EXECUTIVE SUMMARY
Researchers have unveiled detailed insights into Hannibal Stealer, a rebranded variant of the Sharp and TX stealers, showing its evolution and resurgence in the cybercrime ecosystem. Developed in C# for the .NET framework, Hannibal Stealer is engineered to extract sensitive information from Chromium- and Gecko-based browsers while bypassing Chrome's Cookie V20 protection. Beyond browser data theft, it aggressively targets cryptocurrency wallets such as Exodus, MetaMask, Monero, and FTP clients like FileZilla and Total Commander. Hannibal Stealer’s capabilities extend into VPN credential theft, Steam session hijacking, Telegram and Discord data extraction, and system profiling, including clipboard hijacking through a crypto clipper module. It was initially marketed on BreachForums with a structured subscription model, supported by posts across Turkish-speaking forums and Darkforums, suggesting a coordinated multi-platform promotion campaign.
The analysis of Hannibal Stealer reveals its sophisticated structure, combining geofencing, domain-matching, victim profiling, and targeted data exfiltration mechanisms. The malware employs the GetLolocationInfo function to geofence itself, avoiding execution in specific countries often linked to the operators. Its reconnaissance phase, via the GetDomainDetect function, is focused on harvesting high-value credentials by scanning browser directories for information tied to financial services, crypto platforms, and underground forums. Victim profiling is conducted by gathering exhaustive system details, geolocation, clipboard content, and network data, all staged into an "Information.txt" file. Cryptocurrency wallet theft is a primary objective, with dedicated code to locate and extract sensitive wallet files from desktop clients like BitcoinCore and DashCore. Hannibal Stealer also hijacks cryptocurrency transactions by monitoring and manipulating clipboard contents, increasing the likelihood of direct financial gain. It systematically targets FTP credentials, browser-stored sensitive data, and VPN configuration files, maintaining organized counters to track each successful data theft action. Data is compressed into zip archives and exfiltrated either via a Telegram bot or through custom PHP-based private servers, reflecting a flexible and robust communication strategy.
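The two exfiltration channels described above (a Telegram bot upload and a self-hosted PHP server) leave a recognisable shape in egress logs. The following detection logic is an added example, not code from the report or from the malware; the log format, process names, bot token, IP addresses and the 100 KiB size threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy/EDR egress log lines (not taken from the report); bot token and IPs are placeholders.
SAMPLE_LOGS = [
    "proc=chrome.exe method=GET url=https://www.example.com/ ctype=- bytes=512",
    "proc=svchost32.exe method=POST url=https://api.telegram.org/bot123456789:AAEplaceholderTOKEN/sendDocument ctype=multipart/form-data bytes=284711",
    "proc=msedge.exe method=POST url=https://203.0.113.5/upload.php ctype=multipart/form-data bytes=204800",
    "proc=updater.exe method=POST url=http://198.51.100.23/gate.php ctype=multipart/form-data bytes=301233",
    "proc=updater.exe method=POST url=http://198.51.100.23/ping.php ctype=application/x-www-form-urlencoded bytes=120",
]

LOG_RE = re.compile(r"proc=(?P<proc>\S+) method=(?P<method>\S+) url=(?P<url>\S+) ctype=(?P<ctype>\S+) bytes=(?P<bytes>\d+)")
# Telegram Bot API document upload: /bot<id>:<token>/sendDocument. Official Telegram clients speak MTProto,
# so an endpoint process uploading documents through the HTTP Bot API is worth a look regardless of its name.
TELEGRAM_BOT_UPLOAD = re.compile(r"^https://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/sendDocument", re.I)
# Multipart POST to a PHP script on a bare IP address: the shape of a self-hosted PHP drop server.
BARE_IP_PHP = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/[^?]*\.php", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # legitimate multipart uploads to odd hosts are common here
MIN_UPLOAD_BYTES = 100 * 1024  # assumption: a zipped stealer log is comfortably above this size


@dataclass(frozen=True)
class Finding:
    proc: str
    url: str
    reason: str


def detect(lines):
    """Return one Finding per log line that matches either exfiltration pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        proc, method, url, ctype, size = m["proc"], m["method"], m["url"], m["ctype"], int(m["bytes"])
        if method != "POST" or not ctype.startswith("multipart/form-data"):
            continue  # both channels upload an archive as a multipart POST
        if TELEGRAM_BOT_UPLOAD.match(url):
            findings.append(Finding(proc, url, "telegram_bot_sendDocument"))
        elif BARE_IP_PHP.match(url) and proc.lower() not in BROWSERS and size >= MIN_UPLOAD_BYTES:
            findings.append(Finding(proc, url, "multipart_post_to_bare_ip_php"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f.reason}: {f.proc} -> {f.url}")
```

Run against the sample lines it flags the svchost32.exe Telegram upload and the updater.exe upload to gate.php, while the browser upload and the small urlencoded ping are ignored.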
Further external threat landscape management research shows that Hannibal Stealer maintains an active presence in several Telegram communities with thousands of subscribers, and that its operators offer additional services such as HANNIBAL INSTALL SERVICES to widen malware distribution. Analysis of promotion patterns and Telegram identifiers strongly suggests that Hannibal Stealer is not a new creation but a rebranded iteration of previous malware strains, namely SHARP and TX Stealer. This rebranding strategy appears aimed at circumventing bans and preserving revenue streams without introducing substantial innovation. Updates mainly center on shifting data exfiltration techniques from Telegram to C2 servers, while core functionality remains consistent. The Django-based HANNIBAL control panel provides operators with a streamlined interface to manage stolen data, control stealer settings, and deploy payloads, consolidating credential harvesting, cryptocurrency theft, and victim profiling into a centralized dashboard.
THREAT PROFILE:
Tactics | Technique ID | Technique
--- | --- | ---
Execution | T1047 | Windows Management Instrumentation
Execution | T1106 | Native API
Execution | T1129 | Shared Modules
Privilege Escalation | T1055 | Process Injection
Privilege Escalation | T1543 | Create or Modify System Process
Privilege Escalation | T1547 | Boot or Logon Autostart Execution
Privilege Escalation | T1574 | Hijack Execution Flow
Defense Evasion | T1027 | Obfuscated Files or Information
Credential Access | T1003 | OS Credential Dumping
Credential Access | T1552 | Unsecured Credentials
Credential Access | T1555 | Credentials from Password Stores
Discovery | T1010 | Application Window Discovery
Discovery | T1016 | System Network Configuration Discovery
Discovery | T1018 | Remote System Discovery
Discovery | T1033 | System Owner/User Discovery
Discovery | T1057 | Process Discovery
Discovery | T1082 | System Information Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1087 | Account Discovery
Discovery | T1518 | Software Discovery
Discovery | T1614 | System Location Discovery
Collection | T1005 | Data from Local System
Collection | T1113 | Screen Capture
Collection | T1115 | Clipboard Data
Collection | T1213 | Data from Information Repositories
Command and Control | T1071 | Application Layer Protocol
Command and Control | T1102 | Web Service
Command and Control | T1105 | Ingress Tool Transfer
Command and Control | T1573 | Encrypted Channel
Exfiltration | T1041 | Exfiltration Over C2 Channel
Impact | T1485 | Data Destruction
Impact | T1496 | Resource Hijacking
REFERENCES:
The following reports contain further technical details: