ACCE Release Notes v2.6.20240628

This release consists of the following:

  • ShadowStealer (open-source project), including derivative stealers SamsStealer and XDdox
  • SideLang variants (aka NSIXloader)
  • DinodasRAT (aka Linodas, XDealer)
  • WarmCookie Backdoor
  • CSharp-Streamer RAT (aka eightpod)
  • Release Crypter (CT named malware)
  • Ghostlord Stealer
  • Captian Stealer
  • BlankOBFv2
  • Luna Grabber Nuitka-compiled and Python code variants
  • Enviar Stealer
  • ZouZouZi Crypter and Stealer (CT named malware)
  • GlorySprout malware
  • Taurus Stealer
  • Baxxxlock Locker and Downloader
  • W4SP Stealer
  • NerbianRAT and MiniNerbian
  • WarpWire Stealer
  • PieHop / LightWork malware
  • Poseidon Loader and Stealer
  • Niki malware


In mid-June, X user @crep1x posted about XDdox v2 Stealer (by YASH Hacking Team), which they identified was previously analyzed as SamsStealer by Cyfirma. Further research into XDdox and SamsStealer revealed that both are derivative works of the open source ShadowStealer. Additional samples of ShadowStealer revealed reported authors TWD-Officials, webcarding, @Hackster_OP, and “ARMAN X ALAMIN” (Telegram Channel @TEAMBLACKBERRY).

The ACCE ShadowStealer module reports the Telegram URL and the author and Telegram channel, when available.


X user @suyog41 has previously posted information about Ghostly Stealer (see blog post from April), and identified that Ghostly has since been rebranded as Ghostlord.

Research on the initial sample from @suyog41’s post revealed the usage of BlankOBFv2, an updated version of an open-source Python obfuscator we observed in March. BlankOBFv2 has three possible Crypter layers in addition to variable and integer obfuscation (though binary operations):

  • zlib compression and XOR encoding
  • zlib compression, Base64 encoding, and converting the result to a series of “IP addresses”
  • zlib compression, Base64 encoding, data splitting, and appending/prepending erroneous data to each split buffer

We identified numerous usages of BlankOBFv2, including PyInstaller compiled, Nuitka compiled, Python scripts, and PYC samples. The payloads varied and included Ghostly, Ghostlord, Captian Stealer, Luna Grabber, Enviar Stealer, and a Crypter and Grabber for malware we are referring to as ZouZouZi based on the uploaded filename and copyright for multiple samples.


Elastic Security Labs and eSentire published reporting on a backdoor named WarmCookie which contains RC4 encrypted strings stored in buffers consisting of a 32-bit data size, 4 byte RC4 key, and the encrypted data. Elastic additionally released an IDAPython script for decrypting WarmCookie strings.

We added a WarmCookie ACCE module leveraging Dragodis and Rugosa, which is compatible with both IDA and Ghidra, and have additionally added it to our open-source ACCE parsers.

Posted in Uncategorized and tagged , .