Mallory: Malware, used by 1 actor

PICKPOCKET

PICKPOCKET is a credential theft tool associated with OilRig/APT34. It dumps passwords stored in web browsers and has been described as extracting website login credentials from Chrome, Firefox, and Internet Explorer and writing them to a file. FireEye reported tracking the tool since at least May 2018 and identified a variant during a late-June 2019 phishing campaign attributed to APT34 that targeted organizations primarily in the energy and utilities, government, and oil and gas sectors in the Middle East. In that investigation, FireEye found PICKPOCKET hosted on the same C2 infrastructure as other APT34 malware families, including TONEDEAF, VALUEVAULT, and LONGWATCH. The reported PICKPOCKET samples were PE86.dll (MD5: d8abe843db508048b4d4db748f92a103) and PE64.dll (MD5: 6eca9c2b7cf12c247032aae28419319e). Public reporting also notes that OilRig used PICKPOCKET alongside other credential-access tooling such as LaZagne and VALUEVAULT.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

OilRig

OilRig has also used a tool named PICKPOCKET to dump passwords from web browsers.

via the MITRE ATT&CK website (attack.mitre.org)

MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Credential Access

2 techniques
T1003 OS Credential Dumping (Evidence: 1)

APT3 has used tools to dump passwords from browsers... Kimsuky has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims... Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources.

T1555.003 Credentials from Web Browsers (Evidence: 5)

The cited reporting repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.
