Unpacking KiwiStealer: Diving into BITTER APT’s Malware for File Exfiltration
ID: 1c316a1e-dbf0-5a64-a43b-0dcf6957b7cc
STIX ID: report--1c316a1e-dbf0-5a64-a43b-0dcf6957b7cc
Feed Name: Pulsedive Blog
KiwiStealer is a relatively simple file stealer observed in 2024–2025 and attributed to the Bitter APT. It collects basic system information, enumerates files and filters them by extension, size (under 50 MB) and modification time (within the last year), then exfiltrates the selected files to a hardcoded C2 over HTTP POST (ebeninstallsvc.com/uplh4ppy.php). The report includes sample hashes, PCAPs showing exfiltration of RTF and JPG files, decoded C2 URIs, IOCs, MITRE ATT&CK mappings, and mitigation recommendations (EDR/AV coverage and user education).
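The summary gives the three selection rules (extension, size under 50 MB, modified within one year) and the hardcoded C2 endpoint. As an added example, not code from the Pulsedive report or from the malware itself, the Python below turns those rules into an incident-response scoping helper (which files on a host would the stealer have picked up, and how many bytes) and a proxy-log check for POSTs to the reported C2. The extension set beyond RTF and JPG, the proxy log line format and all sample data are assumptions constructed here.

```python
"""IR scoping helper modelled on the KiwiStealer selection rules in the summary above.

Added example; not the report's or the malware's code. Thresholds follow the
summary; the extension list and the log format are assumptions.
"""
import os
import re
import time
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Selection thresholds as stated in the summary.
MAX_SIZE_BYTES = 50 * 1024 * 1024        # strictly less than 50 MB
MAX_AGE_SECONDS = 365 * 24 * 60 * 60     # modified within one year

# ASSUMPTION: the summary does not list the full extension set. RTF and JPG are
# the two types seen in the report's PCAPs; the others are plausible additions.
TARGET_EXTENSIONS = {".rtf", ".jpg", ".jpeg", ".doc", ".docx", ".pdf", ".xls", ".xlsx"}

# Hardcoded C2 endpoint from the report.
C2_HOST = "ebeninstallsvc.com"
C2_PATH = "/uplh4ppy.php"


@dataclass(frozen=True)
class FileMeta:
    path: str
    size: int      # bytes
    mtime: float   # POSIX timestamp


def would_be_selected(meta: FileMeta, now: float,
                      extensions=TARGET_EXTENSIONS) -> bool:
    """Apply the three reported filters to one file's metadata."""
    ext = os.path.splitext(meta.path)[1].lower()   # case-insensitive match
    if ext not in extensions:
        return False
    if meta.size >= MAX_SIZE_BYTES:
        return False
    age = now - meta.mtime
    # A negative age (future-dated file) is treated as recent so that scoping
    # errs on the side of counting the file as exposed.
    return age <= MAX_AGE_SECONDS


def select_files(metas: Iterable[FileMeta], now: float) -> List[FileMeta]:
    return [m for m in metas if would_be_selected(m, now)]


def exposed_bytes(metas: Iterable[FileMeta], now: float) -> int:
    """Upper bound on data volume the stealer could have taken from these files."""
    return sum(m.size for m in select_files(metas, now))


def scan_directory(root: str, now: Optional[float] = None) -> List[FileMeta]:
    """Walk a real tree on an IR host and return the files the rules would pick."""
    now = time.time() if now is None else now
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the scan
            found.append(FileMeta(full, st.st_size, st.st_mtime))
    return select_files(found, now)


# ASSUMPTION: constructed proxy log format "<ts> <client> <method> <host> <path> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def flag_c2_posts(lines: Iterable[str]) -> List[str]:
    """Return client IPs that POSTed to the reported C2 host and upload path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, method, host, path, _status = m.groups()
        if method.upper() == "POST" and host.lower() == C2_HOST and path == C2_PATH:
            hits.append(client)
    return hits


# Constructed sample data so the block runs stand-alone.
NOW = 1_700_000_000.0
DAY = 86_400
SAMPLE_FILES = [
    FileMeta("C:/Users/a/Documents/report.rtf", 120_000, NOW - 30 * DAY),          # selected
    FileMeta("C:/Users/a/Pictures/scan.jpg", 2_000_000, NOW - 200 * DAY),          # selected
    FileMeta("C:/Users/a/Documents/archive.rtf", 12_000, NOW - 400 * DAY),         # too old
    FileMeta("C:/Users/a/Videos/big.jpg", 60 * 1024 * 1024, NOW - DAY),            # too big
    FileMeta("C:/Users/a/Documents/notes.txt", 500, NOW - DAY),                    # extension not targeted
    FileMeta("C:/Users/a/Documents/REPORT.JPG", 1, NOW - 364 * DAY),               # upper-case ext, selected
    FileMeta("C:/Users/a/Documents/exactly50mb.rtf", 50 * 1024 * 1024, NOW - DAY),  # boundary: not < 50 MB
    FileMeta("C:/Users/a/Documents/edge.rtf", 4_096, NOW - 365 * DAY),             # boundary: exactly one year
]
SAMPLE_LOG = [
    "2025-01-10T09:00:01Z 10.0.0.21 GET www.example.org /index.html 200",
    "2025-01-10T09:00:05Z 10.0.0.21 POST ebeninstallsvc.com /uplh4ppy.php 200",
    "2025-01-10T09:00:09Z 10.0.0.33 GET ebeninstallsvc.com /uplh4ppy.php 404",     # not a POST
    "2025-01-10T09:01:12Z 10.0.0.44 POST EBENINSTALLSVC.COM /uplh4ppy.php 200",   # host case differs
]

if __name__ == "__main__":
    for m in select_files(SAMPLE_FILES, NOW):
        print("would be taken:", m.path)
    print("exposed bytes:", exposed_bytes(SAMPLE_FILES, NOW))
    print("clients POSTing to C2:", flag_c2_posts(SAMPLE_LOG))
```

On a live host, `scan_directory(r"C:\Users")` gives the list of files an analyst should treat as potentially exfiltrated; pair it with the PCAP evidence in the report to confirm which ones actually left. The size check is strict (`>=` rejects) because the summary says under 50 MB, while the age check is inclusive at exactly one year, since the boundary behaviour is not specified and inclusive is the safer scoping choice.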
