A new info-stealer, named Lightning Stealer, has been spotted in the wild. This type of malware poses a serious threat as cybercriminals can use it to get initial access to corporate networks.

What are its characteristics?

  • According to Cyble Research Labs, Lightning Stealer is a .NET-based info-stealer that is capable of targeting over 30 Firefox and Chromium-based browsers. 
  • The data stolen from these browsers include passwords, cookies, and users’ history.
  • It can also steal Discord tokens, as well as data from crypto wallets, Telegram, and Steam.
  • The malware also exfiltrates the .txt and .doc files present in the ‘Desktop’ folder on the victim’s system.
  • Unlike other info-stealers, Lightning Stealer stores all the stolen data in JSON format.

Other specifications

  • The sensitive user data stored in Chrome-based browsers is kept in encrypted form. The malware enumerates the names of all files present in the ‘Browser-name\User Data\’ folder. It then checks for the ‘Local State’ file, which stores the encrypted keys Chrome uses to decrypt the login data.
  • Furthermore, Lightning Stealer only harvests data from crypto wallets associated with GetZcash.
  • The malware then converts the wallet file’s content into Base64 and saves it to a list.
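
The file-access pattern described above (a non-browser process reading ‘Local State’ or login data under ‘User Data’, alongside .txt and .doc files on the Desktop) can be hunted for in endpoint telemetry. The sketch below is an added example, not code from Cyble or Cyware; the event schema, the browser allowlist and the sample events are constructed assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed sample events; field names are a hypothetical schema, not a real EDR format.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\Desktop\payroll.doc"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Desktop\notes.txt"},
]

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}  # assumed allowlist
CRED_FILES = {"local state", "login data"}  # file names taken from the description above

def classify(target):
    """Return 'browser_secret', 'desktop_doc' or None for one accessed file path."""
    path = target.lower()
    name = ntpath.basename(path)
    if "\\user data\\" in path and name in CRED_FILES:
        return "browser_secret"
    if ntpath.basename(ntpath.dirname(path)) == "desktop" and name.endswith((".txt", ".doc")):
        return "desktop_doc"
    return None

def find_suspects(events):
    """Map each non-browser image to the sorted categories of files it read."""
    seen = defaultdict(set)
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        kind = classify(ev["target"])
        if kind and image not in BROWSER_IMAGES:
            seen[image].add(kind)
    # Reading Desktop documents alone is normal; require a browser secret read.
    return {img: sorted(kinds) for img, kinds in seen.items() if "browser_secret" in kinds}

if __name__ == "__main__":
    for image, kinds in find_suspects(SAMPLE_EVENTS).items():
        print(image, kinds)
```

In a real deployment the allowlist would also need to cover legitimate tools that read these files, such as backup or profile-sync software.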


Researchers indicate that Lightning Stealer is an emerging info-stealer that is likely to evolve in the future. As information stolen by such malware is sensitive, organizations should follow good security practices to thwart such attacks.

Cyware Publisher