CharlieKirk Grabber
CharlieKirk Grabber (aka KirkG) is a Python-based information stealer targeting Windows systems, first seen in the wild in February 2026 and reported as open-sourced on GitHub. It is typically delivered via phishing emails, cracked software packages, game cheat downloads, and social media lures, and uses Turning Point USA/Charlie Kirk-themed political imagery for social engineering.
The malware is commonly distributed as a standalone Windows executable packaged with PyInstaller. It is described as a fast “smash-and-grab” stealer: after execution it profiles the host (username, hostname, hardware UUID, external IP), terminates browser processes via TASKKILL to access browser credential stores, and collects stored login credentials, browser cookies, session data, autofill entries, browsing history, and saved Wi‑Fi credentials (via NETSH). It also gathers system details using SYSTEMINFO and uses PowerShell to add Microsoft Defender exclusions.
CharlieKirk Grabber is modular and builder-based, allowing operators to enable/disable collection modules and configure command-and-control/exfiltration options. It can use Discord webhooks or the Telegram bot API for C2/notification. Stolen data is bundled into a ZIP archive, uploaded to the GoFile file-hosting service (gofile.io), and the resulting download link is sent back to the operator over HTTPS via Discord/Telegram.
Known indicators mentioned include an associated filename CharlieKirk.exe (reported size 19.58 MB), MD5 598adf7491ff46f6b88d83841609b5cc, and SHA-256 f56afcdfd07386ecc127aa237c1a045332e4cc5822a9bcc77994d8882f074dd1. Network-relevant services explicitly referenced for monitoring include Discord, Telegram, and GoFile.
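The behaviours described above (browser termination via TASKKILL, Wi-Fi profile dumping via NETSH, Defender exclusions via PowerShell, SYSTEMINFO profiling, and upload/notification through GoFile, Discord and Telegram) map naturally onto a process-and-network correlation check. The following Python sketch is an added example, not code from this page or from Mallory: it parses constructed telemetry lines, applies one rule per behaviour, matches the two hashes listed on the page, and flags a process only when several behaviours line up on the same actor. The log format, field names and rule names are assumptions; the Discord, Telegram and GoFile hostnames are taken from those services' public API endpoints.

```python
"""Correlate stealer-style behaviours over process and network telemetry.

Added example (not from the page or vendor). The telemetry format below is
constructed: 'kind|key=value|key=value' lines, one event per line.
"""
import re

# Hashes exactly as listed on the page's indicator section.
KNOWN_MD5 = {"598adf7491ff46f6b88d83841609b5cc"}
KNOWN_SHA256 = {"f56afcdfd07386ecc127aa237c1a045332e4cc5822a9bcc77994d8882f074dd1"}

# Browser image names whose termination by taskkill is suspicious (assumed list).
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe")

# One rule per living-off-the-land behaviour described for the family.
PROCESS_RULES = [
    ("browser_kill_taskkill",
     re.compile(r"\btaskkill\b.*\b(" + "|".join(map(re.escape, BROWSERS)) + r")", re.I)),
    ("wifi_profile_dump_netsh",
     re.compile(r"\bnetsh\b.*\bwlan\s+show\s+profile\b.*\bkey\s*=\s*clear", re.I)),
    ("defender_exclusion_powershell",
     re.compile(r"\b(powershell|pwsh)\b.*Add-MpPreference\b.*-Exclusion", re.I)),
    ("host_profiling_systeminfo",
     re.compile(r"\bsysteminfo\b", re.I)),
]

# Services the page names for exfiltration/notification (public API hosts).
EXFIL_HOSTS = ("gofile.io", "discord.com", "discordapp.com", "api.telegram.org")


def parse_event(line):
    """Parse one constructed 'kind|key=value|...' line into a dict."""
    kind, _, rest = line.partition("|")
    fields = {"kind": kind.strip()}
    for part in rest.split("|"):
        key, _, value = part.partition("=")  # split on the FIRST '=' only
        fields[key.strip()] = value.strip()
    return fields


def is_known_hash(md5="", sha256=""):
    """True if either hash matches the page's listed indicators."""
    return md5.lower() in KNOWN_MD5 or sha256.lower() in KNOWN_SHA256


def check_event(ev):
    """Return (actor, rule_name) pairs triggered by a single event.

    For LOLBin child processes the actor is the parent that spawned them;
    for hash hits and network events the actor is the image itself.
    """
    hits = []
    image = ev.get("image", "")
    if ev["kind"] == "proc":
        cmd = ev.get("cmd", "")
        actor = ev.get("parent") or image
        for name, rx in PROCESS_RULES:
            if rx.search(cmd):
                hits.append((actor, name))
        if is_known_hash(ev.get("md5", ""), ev.get("sha256", "")):
            hits.append((image, "known_hash_ioc"))
    elif ev["kind"] == "net":
        host = ev.get("dest", "").lower().rsplit(":", 1)[0]
        if any(host == h or host.endswith("." + h) for h in EXFIL_HOSTS):
            hits.append((image, "exfil_or_c2_service"))
    return hits


def hunt(lines):
    """Group rule hits per actor and return (per_actor, high_confidence_actors).

    An actor is high confidence on a known-hash match, or when it both reaches an
    exfiltration/notification service and shows at least two LOLBin behaviours.
    """
    per_actor = {}
    for line in lines:
        if not line.strip():
            continue
        for actor, rule in check_event(parse_event(line)):
            per_actor.setdefault(actor, set()).add(rule)
    high = sorted(
        actor for actor, rules in per_actor.items()
        if "known_hash_ioc" in rules
        or ("exfil_or_c2_service" in rules and len(rules - {"exfil_or_c2_service"}) >= 2)
    )
    return per_actor, high


# Constructed sample telemetry: one stealer-like chain plus two benign events.
SAMPLE_TELEMETRY = r"""
proc|image=C:\Users\alice\Downloads\CharlieKirk.exe|parent=C:\Windows\explorer.exe|sha256=f56afcdfd07386ecc127aa237c1a045332e4cc5822a9bcc77994d8882f074dd1|cmd="C:\Users\alice\Downloads\CharlieKirk.exe"
proc|image=C:\Windows\System32\taskkill.exe|parent=C:\Users\alice\Downloads\CharlieKirk.exe|cmd=taskkill /F /IM chrome.exe /IM msedge.exe
proc|image=C:\Windows\System32\netsh.exe|parent=C:\Users\alice\Downloads\CharlieKirk.exe|cmd=netsh wlan show profile name="HomeNet" key=clear
proc|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|parent=C:\Users\alice\Downloads\CharlieKirk.exe|cmd=powershell -Command Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Local\Temp
proc|image=C:\Windows\System32\systeminfo.exe|parent=C:\Users\alice\Downloads\CharlieKirk.exe|cmd=systeminfo
net|image=C:\Users\alice\Downloads\CharlieKirk.exe|dest=gofile.io:443
net|image=C:\Users\alice\Downloads\CharlieKirk.exe|dest=discord.com:443
proc|image=C:\Windows\System32\systeminfo.exe|parent=C:\Windows\System32\cmd.exe|cmd=systeminfo
net|image=C:\Program Files\Mozilla Firefox\firefox.exe|dest=discord.com:443
"""

if __name__ == "__main__":
    per_actor, high = hunt(SAMPLE_TELEMETRY.splitlines())
    for actor, rules in per_actor.items():
        print(f"{actor}: {sorted(rules)}")
    print("high confidence:", high)
```

The single-rule hits (an admin running systeminfo from cmd.exe, a browser talking to discord.com) stay below the threshold; only the actor that combines a known hash, browser termination, Wi-Fi profile dumping, a Defender exclusion and an upload to gofile.io is raised. In a real deployment the parser would be swapped for the SIEM's event schema and the threshold tuned against local baseline noise.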
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 1 technique
Persistence: 1 technique
Privilege Escalation: 2 techniques
Stealth: 1 technique
Credential Access: 3 techniques
“The stolen data — covering passwords, cookies, autofill entries, browsing history, and Wi-Fi credentials…”
Discovery: 2 techniques
Collection: 1 technique
Exfiltration: 2 techniques
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Information stealer family mentioned as active in the wild.
Information-stealing malware family mentioned as active in the wild; specific capabilities not detailed in the provided content beyond being a stealer/grabber.
Open-sourced infostealer intended to harvest sensitive information/credentials from infected hosts.
Python-based Windows infostealer packaged as a PyInstaller-built executable. It rapidly collects credentials and session data (browser passwords/cookies/autofill/history, Wi‑Fi credentials), profiles the host (username/hostname/HW UUID/external IP), kills browser processes to access password stores, archives data to ZIP, exfiltrates to GoFile, and notifies operators via Discord webhook or Telegram bot. Uses living-off-the-land tools (TASKKILL, NETSH, SYSTEMINFO, PowerShell) and attempts to add Microsoft Defender exclusions; may attempt UAC elevation and persistence via scheduled tasks.