Glove Stealer is an information-stealing malware family first publicly documented in November 2024 and described as written in .NET, with later reporting assessing some samples as a Python-based port/evolution of the same family. It has been distributed in phishing campaigns using ClickFix-style social engineering, including HTML attachments that display fake errors and instruct victims to execute attacker-provided scripts via PowerShell or the Windows Run prompt. Reporting also describes lures that mimic troubleshooting or fixing tools, and one campaign targeting Roblox exploit and cheat users with a trojanized .NET WPF application that stages a PyInstaller-packed Python 3.12 payload.
Core functionality centers on theft of browser and application data. Glove Stealer targets browser cookies, saved credentials, autofill data, and other browser artifacts, including Firefox and Chromium-family browsers. It also targets cryptocurrency wallets, 2FA authenticators, password managers, email clients, gaming platforms, hundreds of browser extensions, and more than 80 locally installed applications. Named targets include Google Authenticator, Microsoft Authenticator, Aegis, LastPass, Bitwarden, KeePass, Thunderbird, Steam, and Battle.net. Staged data has been reported in folders/files such as AllPws.txt, INFS.txt, Cookies, Autofill, Restore, OTP, and Wallets. Host fingerprinting collected in INFS.txt included OS details, computer name, username, RAM, language, and CPU information.
A notable capability is bypass of Google Chrome App-Bound Encryption (ABE). Multiple reports state Glove Stealer uses a dedicated supporting module, including a .NET helper saved as %PROGRAMFILES%\Google\Chrome\Application\zagent.exe, to abuse Chromium’s IElevator service and retrieve the protected key from the Local State file. Gen Digital described it as the first widely documented family invoking the Elevation Service via IElevator to retrieve the wrapped key. Later reporting on a Python-based variant describes a more advanced ABE bypass matrix including IElevator COM abuse, debugger hardware breakpoints, double-DPAPI impersonation using an LSASS SYSTEM token, DLL injection into a suspended Chrome process, and UAC registry hijacking.
Behavior reported for the .NET family includes repeatedly terminating browser-related processes containing names such as chrome, yandex, browser, msedge, opera, brave, chromium, and CryptoTab; staging stolen data under a path derived from Environment.SpecialFolder.Recent and an MD5 hash based on the computer name and disk serial number; compressing collected data; encrypting the exfiltration package with 3DES in ECB mode using a key derived from DateTime.Now.Ticks and MD5; and exfiltrating the encrypted archive to attacker-controlled infrastructure. Reported network infrastructure associated with the .NET campaign includes master.volt-texs[.]online and master.hdsjfkgsadoghdsiougds[.]space, used for payload delivery, execution signaling, key backup, and exfiltration. Reported SHA-256 indicators for that campaign include 2bf6fab237ab58ae6cfe78f9a61ab6dcaf55f437cb7a77878e2e6aae3b208e80, 56da496329d54587c31119d8878a7831a9814a92839aa6a9873ceeb91575b11a, and 86ad4082e086a0b9a22dc91a16d0d9be38232975ab4d3d035224fb6d6cc7a44c.
The Python-based port described in later reporting adds anti-analysis and persistence features, including AMSI patching, ETW suppression, repeated Defender tampering, AppLocker evasion through relocation to trusted directories, Discord-based exfiltration and bot C2, and persistence via scheduled task, HKCU Run key, Startup VBS, COM hijack, PowerShell profile modification, and WMI ActiveScriptEventConsumer. That reporting also states the malware steals Roblox cookies, browser data, MetaMask vault data, developer secrets from notes and files, and Google account artifacts such as SAPISID-derived access to Gmail API data.
Association is high-confidence at the family level only: Glove Stealer has been directly linked to phishing/ClickFix-style delivery and Chrome ABE bypass via IElevator. Separate Ontinue reporting explicitly stated another developer-targeting ABE-stealer did not technically match Glove Stealer, though it was considered a close technique neighbor.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
36 distinct techniques documented for this family, organized by ATT&CK tactic.
this campaign started with a user receiving a phishing email. Along with the e-mail, typically an attachment is present in HTML format.
Along with the e-mail, typically an attachment is present in HTML format. An HTML page like this contains typical ClickFix motives, showing a crafted fake error message stating that some content couldn’t be accessed properly, then advising the user how to fix it.
Scheduled Task : Creates WindowsDefenderAgent configured to run at user logon with highest privileges.
The instructions then prompt the user to paste and execute it via a PowerShell terminal or a Run prompt on Windows
It queries local preferences via PowerShell: (Get-MpPreference).ExclusionPath -contains '<current_directory_path>' ... Add-MpPreference -ExclusionPath "<current_directory_path>" ... A background daemon thread periodically loops a PowerShell command ( Set-MpPreference -DisableRealtimeMonitoring $true... )
Scheduled Task : Creates WindowsDefenderAgent configured to run at user logon with highest privileges.
WMI Event Subscriber : Registers an ActiveScriptEventConsumer tied to a Win32_LogonSession event filter, ensuring execution via the WMI subsystem upon boot.
