May 10, 2025
Severity
High
Analysis Summary
Waltuhium Grabber is a Python-based information stealer categorized as commodity malware, often used by low-skilled threat actors due to its easy availability and customizable codebase. It is not linked to a specific Advanced Persistent Threat (APT) group but is frequently used in opportunistic campaigns and cybercriminal activities. The malware originated from open-source repositories like GitHub, where its code is openly shared, modified, and reused by various actors across underground forums. Its core functionality includes stealing sensitive user data such as browser credentials, Discord tokens, system information, and session cookies, which are often exfiltrated to a remote server or delivered to a Telegram bot.
In the past, Waltuhium Grabber has been observed in widespread phishing and drive-by download campaigns targeting general internet users, with the aim of harvesting credentials for financial fraud, identity theft, and secondary infections. It is often disguised within cracked software, fake utilities, or malicious email attachments.
In its recent campaign observed in early 2025, Waltuhium Grabber was reportedly used in targeted phishing attacks amid heightened geopolitical tensions between India and Pakistan. Threat actors leveraged the malware in malicious documents and executables impersonating government communications, attempting to infect systems within public institutions and military-linked networks in Pakistan. Although not linked to a named APT, the use of such malware in a politically sensitive context suggests possible alignment with broader state-influenced objectives or hacktivist motives. The malware’s modular nature and low detection footprint make it a favored tool for rapidly executed, high-volume attacks during regional conflicts.
Impact
- Credential Theft
- Financial Loss
- Data Exfiltration
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Regularly update antivirus and anti-malware tools to detect and block known grabbers.
- Educate employees about phishing and social engineering tactics used to deliver malware.
- Enforce strong password policies and enable multi-factor authentication across all critical systems.
- Restrict user permissions to minimize the impact of credential theft.
- Monitor network traffic for unusual or unauthorized data exfiltration attempts.
- Use endpoint detection and response (EDR) tools to identify suspicious behavior.
- Disable macros and scripting features in office applications unless absolutely necessary.
- Segment the network to isolate critical assets and prevent lateral movement.
- Patch operating systems and software regularly to close known vulnerabilities.
- Implement secure email gateways to filter malicious attachments and links.
- Audit and rotate credentials regularly, especially for privileged accounts.
- Store sensitive information using encryption both at rest and in transit.
- Maintain up-to-date incident response plans for fast containment and recovery.
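As an added illustration of the network-monitoring item above, and not code from the advisory or from the malware itself, the following Python script scans proxy log lines for Telegram Bot API "send" calls, the delivery channel the summary names for stolen browser credentials, Discord tokens and cookies. The log format, IP addresses, hostnames and bot tokens are all constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample proxy log lines for this example (not taken from the advisory):
# timestamp  client-ip  method  url  bytes-sent  user-agent
SAMPLE_PROXY_LOG = """\
2025-05-10T09:12:01Z 10.20.1.14 GET https://www.example.org/index.html 512 Mozilla/5.0
2025-05-10T09:14:22Z 10.20.1.14 POST https://api.telegram.org/bot1234567890:AAHfakeTOKENforTESTonly/sendDocument 734211 python-requests/2.31
2025-05-10T09:15:03Z 10.20.1.27 POST https://api.telegram.org/bot9876543210:AAGfakeTOKENforTESTonly/sendMessage 1024 python-requests/2.31
2025-05-10T09:16:40Z 10.20.1.30 POST https://mail.example.org/upload 2048000 Mozilla/5.0
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+) (?P<ua>.+)$")

# Telegram Bot API requests carry the bot token in the URL path; a stealer that hands
# its loot to a Telegram bot must call one of the "send*" methods on this host.
TELEGRAM_BOT_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<api>send\w+)"
)

def parse_proxy_log(text: str) -> List[Dict[str, str]]:
    """Parse the whitespace-separated format above; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def find_telegram_exfil(entries: List[Dict[str, str]], upload_threshold: int = 100_000) -> List[Dict[str, object]]:
    """Flag Bot API traffic from internal hosts. Only the numeric bot id is kept in the
    finding, never the token secret, so alerts can be shared without leaking the token."""
    findings = []
    for e in entries:
        m = TELEGRAM_BOT_RE.match(e["url"])
        if not m:
            continue
        # sendDocument, or any large body, points at bulk upload of collected data.
        bulk = m.group("api") == "sendDocument" or int(e["bytes"]) >= upload_threshold
        findings.append({
            "ts": e["ts"], "src": e["src"], "bot_id": m.group("bot_id"),
            "api": m.group("api"), "bytes": int(e["bytes"]),
            "severity": "high" if bulk else "medium",
            "reason": "file upload to Telegram bot" if bulk else "Telegram Bot API call from endpoint",
        })
    return findings

if __name__ == "__main__":
    for f in find_telegram_exfil(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"{f['ts']} {f['src']} -> bot {f['bot_id']} {f['api']} ({f['bytes']} B): {f['severity']}, {f['reason']}")
```

Pointing the parser at real proxy or firewall exports and raising the findings into a SIEM gives a simple hunt for the exfiltration stage described in the summary, independent of file hashes that change with every rebuild of the grabber.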