This new Windows botnet could drain your crypto wallet

A white padlock on a dark digital background.
(Image credit:

Cybersecurity experts have recently spotted a brand new botnet, whose endgame has not yet been revealed.

First found in October 2021 by researchers from ZeroFox, the botnet, named Kraken, targets Windows-powered endpoints, and deploys various malware to the affected devices, including the RedLine Stealer malware.

RedLine Stealer is currently one of the most popular infostealers out there, capable of grabbing entire identities from browsers, obtaining data such as saved passwords, autocomplete data, or credit card information. Furthermore, it also grabs system inventory data, such as username, location data, hardware configuration, and software details. 

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> <a href="" data-link-merchant=""" target="_blank">Click here to start the survey in a new window <<

Distributing RedLine Stealer

"Monitoring commands sent to Kraken victims from October 2021 through December 2021 revealed that the operator had focused entirely on pushing information stealers – specifically RedLine Stealer," ZeroFox said.

"It is currently unknown what the operator intends to do with the stolen credentials that have been collected or what the end goal is for creating this new botnet."

Newer versions of RedLine is also capable of stealing cryptocurrencies from the victim’s wallets, which is also something the researchers are warning. 

ZeroFox researchers are saying Kraken, with the help of RedLine Stealer, is able to wipe out the contents of Zcash, Armory, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Atomic, and Jaxx Liberty cryptocurrency wallets. 

As things stand now, the operators of the malware rake up roughly $3,000 every month, by clearing out people’s wallets. 

"While in development, Kraken C2s seem to disappear often. ZeroFox has observed dwindling activity for a server on multiple occasions, only for another to appear a short time later using either a new port or a completely new IP," the researchers added.

“By using SmokeLoader to spread, Kraken quickly gains hundreds of new bots each time the operator changes the C2," the researchers confirmed.

Kraken is built on Golang, and uses SmokeLoader backdoor and malware downloader to spread.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.