logo

KuinaExtractor Rust Infostealer Evolves With Chrome ABE Bypass and k0to Rebrand

ID: cc0bce6f-9ed0-59d0-9af5-00466c8356ce

STIX ID: report--cc0bce6f-9ed0-59d0-9af5-00466c8356ce

Feed Name: Cyber Press

Threat Score
75/100

Date Published: 2026-06-26

Date Updated: 2026-06-26

Author: Varshini

...
...

A Rust-based information stealer first observed in December 2025 (initially KuinaExtractor, later rebranded to k0to) has matured into a sophisticated, actively used threat. The malware targets browser cookies and sessions (including Steam and crypto wallets), implements a Chrome App-Bound Encryption bypass by impersonating LSASS to recover master keys, employs VM/sandbox detection and a custom HTTP/TLS stack to evade analysis, and shifted exfiltration from Discord webhooks to a Telegram bot. Multiple variants (KuinaCookieExtractor, Zenith) and persistent operational evidence — shared mutex names, build paths, developer Telegram handles, and a Vietnamese-hosted control panel — indicate ongoing development and active use by a likely single operator in Vietnam.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.