Myth Stealer Uncovered: Rust Malware Spreading via Fake Gaming Sites, Stealing Browser Data
Do Son 
Myth Stealer presented as a crack of a game cheating software in an online forum
Cybersecurity specialists at Trellix have uncovered a previously undocumented malware strain written in Rust, dubbed Myth Stealer, which is disseminated through counterfeit gaming websites. Masquerading as legitimate software, the malware presents a fake installation window while silently decrypting and executing a malicious component in the background, designed to harvest sensitive user data.
Initially released in December 2024 via a Telegram channel as part of a beta-testing initiative, Myth Stealer has since evolved into a Malware-as-a-Service (MaaS) operation. It is capable of exfiltrating passwords, cookies, and autofill data from Chromium- and Gecko-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Mozilla Firefox.
The operators behind Myth Stealer aggressively marketed their services through Telegram channels, which also featured user testimonials and the sale of compromised accounts. These channels were eventually shut down. The malware is primarily distributed through websites advertising fake video games—one such site hosted on Google’s Blogger platform claimed to offer beta versions of games for testing. A similar method had previously been employed in the dissemination of another malware, AgeoStealer, as reported by Flashpoint in April 2025.
Myth Stealer has also been detected in a rogue build posing as a cracked cheat utility for the game DDrace, made available on a public forum. Regardless of the delivery vector, victims are shown a counterfeit installation prompt while the data-stealing payload activates discreetly in the background.
Attackers embedded the malicious code within a 64-bit DLL, programmed to terminate browser processes to facilitate unimpeded data theft. Exfiltrated information is transmitted either to a remote command-and-control server or via Discord webhooks. To evade detection and resist reverse engineering, the malware incorporates string obfuscation techniques and checks the system environment based on username and filesystem signatures. Its functionality is regularly updated, with recent additions including screen capture and clipboard harvesting.
Myth Stealer is not the sole instance of game cheats being exploited as malware delivery mechanisms. Just yesterday, we reported on another threat named Blitz, propagated through tampered cheat tools and pirated installers of legitimate software.
Simultaneously, researchers at CYFIRMA identified a new C#-based remote access trojan named DuplexSpy on GitHub, first appearing in April 2025. Although marketed as a tool for “ethical demonstration and education,” DuplexSpy possesses an extensive arsenal of surveillance and system manipulation capabilities.
The malware achieves persistence by copying itself to system autostart locations and altering Windows registry keys, employing fileless execution and privilege escalation techniques. Its features include a keylogger, screen grabber, webcam and microphone monitoring, remote shell access, and anti-analysis measures.
Additionally, DuplexSpy can play arbitrary audio on infected machines, execute system-level commands such as rebooting, shutting down, logging off, and initiating sleep mode. It can also overlay a full-screen ransom-like message, effectively locking out the user by simulating a system freeze or ransom demand.
Against this backdrop, Positive Technologies has reported that several threat actor groups—TA558, Blind Eagle, Aggah, PhaseShifters, and PhantomControl—are actively leveraging a cryptographic obfuscation service known as Crypters And Tools. This service facilitates the concealment of malicious components like the Ande Loader and is distributed via the nitrosoftwares[.]com platform, which offers a wide array of offensive tools—from exploits and packers to keyloggers and cryptojackers.
Targeted regions include the United States, Eastern Europe—including Russia—and Latin America.
Donate