PowerShell Profile Append : Appends execution calls directly into %USERPROFILE%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 .
COM Hijack : Hijacks a common CLSID to load the malicious payload upon targeted Windows shell operations.
Scheduled Task : Creates WindowsDefenderAgent configured to run at user logon with highest privileges.
The pasted command redirects victims to an obfuscated PowerShell loader that injects a native AEB helper into a live browser process.
Because Roblox executors must hook game processes, inject dynamic link libraries (DLLs), and patch system memory...
Double DPAPI Impersonation: Enables SeDebugPrivilege , duplicates the SYSTEM token from lsass.exe , and executes double DPAPI calls to decrypt machine-level bound ABE keys.
WMI Event Subscriber : Registers an ActiveScriptEventConsumer tied to a Win32_LogonSession event filter, ensuring execution via the WMI subsystem upon boot.
PowerShell Profile Append : Appends execution calls directly into %USERPROFILE%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 .
COM Hijack : Hijacks a common CLSID to load the malicious payload upon targeted Windows shell operations.
Registry Run Key : Inserts a payload path under HKCU\Software\Microsoft\Windows\CurrentVersion\Run . Startup VBS : Writes %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefenderAgent.vbs to execute the binary windowlessly.
As a result, Glove Stealer needs to acquire local admin privileges first to use this supporting module.
To trigger the required UAC prompt silently, the loader uses the runas verb within the ProcessStartInfo configuration... UAC Registry Hijack: If integrity limitations block strategies 2 or 3, it writes a payload launcher command to HKCU\Software\Classes\ms-settings\Shell\Open\command and calls fodhelper.exe or computerdefaults.exe to auto-elevate
the script copied and executed by the user invokes a PowerShell command encoded by Base64... The payload is downloaded from the server as a text... just Base64 encoded.
Threat actors exploit this brand recognition and 'security fatigue' to distribute highly evasive trojanized payloads disguised as legitimate execution tools... the initial stage is a .NET 4.8 Windows Presentation Foundation (WPF) application that presents a functional executor GUI complete with live DeepSeek AI integration.
The pasted command redirects victims to an obfuscated PowerShell loader that injects a native AEB helper into a live browser process.
Because Roblox executors must hook game processes, inject dynamic link libraries (DLLs), and patch system memory...
Double DPAPI Impersonation: Enables SeDebugPrivilege , duplicates the SYSTEM token from lsass.exe , and executes double DPAPI calls to decrypt machine-level bound ABE keys.
If detected, the payload enters a 120-240 second sleep cycle and silently terminates. This function relies entirely on process-name detection, lacking traditional hardware, VM registry, or CPU timing checks.
Google Account Harvesting: It extracts SAPISID and __Secure-3PAPISID cookies to forge a SAPISIDHASH authorization header, directly querying the live Gmail API
It focuses on browser data (cookies, autofill, …)... The cookies, wallets and other possible data are not obtained just from the browsers
A synchronous run of browsers.collect(abe_key) ensures decrypted browser cookies and tokens are immediately available ... remaining modules (wallets, Discord, Telegram, password managers, note scanning).
Sandbox Evasion: The _is_sandbox() method queries active processes using psutil against a blacklist ( idaq.exe , x64dbg.exe , procmon.exe , wireshark.exe ).
The file INFS.txt contains a fingerprint of the device, including details like the OS, computer and username, maximum available RAM, language, CPU information and more.
The malware then pings another C&C server... This address is used multiple times during the malware execution to indicate successfully passing certain stages and submitting other data
the campaign employs a multi-stage execution model, relying on remote dead-drop configuration points ... Pastebin ... MediaFire ... It actively hits internal Roblox APIs ... directly querying the live Gmail API ... | These chunks are transmitted to the AES-decrypted Discord Webhook URL ... pausing for exactly 1 second between requests to defeat API rate limiting.
Defender Exclusion Hooking ... Add-MpPreference -ExclusionPath ... Active Memory Patching: It locates amsi.dll and overwrites the entry point of AmsiOpenSession ... It simultaneously patches ntdll.dll!EtwEventWrite with c3 ( ret ) to blind system telemetry. Background Exclusion Maintenance: ... Set-MpPreference -DisableRealtimeMonitoring $true...
15 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An information-stealing malware family ported here to Python, designed to harvest browser data, Roblox cookies, developer secrets, crypto wallet material, notes, and Google account data while using AMSI/ETW patching, Defender tampering, Discord-based C2, and multiple persistence mechanisms.
A stealer family that abuses Chrome’s Elevation Service via IElevator to recover App-Bound Encryption-protected keys and steal sensitive browser data.
An infostealer previously documented as abusing Chromium's IElevator interface via a helper module communicating over a named pipe to recover protected browser data.
Glove Stealer is a stealer malware that uses a supporting module to bypass app-bound encryption via the IElevator service. It is distributed via phishing emails and masquerades as a troubleshooting tool.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.