Phemedrone
Phemedrone is an open-source C# infostealer distributed mainly via Telegram and previously via GitHub. It is available free to threat actors, with regular updates to its builder and panel, and has been observed in the wild as both Phemedrone and related variants. The malware is designed to steal credentials and other sensitive data from Windows systems, including passwords, cookies, credit cards, browser data, Discord tokens, cryptowallet data, FileZilla configuration, Steam files, Telegram account data, VPN-related data, screenshots, and selected local files from Desktop and My Documents.
Phemedrone targets Chromium-based and Firefox/Gecko-based browsers and numerous browser extensions, including cryptocurrency wallets, password managers, and authenticators such as MetaMask, Trust Wallet, Coinbase Wallet, Phantom Wallet, Bitwarden, LastPass, KeePassXC, Ledger Live, Trezor, Google Authenticator, Microsoft Authenticator, Authy, and Duo Mobile. It parses stolen passwords and cookies locally on the victim machine and categorizes them with tags so operators can spot valuable logs; the default tags cover Russian-focused financial and service targets such as Tinkoff, Sberbank, YooMoney, and FunPay.

Beyond browsers, it extracts Discord tokens from the Discord LevelDB store with the regular expression "dQw4w9WgXcQ:[^"]*", searches for wallet.dat and other hardcoded wallet files, steals FileZilla's recentservers.xml and sitemanager.xml, captures a screenshot after installation, steals Steam ssfn files and config.vdf, extracts Telegram tdata and related registry information, and targets the OpenVPN, ProtonVPN, and SurfShark VPN clients. Its FileGrabber component collects files from Desktop and My Documents within configured size and depth limits. Each log includes an Information.txt file with victim system information, counts of stolen passwords and cookies, and the tag results.
Observed behavior includes system-information gathering and geolocation lookup: in its GetGeoInformation() method, Phemedrone requests hxxp://ip-api[.]com/json/?fields=11827 to retrieve the victim's public IP address, geolocation, and related host metadata. It can randomize the User-Agent on its outbound requests and supports three exfiltration modes: a gate sender (logs go to an operator-hosted gate.php), a panel sender, and a Telegram sender; the Telegram sender can encrypt exfiltrated logs with AES and RSA before upload. Anti-analysis features include anti-debugger and anti-VM checks, a mutex check, and an optional CIS keyboard-language exclusion check that the builder disables by default. Phemedrone has also been reported among the infostealer families capable of bypassing Chrome's App-Bound Encryption.
Public reporting associates Phemedrone with broad infostealer activity rather than with a specific named threat actor. Noted distribution includes availability via Telegram and Phemedrone variants spread through malicious YouTube videos advertising game cheats, hacks, and software cracks. SpyCloud recaptured logs show infections globally, with the United States accounting for 20.00% of observed logs, followed by the Netherlands at 19.00%, the Republic of Korea at 18.58%, and Russia at 2.36%.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Other malware families named alongside Phemedrone in the same campaign reporting include StealC, RedLine, Odebug, further Phemedrone variants, and NodeJS-based loaders and downloaders.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique: Gather Victim Network Information (T1590.005). Seven of the 17 malware families analyzed by Splunk's Threat Research Team (STRT) were observed collecting network-related information, such as the public IP address, geographic location, and other metadata, by querying external IP-lookup web services; Phemedrone does this through ip-api.com.
Privilege Escalation
1 technique: Multiple families have successfully bypassed Chrome's App-Bound Encryption, including Phemedrone, LummaC2, Meduza, Vidar, StealC, Rhadamanthys, WhiteSnake, Meta, and Lumar.
Defense Evasion
3 techniques: Phemedrone contains several anti-analysis checks (anti-debugger, anti-VM, mutex, and CIS keyboard-language) that can be enabled during the build phase. If any enabled check described under Discovery below succeeds, Phemedrone exits.
Credential Access
3 techniques: Phemedrone targets Discord tokens by reading the Discord LevelDB database stored on the victim's computer and matching the regular expression "dQw4w9WgXcQ:[^"]*", which it uses to extract the victim's encrypted Discord token for later authentication as the victim.
Phemedrone accesses a variety of Chromium and Firefox/Gecko-based browsers and steals data from their internal storage databases, which hold passwords, credit cards, cookies, and more.
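An added example for the Discord token technique above (this is editorial code, not Phemedrone's). Discord, an Electron app, keeps its session token in Local Storage LevelDB files wrapped with Chromium's OSCrypt scheme: the literal prefix dQw4w9WgXcQ: followed by base64 of a three-byte version tag (v10 for the DPAPI-wrapped-key scheme; v20 is Chrome's App-Bound Encryption marker for cookies), a 12-byte AES-GCM nonce, the ciphertext, and a 16-byte GCM tag. That prefix is what the stealer's regex keys on. The code below finds the same strings in a LevelDB fragment and classifies each by structure without decrypting anything; the byte blob, offsets, and the v99 entry are constructed for the example.

```python
"""Triage encrypted Discord tokens found in LevelDB fragments.

Added example for this profile, not Phemedrone's code. Discord stores its
token as the prefix "dQw4w9WgXcQ:" plus base64(version || nonce || ct || tag)
using Chromium's OSCrypt layout. This locates and classifies such strings
without decrypting them. All sample bytes are constructed.
"""
import base64
import re

ENCRYPTED_TOKEN_RE = re.compile(rb"dQw4w9WgXcQ:([A-Za-z0-9+/=]+)")

NONCE_LEN = 12  # AES-GCM nonce length used by Chromium's OSCrypt
TAG_LEN = 16    # AES-GCM authentication tag length
# "v10": key is DPAPI-protected in Local State; "v20": Chrome App-Bound Encryption.
KNOWN_VERSIONS = {"v10": "dpapi_wrapped_key", "v20": "app_bound_key"}


def make_sample_blob() -> bytes:
    """Constructed LevelDB-like bytes: a well-formed token, a truncated one,
    a non-base64 payload, an unknown version tag, and a colon-less decoy."""
    good = b"v10" + bytes(range(NONCE_LEN)) + b"\xaa" * 59 + bytes(range(16, 32))
    truncated = b"v10" + b"\x00" * 5          # too short to hold nonce + tag
    weird = b"v99" + b"\x01" * 40             # version tag this code does not know
    parts = [
        b'\x00\x01_https://discord.com\x00\x01token\x01"dQw4w9WgXcQ:'
        + base64.b64encode(good) + b'"\x00',
        b'\x00\x01stale\x01"dQw4w9WgXcQ:' + base64.b64encode(truncated) + b'"\x00',
        b'\x00\x01odd\x01"dQw4w9WgXcQ:abc"\x00',
        b'\x00\x01future\x01"dQw4w9WgXcQ:' + base64.b64encode(weird) + b'"\x00',
        b"unrelated: https://youtu.be/dQw4w9WgXcQ\x00",
    ]
    return b"".join(parts)


def triage_tokens(blob: bytes) -> list[dict]:
    """Locate encrypted-token strings and classify each by structure."""
    findings = []
    for m in ENCRYPTED_TOKEN_RE.finditer(blob):
        entry = {"offset": m.start(), "version": None, "scheme": None, "ciphertext_len": 0}
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            entry["status"] = "bad_base64"
            findings.append(entry)
            continue
        version = raw[:3].decode("ascii", errors="replace")
        body = raw[3:]
        entry["version"] = version
        entry["scheme"] = KNOWN_VERSIONS.get(version)
        if version not in KNOWN_VERSIONS:
            entry["status"] = "unknown_version"
        elif len(body) <= NONCE_LEN + TAG_LEN:
            entry["status"] = "truncated"       # nothing left for ciphertext
        else:
            entry["ciphertext_len"] = len(body) - NONCE_LEN - TAG_LEN
            entry["status"] = "well_formed"
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage_tokens(make_sample_blob()):
        print(f)
```

The decoy shows why the colon matters: the bare string dQw4w9WgXcQ is a common YouTube video ID and appears in ordinary browsing data, so a hunt for the prefix without the colon produces noise. A well-formed v10 entry is the case that matters on a compromised host, because the key needed to decrypt it is recoverable with DPAPI in the victim's user context, which is exactly the path a stealer takes.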
Discovery
4 techniques: Phemedrone's anti-analysis checks, enabled at build time, profile the host before the stealer proceeds. If any enabled check succeeds, Phemedrone exits.
Anti-VM: the anti-VM check searches the victim's computer for a hardcoded list of strings associated with virtual machine products, which indicate that Phemedrone is running in a VM.
CIS check: Phemedrone can check whether the victim speaks one of a set of languages used in Commonwealth of Independent States (CIS) countries, by inspecting the installed keyboard languages; the builder disables this check by default.
Collection
3 techniques: Phemedrone also includes a basic file grabber that iterates through My Documents and Desktop and steals every file within the maximum file size and directory depth supplied in its configuration.
Phemedrone automatically captures a screenshot of the victim's screen after installation and adds it to the log for exfiltration.
The Telegram sender has an option to encrypt every log sent through it, so that logs do not sit unencrypted in Telegram. Phemedrone uses a basic AES + RSA hybrid scheme for this.
Command and Control
1 technique: Phemedrone's gate sender lets operators specify a C2 server that hosts the Phemedrone gate.php script. Bots configured with this sender deliver their logs to that PHP gate.
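A hunting example covering both network-visible behaviours this profile documents: the ip-api.com geolocation lookup listed under Reconnaissance and the log upload to a gate.php C2 endpoint described just above. This is added editorial code, not Phemedrone's or any vendor's. The log lines are constructed to resemble a generic forward-proxy log; LINE_RE, the extra lookup hosts beyond ip-api.com, and the bare-IP gate host are assumptions to adapt to your own telemetry. The bit values for ip-api.com's numeric fields mask are taken from the service's public documentation; check them against the current docs before relying on the decode.

```python
"""Hunt two network behaviours this profile documents: infostealer geolocation
lookups against public IP-lookup services (T1590.005) and log uploads to a
Phemedrone-style gate.php C2 endpoint.

Added example for this page, not Phemedrone's own code. The log lines are
constructed to resemble a generic forward-proxy log; real field layouts
differ, and LINE_RE is the part to adapt.
"""
import re
from urllib.parse import parse_qs, urlsplit

# ip-api.com is the service this profile documents; the others are common
# alternatives stealers use (assumed list, extend from your own telemetry).
IP_LOOKUP_HOSTS = {
    "ip-api.com", "api.ipify.org", "ipinfo.io", "ifconfig.me",
    "checkip.amazonaws.com", "icanhazip.com",
}

# Bit values of ip-api.com's numeric "fields" mask, per the service's public
# documentation (verify against the current docs before relying on them).
IP_API_FIELD_BITS = {
    "country": 1, "countryCode": 2, "region": 4, "regionName": 8,
    "city": 16, "zip": 32, "lat": 64, "lon": 128, "timezone": 256,
    "isp": 512, "org": 1024, "as": 2048, "reverse": 4096, "query": 8192,
    "status": 16384, "message": 32768, "mobile": 65536, "proxy": 131072,
    "district": 524288, "continent": 1048576, "continentCode": 2097152,
    "asname": 4194304, "currency": 8388608, "hosting": 16777216,
    "offset": 33554432,
}

# Constructed sample log, one request per line: ts src_ip method url status "user_agent"
SAMPLE_LOG = """\
2024-05-02T10:14:03Z 10.0.0.25 GET http://ip-api.com/json/?fields=11827 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
2024-05-02T10:14:09Z 10.0.0.25 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
2024-05-02T10:15:41Z 10.0.0.77 GET https://api.ipify.org/?format=json 200 "curl/8.4.0"
2024-05-02T10:16:02Z 10.0.0.25 POST http://203.0.113.9/gate.php 200 "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/115.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def decode_ip_api_fields(mask: int) -> list[str]:
    """Expand an ip-api.com numeric fields mask into the field names it requests."""
    return [name for name, bit in IP_API_FIELD_BITS.items() if mask & bit]


def hunt(log_text: str) -> list[dict]:
    """Return one finding per line that matches either rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines outside the expected layout are skipped, not guessed at
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        base = {"ts": m["ts"], "src": m["src"], "host": host, "ua": m["ua"]}

        if host in IP_LOOKUP_HOSTS:
            fields = []
            if host == "ip-api.com":
                mask = parse_qs(parts.query).get("fields", [""])[0]
                if mask.isdigit():
                    fields = decode_ip_api_fields(int(mask))
            findings.append({**base, "rule": "ip_lookup", "fields": fields})

        # Phemedrone's gate sender delivers logs to a gate.php on the operator's C2.
        # On its own gate.php is a weak pivot; a bare-IP host strengthens the signal.
        elif m["method"] == "POST" and parts.path.lower().endswith("/gate.php"):
            findings.append({**base, "rule": "php_gate_post"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["rule"], f["src"], "->", f["host"], f.get("fields", ""))
```

Decoding the mask is what turns a generic "IP lookup seen" alert into something attributable: fields=11827 asks for country, countryCode, city, zip, isp, org, as and query, which is the shape of the host summary a stealer writes into its Information.txt, not what a legitimate application typically requests. Correlating the same source address hitting an IP-lookup service and then POSTing to a bare-IP gate.php within a short window is the higher-confidence signal.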
Exfiltration
1 technique: Phemedrone's Telegram sender lets operators specify a Telegram channel or bot as the destination for exfiltrated logs.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Stealer malware that gathers victim network and geolocation information by querying external IP-lookup services such as ip-api.com.
A named malware family (and variants) distributed through malicious YouTube videos and links in the "YouTube Ghost Network" operation; that reporting does not describe the family's functionality.
Identified as one of multiple malware families reported to have successfully bypassed App-Bound Encryption.
Open-source C# infostealer distributed mainly via Telegram. It steals browser data, cookies, passwords, credit cards, cryptowallet data, Discord tokens, files, FileZilla data, screenshots, Steam and Telegram session data, and VPN configuration data; it also supports tagging stolen data, anti-analysis checks, multiple exfiltration methods, and AES+RSA-encrypted Telegram exfiltration.