New Open-Source ‘Trap Stealer’ Pilfers Data in just 6 Seconds

Key takeaways

  • The blog provides deep insights into a newly identified stealer known as “Trap Stealer” – an open-source Python-based program.
  • The developer of this stealer claims that it is designed to extract a wide range of sensitive data from compromised systems in just 6 seconds.
  • The stealer attempts to entice potential victims through deceptive gift card generators, fraudulent webhook spamming, and fake webhook deletion, all designed to lure users into downloading this tool.
  • This stealer can extract sensitive information, including system details, user data from different web browsers, Discord tokens, files from the WhatsApp desktop application, and more.
  • It leverages Discord webhook to send the stolen files to Threat Actors (TAs).
  • The stealer has the ability to trigger a specific hard error, causing an intentional system crash.


As per our recent observations, stealers have continued to evolve with increasingly sophisticated features, and the proliferation of open-source code has played a pivotal role in the introduction of numerous stealers. In our recent blog, we highlighted the capabilities of ‘Exela Stealer,’ an open-source tool proficient at extracting diverse data from compromised systems. TAs are effectively leveraging these open-source stealers to meet their specific requirements.

On October 25th, Cyble Research and Intelligence Labs (CRIL) came across a new open-source stealer named “Trap Stealer” through VirusTotal. Moreover, we have determined that the developer of this stealer has openly shared the complete source code on GitHub. The image below displays the GitHub page of the Trap Stealer developer, where the developer explicitly states that this stealer can capture victims’ data within a mere 6 seconds.

Figure 1- GitHub Page of the Trap Stealer Developer

Trap Stealer, a Python-based tool built through an open-source builder, encompasses various functionalities, ranging from bypassing security measures to pilfering user data and transmitting it to TAs. This stealer is designed for covertly extracting a wide range of sensitive information from the compromised system, encompassing cookies, browsing histories from all web browsers, Tokens from Discord applications, clipboard contents, crypto wallet data, WhatsApp files, and more.

Notably, the developer is continually enhancing the stealer’s code by introducing new features and capabilities. The below image displays the features included in Trap Stealer.

Figure 2 – Features included in Trap Stealer

The collected data is formatted and sent to the TA’s Discord webhook at specific time intervals. The image below demonstrates the view of collected information shared over Discord.

Figure 3 – Exfiltrated  Information Displayed in Discord

Furthermore, the stealer includes an optional crasher module, which attempts to initiate a system crash once the exfiltration is completed.

Building the Trap Stealer

The process of building this stealer is triggered when the Python script file “” is executed within the Trap Stealer setup folder. The image provided below displays the contents of the Trap Stealer setup folder.

Figure 4 – Files present in the Trap Stealer setup folder

The initial action taken by the builder is to create a directory named “Build” in the current working directory, copy a file named “” to the “Build” directory, and rename the copied file to “”. The primary code for the stealer resides within the “” file.

Next, the builder requests users to provide a Discord webhook URL. Subsequently, the builder examines the HTTP response status code for the supplied webhook URL. If the status code is 200 (Success) and the entered webhook URL includes either ‘’ or ‘,’ it proceeds with the building of the stealer. If the above criteria are not met, it displays an ‘Invalid Webhook’ message and continues to prompt users for a valid webhook URL until one is provided. The image below shows the builder prompting for a valid or functional webhook URL from the user.

Figure 5 – Builder Prompting for a Valid Webhook URL

This webhook will serve as a remote server for TAs to receive all the stolen data gathered by Trap Stealer from the compromised system.

Once the builder identifies a valid webhook URL, it then proceeds to the other options for constructing the stealer.

The image below shows all the preferences provided by the builder.

Figure 6 – Trap Stealer’s Builder console

Fake Webhook

The builder allows TAs to hide malicious content behind tools like Discord webhook spammer or tools intended to delete Discord webhook for a particular user. With this builder, TAs can host the Stealer executable on third-party websites without the need for additional tools to mask it. The figure below illustrates the compiled Stealer binary, which appears to function as a webhook spam tool by receiving user input. However, in the background, it secretly collects sensitive information from the victim’s computer.

