Valkyrie Stealer

Earlier activity from January 2023 shows the same business model under different product names, with offers such as “Stealer/RAT 100% FUD undetect dm! with reverse shell”.

Then it parses the payload’s PE header, scans DLL exports for “ReflectiveLoader” and allocates memory inside the target browser’s process (e.g., chrome.exe) This injection is performed specifically to bypass App-Bound Encryption (ABE) by executing within the trusted application’s context.

Then it parses the payload’s PE header, scans DLL exports for “ReflectiveLoader” and allocates memory inside the target browser’s process (e.g., chrome.exe) This injection is performed specifically to bypass App-Bound Encryption (ABE) by executing within the trusted application’s context.

Before execution, Valkyrie performs numerous checks to detect virtualization, sandboxes, analysis tools, and low-resource systems. This includes process checks, registry inspection, hardware/resource validation, blacklist comparisons (MAC/IP/HWID), screen resolution checks, and a 3-minute watchdog timer.

CPU core count & RAM check Next it checks the system hardware to detect low-resource sandbox environments. It first retrieves the CPU core count using GetSystemInfo; if the system reports fewer than two cores... If the total memory is below 2048 MB (2 GB), the malware logs “Low RAM”

Before the DLL can be reflectively loaded into memory, Valkyrie decrypts it using a ChaCha20 encryption routine... Then it parses the payload’s PE header, scans DLL exports for “ReflectiveLoader”

It fills the structure with strings and signatures matching popular virtualization platforms, sandbox environments, and debugging tools... ollydbg, idaq, ida64, windbg, x32dbg, x64dbg, ghidra, cheatengine, dnspy...

Valkyrie iterates over all extracted Discord tokens and validates each one through the official users/@me API endpoint. For every token that resolves to a real Discord profile, the stealer builds a structured object containing the victim’s username, discriminator, user ID, email, phone, and token.

The most recent example is his Valkyrie Stealer, advertised on May 3, 2026 with the pitch “Valkyrie Stealer Services check my profile!! stealing passwords cookies wallets 200kb loader undetectable need affiliates”.

The injected payload targets Chromium-based browsers (Chrome, Edge, Brave) by recovering the AES master key and parsing profile databases using internal SQLite engine.

This file contains the encrypted_key field, which is a DPAPI-protected blob that contains the AES key used by the browser to encrypt passwords, cookies, and other records... These blobs are decrypted using the AES key previously extracted from the browser’s Local State file.

the actor claimed to be developing a new sideloading-based crypter designed to leverage EV code-signing certificates to remain fully undetectable by SmartScreen, web browsers, and EDR/AV solutions.

Next Valkyrie iterates over a hardcoded list of registry paths... It attempts to open every key in the list under HKEY_LOCAL_MACHINE using RegOpenKeyExA... compared to “vbox”, “virtual”, “vmware”, “qemu”, and “xen”.

Valkyrie enumerates running processes using CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW. For each process entry, it extracts the PID and executable name and stores both values into the output array.

System Info Next the malware collect system information from the infected device: Host Name Username HWID MAC Address CPU brand GPU adapters RAM Free Disk Space Total Disk Space Windows version Windows build number

Before execution, Valkyrie performs numerous checks to detect virtualization, sandboxes, analysis tools, and low-resource systems. This includes process checks, registry inspection, hardware/resource validation, blacklist comparisons (MAC/IP/HWID), screen resolution checks, and a 3-minute watchdog timer.

CPU core count & RAM check Next it checks the system hardware to detect low-resource sandbox environments. It first retrieves the CPU core count using GetSystemInfo; if the system reports fewer than two cores... If the total memory is below 2048 MB (2 GB), the malware logs “Low RAM”

It fills the structure with strings and signatures matching popular virtualization platforms, sandbox environments, and debugging tools... ollydbg, idaq, ida64, windbg, x32dbg, x64dbg, ghidra, cheatengine, dnspy...

Valkyrie Stealer is a multi-stage, modular data-theft framework designed to harvest a wide range of sensitive information from compromised Windows systems... browser data extraction, messaging-app session theft, game-account data collection, cryptocurrency-wallet theft

Valkyrie captures a full-screen desktop image using standard GDI calls... The final file is saved as: %TEMP%\Valkyrie\screenshot.bmp

Data Packaging, Encryption & Exfiltration All stolen data is compressed into a ZIP archive and encrypted using AES-GCM.

If Minizip Compression fails and enough time remains, the malware tries PowerShell-based ZIP compressor by Building a PowerShell command: powershell.exe -NoProfile -ExecutionPolicy Bypass -Command ... [IO.Compression.ZipFile]::CreateFromDirectory

Exfiltration occurs via an HTTP POST request to /api/log with encrypted payloads and system metadata.

To obtain the primary C2 domain, Valkyrie sends an HTTP GET request to the following Steam profile... The extracted value is not an actual username, but an encrypted token. Valkyrie decrypts this token to obtain the real primary C2 domain: lylred[.]space | For C2 resolution, Valkyrie dynamically retrieves its primary server from a Steam profile and uses a fallback domain if needed.

The stealer sends the data to the C2 using an HTTP POST request to /api/log ... including ... encrypted blob and a data_json field containing host reconnaissance profile.