Rude Stealer, Stealer, Java

New Java-Based Rude Stealer abuses DirectX Diagnostic Tool

Key takeaways

  • Cyble Research and Intelligence Labs (CRIL) recently came across a new stealer named “Rude”. This Java-based malware is specifically crafted to pilfer confidential data from compromised machines discreetly.
  • Rude Stealer specializes in extracting data from various browsers, capturing Discord tokens, Steam IDs, and information about installed games, along with the ability to take screenshots.
  • Additionally, it leverages the DirectX Diagnostic Tool (DxDiag) to extract system details, including the hostname, operating system version, BIOS information, and more.
  • The Threat Actors (TAs) behind Rude Stealer employ Telegram channels for the exfiltration of this stolen data.
  • The identity of the Threat Actor behind Rude Stealer remains unknown. However, the deliberate choice of converting the system time to the Turkish region’s time zone raises the possibility that the Threat Actors may be based in that region.


Java Archive (JAR) is a file format derived from the ZIP format, providing cross-platform compatibility across Windows, macOS X, Linux, Android OS, and more as long as Java is installed.

JAR files are not as commonly favored among TAs due to them requiring an installed Java Runtime Environment (JRE) for execution. However, Threat Actors still leverage Java due to its ability to deploy malware that runs seamlessly on diverse operating systems. Furthermore, malicious JAR files may be less likely to be detected compared to executable files by the security software.

In our latest blog post, we unveiled the discovery of a new Remote Access Trojan (RAT) named “Sayler,” encapsulated within a JAR file. This malicious entity incorporates a range of harmful functionalities, encompassing a Keylogger, Information Stealer, Screen Capture tool, Ransomware, and supplementary features.

On November 6th, CRIL identified a malicious Java Archive (JAR) file named “Stealer.jar” on VirusTotal. Upon further analysis, we were able to determine that the identified JAR file functions as a new information stealer named “Rude” designed to target the Windows Operating System.

Rude Stealer, System Information
Figure 1 – Rude Stealer capturing system information

The primary objective of Rude Stealer is to collect sensitive information, such as passwords, cookies, history, and auto-fills, from various browsers. Furthermore, it targets tokens and IDs from installed applications such as Discord and Steam. Additionally, it is equipped with the capability to capture screenshots. An initial look at the decompiled code of this stealer is shown below.

Rude Stealer, Decompiled code
Figure 2 – Rude Stealer’s decompiled code

Following the successful completion of the data theft process, Rude Stealer proceeds to transmit the pilfered data to the TAs through a designated Telegram channel.

Initial Infection:

While Rude Stealer’s initial infection vector is unknown, we were able to determine that it functions in a manner requiring the involvement of the TAs to commence data theft activities. To activate the stealer, the TAs need to execute it using command line arguments, specifying their Telegram channel chat ID and Bot Token. This action enables them to collect information from the compromised system.

Technical Analysis

The start function of the Rude Stealer is located in the class file “com.Rude.stealer.main.Start”, which contains a main method. This method takes an array of string arguments. The values of args[1] and args[0] (command line arguments) are assigned to the static fields chat_id and bot_token in the SendFile class.

These arguments will later contribute to the establishment of a communication channel for TAs via Telegram. The image below shows the content of Start.class file.

Figure 3 – Contents of Start.class file

Upon receiving input arguments, Rude Stealer proceeds to initialize instances for various other class files. Each class file is responsible for executing operations related to extracting sensitive information from the system, installed applications, and browsers. The respective class file “NodeManager” is shown below. 

Rude Stealer
Figure 4 – Partial content of Nodemanager class file

Upon the successful initialization of each method, representing distinct stealing operations, the stealer commences its various pilfering activities within the compromised system.

Stealing Steam user data

To steal a victim’s Steam user data, Rude Stealer scans the victim’s system for the Steam application directory, located at “Program Files (x86)\Steam\config” by default. If the Steam directory is identified, the stealer proceeds to copy all the files into a newly created folder – “C:\Users\[username]\Steam”.

Following that, the stealer generates a log file named “Log_Info.txt” in the same directory “C:\Users\[username]\Steam” to log information related to any associated Steam accounts on the victim’s sys.

Next, Rude Stealer traverses the directory containing the copied Steam files, inspecting each file for a name matching ‘loginusers’. Upon identifying this file, the stealer reads its content and searches for SteamID (typically presented as a 17-character string, for instance, 12345678900000000). If the search pattern identifies the victim’s SteamID, the stealer generates a URL using the SteamID, as shown below, and saves it in the log file:


The stealer also removes files with names that include either “coplay_” or “DialogConfigOverlay” from the copied files directory. This file deletion may indicate that the TAs are not focused on exfiltrating avatars (profile picture) and configuration files from compromised systems.