Figure 7 – Trap Stealer Webhook Spamming Activity

If the user selects the delete option, the stealer requests the user to provide the targeted webhook URL for removal, as shown in the figure below.

Figure 8 – Trap Stealer deleting the Targeted Webhook

Fake Generator

This tool includes another deceptive module that enables TAs to camouflage their malicious code behind gift card code generators. This module simulates generating fake Discord gift card codes. The image below displays the fake generator module output.

Figure 9 – Stealer generates fake Discord gift codes


This module is designed to modify Discord’s core file, particularly the “index.js” file, with the aim of enabling unauthorized monitoring of a user’s actions and the stealthy retrieval of sensitive information from the compromised Discord account.


The objective of this module is to create a copy of the Trap Stealer with a random filename in a user-specific directory. Additionally, it creates a startup entry in the Windows Registry, ensuring that the stealer runs when the system starts up.


This module aims to identify the existence of debuggers or any analysis tools running on the system and also assess whether the system is a physical or virtual machine.


This module enforces a limitation on the frequency of the stealer’s actions, including sensitive file retrieval and data extraction, ensuring that they cannot occur more frequently than every 30 minutes. This approach is designed to reduce the risk of detection or disruption by security systems and monitoring tools.


This module is designed to remove the Trap Stealer executable from the system after it has completed its data theft operation.


This code is designed to modify system privileges and trigger a specific hard error intentionally, leading to a deliberate system crash.

Technical Analysis

Security Evasion Mechanisms

Upon executing the Trap Stealer, the initial action involves verifying whether the stealer is being monitored through a series of anti-debug checks. The table below outlines the various checks employed by the Trap Stealer, and if any of the below-mentioned checks are identified, the stealer will self-terminate.

ChecksMatching criteria
check_windowscheck for the presence of various debugging and analysis tools or applications by enumerating open windows
check_ipchecks the system’s external IP address matching to a list of blacklisted IP addresses
check_registrychecks for the presence of a specific registry key related to VMware
check_dlldetects the existence of DLLs associated with virtualization software, such as VMware or VirtualBox

Data Gathering Functionality

Following a series of checks to confirm the system environment, the stealer gathers a diverse range of information, including details about the system information, global information, and clipboard data. The image below shows the function responsible for acquiring these data from the victim’s system.

Figure 10 – Data gathering function code

The table below shows the various information captured from the above function.

system informationglobal informationClipboard
Operating SystemUsernameAll clipboard data
Node NameIP Address 
ProcessorPostal Code  
Home DirectoryProduct Name         
 Windows Key           
 Computer Name     
 Number of CPU Cores            
 GPU Information 
 Installed Antivirus 

Subsequently, the Stealer sends the gathered information to the TA’s webhook URL specified during the building of the stealer executable. The image below displays the transmitted data in the Discord channel.

Figure 11 – Compromised System information


To establish persistence, the stealer creates a copy of itself in a randomly selected directory path, such as “APPDATA” and “LOCALAPPDATA.” This copied file is given a random filename consisting of 8 lowercase letters, followed by a randomly chosen file extension. These extensions encompass a variety of types, including .dll, .png, .jpg, .ink, .url, .jar, .tmp, .db, .cfg, and .jpeg.

After copying the file to one of the previously mentioned locations, the stealer adds a Run entry to the Windows Registry, allowing the stealer file to run automatically when the user logs in. The image below shows the newly created Run entry within the Windows Registry.

Figure 12 – Run entry added in Windows registry

Passwords, Cookies, and Autofills

After establishing persistence in the system, the Trap Stealer collects stored passwords, cookies, and autofill items from the victim’s web browser’s profile folder and writes the extracted data to a separate file in “AppData\Local\Temp”.

