Gotham Stealer Technical Analysis

This blog post comes from the “Gotham Stealer Technical Analysis” by the Brandefense Research Team. For more details about the analysis, download the report.


Gotham Stealer, a newly identified malware threat emerging in September 2023, showcases diverse capabilities, targeting browser information, crypto wallets, and gaming accounts like Discord, Steam, and Roblox. Notably, it infiltrates systems through game crack sites and gaming-themed platforms. Gotham Stealer’s unique features, including its use of Node.js and a substantial self-contained executable size, challenge conventional perspectives on desktop malware. This introduction sets the scene for a detailed examination of Gotham Stealer’s functionalities and its implications for cybersecurity.


In the ”Scope” section, hashes of the analyzed ”Gotham Stealer” sample are provided.


Executive Summary

Gotham Stealer, also called “Revamped and strengthened Pirate”, has been circulating in Telegram channels since September 2023, with its development initiated in March of the same year. Despite initial impressions suggesting it may be a copy of Pirate Stealer, our in-depth analysis by the threat intelligence and malware analysis teams reveals a unique element: its incorporation of a Discord stealer component. This distinctive feature sets Gotham Stealer apart from potential misconceptions of being a mere duplicate.

Operated by Turkish threat actors who ceased their activities on December 8, 2023, there remains a lingering concern of a potential resurgence or an upgraded version in the future. The malware displays versatile capabilities, encompassing the theft of browser information, crypto wallets, as well as Discord, Steam, and Roblox accounts. Its focus on gaming accounts leads to the dissemination of Gotham Stealer through game crack sites and websites centered around gaming themes. Notably, Gotham Stealer stands out due to its unconventional form as a Node.js self-contained executable, boasting a substantial size of 80MB—significantly larger than typical malware sizes. This characteristic fuels claims of evading malware sandboxes, challenging conventional assumptions regarding desktop malware, where JavaScript-based threats are less prevalent.

This report underscores the uniqueness of Gotham Stealer, debunking misconceptions of its origin and highlighting its potential for future threats. The
unconventional use of Node.js and its distinctive size contribute to its evasive capabilities, warranting heightened attention in cybersecurity efforts.

Download YARA Rules and IoCs from GitHub.

This blog post comes from the “APT34’s New Backdoor: SideTwist Variant Technical Analysis” by the Brandefense Research Team. For more details about the analysis, download the report.

Share This: