Hexon Stealer: New Malware Threatens Discord, Crypto Wallets
A new malicious tool, Hexon Stealer, has emerged in cyberspace, posing a significant threat to both organizations and individual users. This sophisticated infostealer is designed to exfiltrate sensitive information, including Discord tokens, passwords, browser cookies, and cryptocurrency wallets, while granting attackers full control over compromised devices.
Developed using the Electron Framework, Hexon Stealer is disseminated through Telegram channels. Cyfirma researchers highlight that this malware not only facilitates data theft but also enables remote command execution, including screen capture, keyboard and mouse manipulation, sending fraudulent messages, and even conducting ransom negotiations without relying on external communication channels.
In August, the creators of Hexon Stealer began actively promoting their tool via Telegram, later rebranding it as Hexon Grabber. Analysts discovered that Hexon Stealer is an enhanced version of Stealit Stealer, which had previously been hacked and whose source code was leaked publicly following a successful operation by a group of researchers.
The malware employs advanced stealth techniques, including JavaScript obfuscation and the creation of archive files to streamline data exfiltration. Its developers have incorporated robust anti-analysis mechanisms using complex obfuscators, making detection and investigation considerably more challenging.
Beyond data theft, Hexon Stealer gives attackers access to critical system functions such as shutting down, restarting, or locking the device. It is also used to compromise gaming accounts and manipulate cryptocurrency assets, including wallets like Exodus.
An international team of researchers has traced the likely origins of Hexon Stealer to developers in Turkey. This conclusion is based on source code analysis and the discovery of Turkish-language comments embedded within the HTML structures of a website linked to the malware.
The tool is distributed via specialized platforms such as Telegram and Signal, where it is offered on a subscription basis. Its developers provide weekly, monthly, and annual pricing plans, along with an intuitive interface for managing stolen information.
The growing popularity of data stealers like Hexon Stealer underscores the urgent need to fortify cybersecurity defenses. Experts recommend adopting multilayered security measures, keeping systems updated, conducting regular audits, and training employees to mitigate potential risks.