The filenames for these files typically start with “wp,” such as “wpautofill.txt,” “wpcook.txt,” and “wppassw.txt.” Subsequently, the stealer sends this captured data along with the “.txt” files to the configured webhook URL. The image below shows the captured data being sent to a Discord channel, allowing the TAs to access the stolen information.

Figure 13 – Sensitive Browser Data Shared in Discord

Stealing Discord tokens from Browser paths

Next, the stealer proceeds to extract and send the user’s Discord Token. To accomplish this, it scans for files ending in “.ldb” or “.log” within the browser directories listed in the table below:

\AppData\Roaming\Opera Software\Opera GX Stable\Local Storage\leveldb
\AppData\Roaming\Opera Software\Opera Stable\Local Storage\leveldb
\AppData\Roaming\Opera Software\Opera Neon\User Data\Default\Local Storage\leveldb
\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
\AppData\Local\Google\Chrome SxS\User Data\Default\Local Storage\leveldb
\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
\AppData\Local\Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb
\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb

It then uses two regular expressions (regex) to search for potential Discord tokens from the identified “.ldb” or “.log” files.

  • The first regex (r”[\w-]{24}\.[\w-]{6}\.[\w-]{25,110}”) is designed to identify Discord user tokens.
  • The second regex (r”mfa\.[\w-]{80,95}”) matches strings corresponding to Discord multi-factor authentication (MFA) tokens.

The stolen tokens allow the stealer to access more details about the Discord user.

Stealing tokens from the Discord application folder

In addition to extracting Discord tokens from the web browsers, the stealer also retrieves tokens from the Discord desktop application folder. Initially, the stealer verifies the presence of a file named “Local State” within the directories mentioned below.

  • \AppData\Roaming\discord
  • \AppData\Roaming\Lightcord
  • \AppData\Roaming\Discordptb
  • \ AppData\Roaming\Discordcanary

If the “Local State” file is not found, it skips this module and moves on to other stealing modules. When the “Local State” file is found, it reads and extracts the master_key. This master_key will be used for further decryption.

Subsequently, the script attempts to locate files with file extensions “.log” or “.ldb” in the predefined locations mentioned below:

  • \AppData\Roaming\Discord\Local Storage\leveldb
  • \AppData\Roaming\Lightcord\Local Storage\leveldb
  • \AppData\Roaming\Discordptb\Local Storage\leveldb
  • \AppData\Roaming\Discordcanary\Local Storage\leveldb

Upon identification, the stealer proceeds to search within these files for a specific regex pattern. This regex pattern is designed to locate strings that contain “dQw4w9WgXcQ:”, resembling a Discord token. If a matching string is located, the stealer proceeds to decode it using the master_key obtained from the “Local State” file.

Once valid Discord tokens are successfully retrieved both from browsers and the Discord application, the stealer sends a GET request to the Discord API with the stolen token to retrieve additional user information. The below image shows the partial function code for retrieving user information using the stolen Discord token.

Figure 14 – Function to retrieve user information from Discord

Subsequently, the stealer creates a JSON payload (data) that encompasses user information such as username, bio, profile picture URL, badges, and additional data. This payload is then sent through the webhook URL, facilitating the attacker’s ability to access and examine user data.

Discord Injection

An alternative method to precisely harvest user data from Discord involves replacing the core component of the Discord application. To replace the core component of the Discord desktop application, the stealer scans the “appdata\local\discord” directory for specific conditions:

  • The presence of a file named “index.js”
  • A folder name containing a “discord_desktop_core-“.

If both criteria are met, the stealer replaces the “index.js” file with custom code downloaded from the developer’s GitHub page. The image below displays a portion of the altered “index.js” file.

