WebBrowserPassView
WebBrowserPassView is a NirSoft utility that extracts usernames and passwords saved by web browsers on Windows. The reporting collected here treats it as a browser credential theft or password recovery tool: it dumps browser-stored credentials, runs from the command line, and can write its output to a file path given with the /stext argument. It is closed source, which makes it harder to modify than open-source alternatives such as LaZagne.
Across the cited reporting, WebBrowserPassView appears as post-compromise credential access tooling in the hands of several threat actors. Kimsuky is repeatedly reported to have used it to dump passwords from victims, including alongside malicious browser extensions that steal passwords and cookies. Cisco Talos reported its use in an intrusion at a Taiwanese government-affiliated research institute attributed with medium confidence to APT41, where the actor paired it with Mimikatz and other tooling to harvest credentials after initial access. Another Talos report describes a Kimsuky campaign in which a trojanized WebBrowserPassView v2.11 payload was injected into another process to harvest browser credentials and write them to disk for later exfiltration. Lazarus-linked activity is reported to have downloaded, decrypted and executed WebBrowserPassView to extract browser credentials and exfiltrate them, together with system information, to a C2 server. The tool also surfaces in ransomware and cybercrime intrusions, including Qilin affiliate activity and campaigns targeting trucking and logistics companies, where it was deployed after initial access for credential harvesting.
Behaviorally, the reporting ties WebBrowserPassView to credential dumping from the fixed on-disk locations where browsers keep saved logins, mapped to MITRE ATT&CK credential access from web browsers. Detection-oriented reporting notes that a successful dump cannot be reliably confirmed from logs unless the tool saves its output to a file, and recommends monitoring process creation and file-access telemetry around browser credential stores. The high-confidence indicators named in the reporting are execution as WebBrowserPassView.exe and use of the /stext argument to write extracted credentials to a specified file. Two caveats follow from the same reporting: a renamed copy will not match on image name alone, and the injected trojanized build described above never runs as its own process, so process-creation rules keyed on the binary do not see it.
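One way to turn the indicators above into triage logic, as an added example that is not code from this page, from NirSoft, or from any cited vendor. It assumes Sysmon-style process-creation records (field names Image, CommandLine, OriginalFileName, ParentImage) and uses constructed sample events. Beyond /stext, it also matches NirSoft's sibling save switches (/stab, /scomma, /shtml, /sverhtml, /sxml), which the page does not document. A finding is high confidence when a save switch names an output file, because that file is the cleartext dump to collect, and medium otherwise, matching the page's point that extraction cannot be confirmed from logs alone. Renamed copies are caught through OriginalFileName only when the sensor recorded it and the copy kept its version resource; the injected trojanized build from the Kimsuky report produces no such event, so this logic does not cover it.

```python
"""Triage Windows process-creation events for WebBrowserPassView runs.

Added example, not code from the page, from NirSoft or from any cited vendor.
The records below are constructed for the demo; their field names mirror
Sysmon Event ID 1 (Image, CommandLine, OriginalFileName, ParentImage) but the
values are made up.
"""
import re

# NirSoft command-line tools share one "save report" switch shape: /s<format> <path>.
# The page documents /stext; the sibling switches (/stab, /scomma, /shtml,
# /sverhtml, /sxml) write the same data in other formats and are matched too.
SAVE_SWITCH = re.compile(
    r'(?i)/s(text|tab|comma|html|verhtml|xml)\s+(?:"([^"]+)"|(\S+))'
)


def is_wbpv(event):
    """Match on the image name or on the PE version resource's OriginalFileName,
    so a renamed copy is still caught when the sensor recorded that field."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\webbrowserpassview.exe") or original == "webbrowserpassview.exe"


def triage_event(event):
    """Return a finding dict for a WebBrowserPassView execution, else None.

    confidence is "high" when a save switch names an output file: that file is
    the cleartext credential dump to collect. Without it the tool ran in GUI
    mode and the logs alone cannot confirm that anything was extracted.
    """
    if not is_wbpv(event):
        return None
    finding = {
        "image": event.get("Image"),
        "parent": event.get("ParentImage"),
        "renamed": not event.get("Image", "").lower().endswith("\\webbrowserpassview.exe"),
        "confidence": "medium",
        "output_format": None,
        "output_path": None,
    }
    match = SAVE_SWITCH.search(event.get("CommandLine", ""))
    if match:
        finding["confidence"] = "high"
        finding["output_format"] = match.group(1).lower()
        finding["output_path"] = match.group(2) or match.group(3)
    return finding


def triage_events(events):
    """Run triage_event over a batch and keep only the hits."""
    return [f for f in map(triage_event, events) if f]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {   # 1: the page's high-confidence pattern, binary name plus /stext
        "Image": r"C:\Users\Public\WebBrowserPassView.exe",
        "CommandLine": r'"C:\Users\Public\WebBrowserPassView.exe" /stext "C:\Users\Public\wb.txt"',
        "OriginalFileName": "WebBrowserPassView.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 2: renamed copy, caught only through OriginalFileName; CSV output switch
        "Image": r"C:\ProgramData\svc.exe",
        "CommandLine": r"svc.exe /scomma C:\ProgramData\out.csv",
        "OriginalFileName": "WebBrowserPassView.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # 3: GUI launch with no save switch: execution confirmed, extraction not
        "Image": r"C:\Tools\WebBrowserPassView.exe",
        "CommandLine": r'"C:\Tools\WebBrowserPassView.exe"',
        "OriginalFileName": "WebBrowserPassView.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # 4: unrelated browser process, must not fire
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
        "OriginalFileName": "chrome.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f["confidence"], f["image"], f["output_path"])
```

In an investigation, the output_path of a high-confidence finding is the artifact to pull before it is deleted, and a medium-confidence finding should be paired with file-access telemetry on the browser credential stores (Login Data, logins.json and the like) to decide whether a dump actually happened.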
Groups observed using it
5 distinct threat actors attributed by public researchers.
WebBrowserPassView, a NirSoft tool that extracts stored web browser credentials to the file path specified with the /stext argument.
Credential Theft: WebBrowserPassView is downloaded, decrypted and executed to extract browser-related credentials. Those credentials, together with system information, are exfiltrated to the command-and-control (C2) server.
Kimsuky has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims.
The actor uses Mimikatz to harvest the hashes from the lsass process address space and WebBrowserPassView to get all credentials stored in the web browsers.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
GopherWhisper uses the publicly available WebBrowserPassView.
Initial Access (1 technique)
Persistence (1 technique)
Privilege Escalation (2 techniques)
Stealth (2 techniques)
Credential Access (4 techniques)
Credential Access [TA0006]... Tools such as Mimikatz, Lazagne, and WebBrowserPassView remain popular and prominent.
WebBrowserPassView is a free password recovery tool that reveals the passwords stored by IE, Mozilla Firefox, Google Chrome, and Opera.
WebBrowserPassView can gather credentials from a number of browsers.
Command and Control (1 technique)
"ScreenConnect would then be used to download an additional attacker toolset."
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Legitimate password recovery tool abused by attackers to extract saved browser credentials from compromised systems.
NirSoft credential recovery utility used to extract saved web browser passwords for credential harvesting.
A credential-dumping utility used here to extract browser-stored credentials and exfiltrate them to a C2 server.
A password recovery and credential access tool used to extract stored browser credentials during attacks.