The image below shows the code to steal Steam user data.

Figure 5 – Code snippet to steal Steam user data

Upon acquisition of user account details associated with Steam, Rude Stealer proceeds to target installed games in the compromised system. To gather information about these games, the stealer retrieves a directory path, namely “C:\Program Files (x86)\Steam\Steamapps\“—the default location for Steam to store game manifest files on a Windows Operating System.

Subsequently, the stealer searches for files within the identified directory containing the substring “appmanifest_”. It then processes the contents of these files, extracts the names of the installed games, and saves this information in the same log file created earlier – “C:\Users\[username]\Steam\ Log_Info.txt”.

The code snippet in the image below shows the part of the Steam class responsible for extracting information about installed games.

Figure 6 – Code snippet that steals information about installed games

Stealing Discord tokens

An additional threat that Rude Stealer poses is its ability to extract Discord tokens from the victim’s system by searching for Discord-related directories, such as:

  • C:\Users\[username]\Appdata\Roaming\discord\Local Storage\leveldb\
  • C:\Users\[username]\Appdata\Roaming\discordcanary\Local Storage\leveldb\

If any of these directories are identified, the stealer copies all the files to a newly created directory at “C:\Users\[username]\Discord”.

Subsequently, Rude Stealer filters through the files in these directories, employing a regex pattern “dQw4w9WgXcQ:” to identify Discord tokens. Once located, it writes these tokens to a newly created text file at “C:\Users\[username]\Discord\Auth_Keys.txt”. The associated class file for this Discord token theft operation is displayed below.

Discord, Rude Stealer
Figure 7 – Class file to steal Discord Tokens

Capturing Running Process Information

After successfully pilfering Discord tokens and Steam IDs, Rude Stealer proceeds to retrieve a list of active processes running on targeted systems. It extracts information such as process name and its corresponding Process ID (PID). Subsequently, this extracted information is logged into a text file named “Process.txt” within the user profile directory “C:\Users\[username]”. The image below displays the class file responsible for extracting information regarding running processes.

Running processes, Rude Stealer
Figure 8 – Class file to steal running process details in the system

Stealing System information

In addition to stealing the aforementioned Steam, Discord, and process information, Rude Stealer can also retrieve system specifications from a victim’s machine. This is achieved by executing the DirectX Diagnostic Tool (dxdiag), a Windows utility for diagnosing and troubleshooting DirectX, graphics, and sound-related issues. The image below displays dxdiag’s output.

DirectX, DxDiag,
Figure 9 – Output of the DirectX Diagnostic Tool

This collected diagnostic information is then saved to a text file named “Properties.txt” in the “C:\Users\[username]” directory. The image below displays the content of the Properties class file, which is responsible for retrieving system information.

Class file, Rude Stealer
Figure 10 – Content of the Properties class file

Capturing Screenshots

Further supplementing these already formidable information-stealing capabilities, Rude Stealer can also capture screenshots from a victim system by utilizing the Java Robot class, an inbuilt class in the Java AWT (Abstract Window Toolkit) package, to capture the current screen. Captured screenshots are saved as PNG files named “Screenshot.png” in the user profile directory “C:\Users\[username]”. The image below shows the content of the class file responsible for taking screenshots.

Figure 11 – Contents of the Screenshot class file

Stealing data from multiple browsers

Rude Stealer is also designed to collect sensitive information from various web browsers, as outlined in the table below:

Browser nameAutoFillCookiesCredit CardsHistoryPasswords
Brave Yes Yes  Yes  Yes  Yes
Edge  Yes  Yes  Yes  Yes  Yes
Chrome  Yes  Yes  Yes  Yes  Yes
Firefox   Yes   
Opera  Yes  Yes  Yes  Yes  Yes
OperaGX  Yes  Yes   Yes  Yes
Vivaldi  Yes  Yes   Yes  Yes
Yandex  Yes  Yes   Yes  Yes

This decrypted data from various web browser databases is stored in log files, with the extracted content and corresponding log file paths outlined in the table below:

FunctionsInformation extractedPath of log files
Autofill()Site name and autofill valuesC:\Users\[username]\General\AutoFills.txt
Creditcard()Credit card number, expiration month, and expiration yearC:\Users\[username]\General\CreditCards.txt
Cookies()Path, domain, security attribute, HTTP-only attribute, expiration, decrypted cookie valueC:\Users\[username]\General \Cookies\[Browser-name].txt
History()URL of the visited site and Title of the siteC:\Users\[username]\General\History.txt  
Passwords()URL, Login or username, and passwordC:\Users\[username]\General\Passwords[Browser-name].txt

Stealing System information

Rude Stealer also steals a variety of system-related details, which are listed below, and stores them in a respective text file located at “C:\Users\[username]\”.

