KuinaExtractor Rust Infostealer Evolves With Chrome ABE Bypass and k0to Rebrand
ID: cc0bce6f-9ed0-59d0-9af5-00466c8356ce
STIX ID: report--cc0bce6f-9ed0-59d0-9af5-00466c8356ce
Feed Name: Cyber Press
A Rust-based information stealer first observed in December 2025 (initially KuinaExtractor, later rebranded to k0to) has matured into a sophisticated, actively used threat. The malware targets browser cookies and sessions (including Steam and crypto wallets), implements a Chrome App-Bound Encryption bypass by impersonating LSASS to recover master keys, employs VM/sandbox detection and a custom HTTP/TLS stack to evade analysis, and shifted exfiltration from Discord webhooks to a Telegram bot. Multiple variants (KuinaCookieExtractor, Zenith) and persistent operational evidence — shared mutex names, build paths, developer Telegram handles, and a Vietnamese-hosted control panel — indicate ongoing development and active use by a likely single operator in Vietnam.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
