StealBit
StealBit is LockBit’s bespoke data-exfiltration malware/tool, developed and maintained by the LockBit ransomware-as-a-service operation (tracked in one source as GOLD MYSTIC) and provided to affiliates to steal victim data during intrusions. It was introduced with LockBit 2.0 in 2021 and continued to be used by LockBit 3.0 affiliates as part of LockBit’s double-extortion model, often alongside alternatives such as rclone and file-sharing services including MEGA. Multiple sources state it was intended to facilitate or accelerate exfiltration of data stolen in LockBit attacks, and one source notes it was marketed by LockBit as faster than Rclone.
Observed behavior in the provided content includes use of the Windows Socket networking library to communicate with attacker-controlled endpoints; use of interprocess communication (IPC) to designate multiple files for exfiltration in a scalable manner; anti-analysis checks to detect execution under a debugger, with one description stating it enters an empty infinite loop if a debugger is detected; and execution guardrails based on system locale, with StealBit determining system location from the default language setting and refusing to execute on systems in former Soviet countries. One source also states it can configure processes to suppress certain Windows error messages via NtSetInformationProcess.
Operationally, StealBit is closely associated with LockBit intrusions across sectors targeted by LockBit affiliates, including enterprises, critical infrastructure, hospitals, schools, government entities, and other organizations affected by the broader LockBit ecosystem. The content notes that StealBit source code was discovered by law enforcement during investigations into LockBit infrastructure and developer activity, and that Operation Cronos seized StealBit-related infrastructure in three countries. Mentioned filenames/masquerades include "send.exe" and "sender.exe".
Groups observed using it
2 distinct threat actors attributed by public researchers.
StealBit — a tool developed by GOLD MYSTIC to facilitate data exfiltration in LockBit ransomware intrusions
"the GSOC investigates the StealBit malware, a data exfiltration tool that the LockBit threat group develops and maintains... Ransomware operators use StealBit to exfiltrate data from compromised systems for double extortion purposes."
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
2 techniques
Stealth
8 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Woody RAT 'has suppressed all error reporting by calling SetErrorMode with 0x8007 as a parameter'; StealBit 'can configure processes to not display certain Windows error messages through use of the NtSetInformationProcess.'
Many entries explicitly describe deleting artifacts 'to cover tracks,' 'evade detection,' 'remove evidence,' 'reduce their footprint,' or as part of 'post-intrusion cleanup process.' Examples include APT28 deleting files to cover tracks, FIN5 using SDelete to clean up the environment, and Dragonfly deleting operational files as part of cleanup.
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Discovery
4 techniques
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Multiple malware families (e.g., Avaddon, Bazar, Clop, Ryuk, REvil, LockBit, Zeus Panda) check OS language/keyboard layout/locale and terminate or alter execution if the system matches excluded languages (commonly Russian/CIS) or does not match desired target languages (e.g., Spanish/Portuguese, Arabic, Persian).
Collection
1 technique
Distinctively, the Clop ransomware group primarily focused on extortion through data theft rather than typical encryption tactics.
Command and Control
2 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Exfiltration
4 techniques
On that repository, law enforcement also discovered source code for LockBit’s StealBit tool, which helped LockBit affiliates exfiltrate data stolen through LockBit attacks.
The data was exfiltrated over a 90-minute period, likely via the StealBit tool, prior to execution of the ransomware.
LockBit 3.0 affiliates use Stealbit, a custom exfiltration tool used previously with LockBit 2.0; rclone, an open-source command line cloud storage manager; and publicly available file sharing services, such as MEGA, to exfiltrate sensitive company data files before encryption.
Impact
1 technique
“Twisted Spider is the first ransomware gang to steal sensitive data and use it for a second extortion demand. LockBit was one of the early adopters of this tactic…” and “LockBit developed its own data exfiltration tool called ‘StealBit’…”
Other
2 techniques
The content repeatedly describes threat actors and malware disabling or modifying security tools, EDR/AV, logging, firewall rules, integrity checkers, and security settings; e.g., 'Agrius used several mechanisms to try to disable security tools' and 'BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.'
Recent activity
21 sources tracked across advisories, community write-ups, and news.
A LockBit-associated data theft utility introduced alongside LockBit 2.0 to exfiltrate files as part of double-extortion operations.
Stealbit is a tool used by the LockBit group to exfiltrate data from victim networks prior to or during ransomware attacks, facilitating double extortion tactics.
It is mentioned as a dedicated tool used to carry out data exfiltration (theft) in LockBit operations.
A custom data exfiltration tool developed by GOLD MYSTIC for use in LockBit intrusions, used to steal victim data prior to extortion and possible publication on LockBit infrastructure.