  • System Time
  • IP Address
  • Country
  • Drives
  • Current Username
  • Computer Name
  • Language
  • CPU Architecture
  • Number of CPU Kernels
  • GPU Name
  • RAM (Random Access Memory)
  • Screen Resolution
  • Working Path

Data Compression, Transmission and Termination

Once it successfully gathers all required information from the victim’s system, Rude Stealer creates a ZIP archive labeled with the computer name. This archive is located at “C:\Users\[username]\”. This archive includes all the TXT files containing stolen information, as well as subdirectories (such as Discord and Steam) found within the user profile directory created by the stealer.

Following the creation of the ZIP file, the stealer proceeds to transmit this data to the TA’s Telegram chat ID utilizing the Telegram bot API. The image below shows the content of the sendFile.class responsible for exfiltrating this stolen data.

Exfiltration, infostealer
Figure 12 – Code for exfiltrating stolen data

As a final step, Rude Stealer engages in a cleanup procedure, deleting specific files and directories generated during its operation. This cleanup includes removing both the folder and any ZIP files associated with the computer’s name, after which the program terminates.


Upon analysis of the discovered evidence, we can assume that Rude Stealer is likely operated by a TA associated with or operating from Turkey. This assessment is supported by the stealer’s action of retrieving the compromised system’s time and then converting it to Turkey’s time zone. The accompanying image shows the function responsible for this time conversion process.

Turkey, Rude Stealer
Figure 13 – Function to convert victim’s system time to Turkey time zone


Being a relatively straightforward stealer developed using Java, Rude Stealer may not have gained a lot of traction and relevance in the infosec community, unlike some other stealers in the wild that we have observed and analyzed.

However, as per our findings in this analysis, we believe Rude Stealer still poses a noteworthy threat to both individual users and organizations. Its use of Dxdiag to obtain sensitive information adds yet another layer of significance to its capabilities.

Rude Stealer’s adeptness in targeting various categories of highly sensitive information from diverse applications and browsers raises concerns in the current cybersecurity threat landscape. This compromised information, once in the hands of attackers, creates potential risks for financial exploitation and can be leveraged to launch additional attacks on individuals or organizations.


  • To enhance security, we advise that users disable the automatic saving and storage of passwords by web browsers and opt for password managers instead.
  • Establish stringent access controls or policies to regulate the execution of system tools such as dxdiag.
  • Enforce strict rules to block the creation of text files within the user profile folder, particularly in sensitive paths like “C:\Users\[username]”.
  • Use reputed anti-virus and internet security software packages on your connected devices, including PC, laptop, and mobile.

MITRE ATT&CK® Techniques

Tactic TechniqueProcedure
Execution  (TA0002)User Execution (T1204)Manual execution required
Credential Access (TA0006)OS Credential Dumping (T1003)Tries to harvest and steal browser information
Credential Access  (TA0006)Steal Application Access Token (T1528)Steal Application Access Token
Credential Access  (TA0006)Credentials from Web Browsers (T1555)Steals credentials from Web Browsers
Discovery  (TA0007)System Information Discovery (T1082)The stealer gathers system information through various methods
Collection (TA0009)Screen capture (T1113)Takes a screenshot of the victim’s screen
Collection (TA0009)Data from the Local System
The malware collects sensitive data from
victim’s system.
Exfiltration(TA0010)Exfiltration Over Web Service (T1567)Uses Telegram channel to exfiltrate data

Indicators Of Compromise

Indicators Indicator
05b932d3306fb06ee961fd533d2faab92ed01f7f0ee2b7bea5a6a1f521154a94   7fd1fea4f939b5350a5699a69866e7714767a68f   92aa4673f7885c6f6b4ea39cb2f1b643SHA256   SHA1   MD5  Rude Stealer

YARA Rules

rule Rude_Stealer



author = “Cyble”

description = “Detects Rude Stealer”

date = “2023-11-20”

os = “Windows”

threat_name = “Rude Stealer”

scan_type = “file”

severity = 90

reference_sample = “05b932d3306fb06ee961fd533d2faab92ed01f7f0ee2b7bea5a6a1f521154a94”


$a = “com/Rude/stealer/” ascii wide

$b = “/decrypt/password/Password.class” ascii wide

$c = “/nodes/impl/Screenshot.class” ascii wide


uint16(0) == 0x504B and all of them


Scroll to Top