A new cyber threat, dubbed Hannibal Stealer, has surfaced as a rebranded and cracked variant of the Sharp and TX stealers, originally promoted by the reverse engineering group ‘llcppc_reverse.’
Developed in C# and leveraging the .NET Framework, this information-stealing malware poses a significant risk by targeting a wide array of sensitive data.
Hannibal Stealer targets Chromium- and Gecko-based browsers and bypasses newer protections such as Chrome's app-bound cookie encryption (the "v20" cookie format) to extract saved credentials, cookies, and autofill data.
Its reach extends beyond browsers to cryptocurrency wallets such as MetaMask, Exodus, and Monero, and to the stored connection data of FTP clients such as FileZilla and Total Commander.
Additionally, it targets VPN credentials, Steam sessions, Telegram files, and Discord tokens, while employing clipboard hijacking via a crypto clipper module to redirect cryptocurrency transactions to attacker-controlled wallets.
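The clipper behaviour described above is easiest to catch from the clipboard side. The following is an added example and is not code from the article or from the Cyfirma report: it replays a constructed sequence of clipboard writes (timestamp, writing process, content) and flags the clipper signature, a cryptocurrency address replaced by a different address of the same family within a short window. The address patterns, the window length, the process names and the placeholder addresses are assumptions for illustration; on a live host the events would come from a clipboard-format listener rather than from a list.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Loose address shapes (prefix, alphabet, length). These are illustrative
# assumptions of this example, not patterns taken from Hannibal's clipper.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,59}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr":        re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


def classify(text: str):
    """Return the address family the clipboard text looks like, or None."""
    t = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(t):
            return family
    return None


@dataclass
class ClipboardEvent:
    ts_ms: int      # monotonic timestamp of the clipboard write
    writer: str     # image name of the process that set the clipboard
    text: str       # new clipboard contents (text formats only)


def detect_swaps(events: Iterable[ClipboardEvent], window_ms: int = 2000):
    """Flag a clipper's footprint: an address of family F replaced by a
    different address of the same family F within window_ms. A user copying
    two addresses minutes apart does not trigger this; an inline rewrite does."""
    alerts = []
    prev, prev_family = None, None
    for ev in events:
        family = classify(ev.text)
        if (prev is not None and family is not None and family == prev_family
                and ev.text.strip() != prev.text.strip()
                and ev.ts_ms - prev.ts_ms <= window_ms):
            alerts.append({
                "family": family,
                "writer": ev.writer,
                "original": prev.text.strip(),
                "replacement": ev.text.strip(),
                "delta_ms": ev.ts_ms - prev.ts_ms,
            })
        prev, prev_family = ev, family
    return alerts


# Constructed clipboard trace (not captured from a real infection). The
# writer name mirrors the filename in the IOC table; the addresses are
# placeholders built from valid base58 / hex characters.
SAMPLE_TRACE = [
    ClipboardEvent(1000, "explorer.exe", "1VictimWaLLet" + "1" * 21),
    ClipboardEvent(1150, "CefSharp.BrowsersSubprocess.exe", "1AttackerWaLLet" + "1" * 19),
    ClipboardEvent(9000, "explorer.exe", "meeting notes"),
    ClipboardEvent(30000, "explorer.exe", "0x" + "a" * 40),
    ClipboardEvent(60000, "explorer.exe", "0x" + "b" * 40),  # 30 s later: user action, not a swap
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_TRACE):
        print(f"[clipper?] {a['writer']} replaced {a['family']} address "
              f"{a['original']} -> {a['replacement']} after {a['delta_ms']} ms")
```

The writer field is what makes the alert actionable: a swap performed by a process that is not the foreground application the user copied from is the case to investigate first.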
Advanced Tactics and Active Underground Presence
First advertised on BreachForums on February 2, 2025, with subscription pricing ranging from $150 for one month to $650 for seven months, Hannibal Stealer has been aggressively marketed across dark web platforms and Telegram channels, boasting nearly 10,000 subscribers on its primary channel.

The malware exhibits advanced evasion tactics, including geofencing to terminate execution in specific countries like Russia and Belarus, likely to avoid prosecution in the developers’ home regions.
According to a Cyfirma report, it also uses domain matching to prioritize high-value victims, scanning the stolen credentials for logins tied to financial and cryptocurrency platforms such as Binance and PayPal.
Hannibal’s comprehensive system profiling capabilities gather detailed hardware and network information, while its data exfiltration is streamlined through a Django-based control panel for managing stolen logs, tokens, and screenshots.

Recent updates as of April 19, 2025, indicate ongoing development, with active infrastructure and installation services priced from $15 for 100 test installs to $900 for 20,000 installs, pointing to a robust cybercriminal ecosystem.
Hannibal Stealer’s ties to earlier Sharp and TX variants are evident through overlapping Telegram handles and marketing patterns on dark web forums, suggesting minimal innovation beyond rebranding and updated exfiltration methods, such as transitioning from Telegram to custom C2 servers.
Its dual role in financial cybercrime and ideological agendas, highlighted by endorsements of hacktivist causes on Telegram, underscores a worrying convergence of motives in the threat landscape.
The malware aligns with multiple MITRE ATT&CK techniques, including process injection (T1055), credential dumping (T1003), and exfiltration over C2 channels (T1041), making it a formidable tool for cybercriminals.
Organizations are urged to block the IOCs listed below, deploy EDR, and monitor for non-browser processes reading browser credential stores, wallet files, and messaging-client data directories to mitigate the risks posed by Hannibal Stealer.
Indicators of Compromise (IOCs)
Sr. No. | Indicator | Type | Remarks |
---|---|---|---|
1 | f69330c83662ef3dd691f730cc05d9c4439666ef363531417901a86e7c4d31c8 | SHA256 | CefSharp.BrowsersSubprocess.exe |
2 | 251d313029b900f1060b5aef7914cc258f937b7b4de9aa6c83b1d6c02b36863e | SHA256 | CefSharp.BrowsersSubprocess.dll |
3 | hXXp://45.61.151[.]60/login/ | URL | Control Panel |
4 | 45[.]61[.]141[.]160:8001/login/ | URL | Control Panel |
5 | www[.]hannibal[.]dev | Domain | Control Panel |
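As a worked example of the mitigation advice above (added here; not code from the article, from Cyfirma, or from any vendor), the following Python refangs the IOCs from the table and then runs hash, host and file-access matching over a constructed set of Sysmon-style events. The credential-store paths and the list of processes allowed to read them are assumptions based on well-known browser, wallet and client layouts, and the sample events are constructed rather than real telemetry.

```python
import re

# IOCs as printed in the table above (defanged). Nothing else in this file is
# from the article; paths and allow-lists below are this example's own assumptions.
RAW_IOCS = [
    ("sha256", "f69330c83662ef3dd691f730cc05d9c4439666ef363531417901a86e7c4d31c8"),
    ("sha256", "251d313029b900f1060b5aef7914cc258f937b7b4de9aa6c83b1d6c02b36863e"),
    ("url", "hXXp://45.61.151[.]60/login/"),
    ("url", "45[.]61[.]141[.]160:8001/login/"),
    ("url", "www[.]hannibal[.]dev"),
]


def refang(s: str) -> str:
    """Undo common IOC defanging (hXXp -> http, [.] -> ., [:] -> :)."""
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s.replace("[.]", ".").replace("[:]", ":")


def host_of(url: str) -> str:
    """Hostname of a (possibly defanged) URL: strip scheme, port and path."""
    u = re.sub(r"^[a-z]+://", "", refang(url), flags=re.I)
    return u.split("/", 1)[0].split(":", 1)[0].lower()


IOC_HASHES = {v.lower() for kind, v in RAW_IOCS if kind == "sha256"}
IOC_HOSTS = {host_of(v) for kind, v in RAW_IOCS if kind == "url"}

# Credential stores a stealer goes after, keyed to the processes that
# legitimately read them (assumed allow-lists). Paths are matched lower-cased
# with '/' separators. Chromium moved Cookies under Network\ in v96, hence the
# optional segment.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
CREDENTIAL_STORES = {
    "chromium_logins":  (r"/user data/[^/]+/login data$", BROWSERS),
    "chromium_cookies": (r"/user data/[^/]+/(network/)?cookies$", BROWSERS),
    "chromium_keys":    (r"/user data/local state$", BROWSERS),
    "firefox_logins":   (r"/profiles/[^/]+/(logins\.json|key4\.db|cookies\.sqlite)$", {"firefox.exe"}),
    "telegram_tdata":   (r"/telegram desktop/tdata/", {"telegram.exe"}),
    "discord_tokens":   (r"/discord/local storage/leveldb/", {"discord.exe"}),
    "filezilla_sites":  (r"/filezilla/(sitemanager|recentservers)\.xml$", {"filezilla.exe"}),
    "exodus_wallet":    (r"/exodus/exodus\.wallet/", {"exodus.exe"}),
}


def image_name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events):
    """Return (rule, image, detail) triples for every event that hits an IOC
    or shows a non-owner process touching a credential store."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and ev.get("sha256", "").lower() in IOC_HASHES:
            findings.append(("ioc_hash", ev["image"], ev["sha256"]))
        elif kind in ("dns_query", "net_connect"):
            host = ev["dst"].lower()
            if host in IOC_HOSTS or any(host.endswith("." + h) for h in IOC_HOSTS):
                findings.append(("ioc_host", ev["image"], ev["dst"]))
        elif kind == "file_read":
            target = ev["target"].replace("\\", "/").lower()
            for store, (pattern, owners) in CREDENTIAL_STORES.items():
                if re.search(pattern, target) and image_name(ev["image"]) not in owners:
                    findings.append(("cred_store_access", ev["image"], store))
    return findings


# Constructed, Sysmon-like events; not real telemetry. The image name mirrors
# the filename given in the IOC table.
MALWARE = r"C:\Users\alice\AppData\Local\Temp\CefSharp.BrowsersSubprocess.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": MALWARE,
     "sha256": "f69330c83662ef3dd691f730cc05d9c4439666ef363531417901a86e7c4d31c8"},
    {"type": "file_read", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "image": MALWARE,
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "image": MALWARE,
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\key4.db"},
    {"type": "net_connect", "image": MALWARE, "dst": "45.61.141.160", "port": 8001},
    {"type": "dns_query", "image": r"C:\Windows\System32\svchost.exe", "dst": "www.hannibal.dev"},
]

if __name__ == "__main__":
    for rule, image, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:18} {image} -> {detail}")
```

The file-access rule is the durable one: hashes and hosts change between builds, but any stealer that reads "Login Data" or key4.db from a process other than the browser stands out regardless of which family it belongs to.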