Figure 15 – Modified Discord’s ‘index.js’ File

After replacing Discord’s core component, TAs gain access to a range of sensitive information from compromised user accounts. This information encompasses details such as passwords, email addresses, phone numbers, Nitro subscriptions, billing information, badges, hostnames, tokens, credit card numbers, credit card CVC, credit card expiration dates, and additional data. The acquired information is then sent to the attacker’s webhook URL.

Trap Stealer is designed to focus on various applications in order to gather sensitive data from the system. This process involves the creation of a directory path with predefined values and a subsequent check to verify its existence on the compromised system. If the directory path is not found, the module is skipped; however, if it exists, the stealer proceeds with the following operations.

  • Get the associated process name from the constructed directory path and terminate it.
  • Copies all the files, excluding any existing ZIP files from the identified directory.
  • The stealer then compresses these copied files into a ZIP archive.
  • This ZIP file is sent to the specified webhook URL.
  • Finally, the ZIP file is deleted from the original directory.

The table below provides information on the directory path, process name, and zip file name used to collect and transmit files to TAs.

Directory pathsprocess nameZip file name
\AppData\Local\Riot Games\Riot Client\
\AppData\Roaming\NationsGlory\Local Storage\
C:\Program Files (x86)\Steam\
\AppData\Roaming\atomic\Local Storage\leveldbAtomic
\AppData\Roaming\Telegram Desktop\
\AppData\Roaming\Opera Software\Opera Stable\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnopera.exeMetamask_Opera
\AppData\Local\Google\Chrome\User Data\Default\Local Extension
\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Local Extension Settings\
\AppData\Local\Yandex\YandexBrowser\User Data\HougaBouga\
\AppData\Local\Microsoft\Edge\User Data \Default\Local Extension Settings\

Stealing sensitive files from the compromised system

Once the stealer completes the transmission of application-related files to the attacker, it proceeds to steal files from the system based on keywords. 

The stealer searches for directories such as “Desktop,” “Downloads,” and “Documents” to locate text files containing predefined keywords (as listed below) in their filenames. When these files are identified, they are uploaded to a Discord channel via a webhook.

walletStorage passwordaccountblank accountproduction password
financy passwordseruced passwordaddresssecretbitcoin
giveemailadministrationapimanager administration
Administrating a FileCompleteapimanagerPassport
Social security    

Stealing Browser History

The stealer collects browsing history data from different web browsers (listed below), constructs it into a “” file, stores this file in the user’s temporary directory (%temp%), uploads it to Discord, and shares a formatted message containing a link to access this uploaded data.

Opera GXFirefox
Internet ExplorerSafari Technology Preview

The image below showcases the transferred ZIP file as it appears in TA’s Discord channel.

Figure 16 – Transmitted ZIP File in a Discord Channel

Stealing WhatsApp files

The act of stealing WhatsApp files from compromised systems isn’t a novel occurrence. However, it has recently become increasingly prevalent.

WhatsApp Desktop saves cached files and logs at the directory path `\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm`. This location allows users to access various data, including images and profile pictures, through the WhatsApp desktop application, even when the phone isn’t connected.

To obtain WhatsApp-related files, the stealer performs a recursive scan within a designated directory mentioned above. It seeks non-empty files, compiles them into a ZIP archive, and stores this ZIP file in the %temp% directory. Additionally, it provides a list of the collected files, up to a maximum of 10, which is sent to a webhook. If the number of files exceeds 100, the stealer indicates that there are too many to display.


Trap Stealer possesses the capability to perform a self-deletion process upon successfully exfiltrating the victim’s data, ensuring that no residual traces are left behind.


If the system crasher module is enabled during the building of the stealer, the stealer uses the Windows ntdll library function “NtRaiseHardError” to trigger a hard error. In this scenario, the error code 0xC0000006 corresponds to an invalid instruction error, and it is raised with a severity level of 6, often leading to a system crash.


As the landscape of digital theft evolves with new techniques and patterns, we are witnessing the unceasing innovation of stealers. They adapt and expand in parallel with the continuous creation of new applications and tools. A prominent exemplar of this evolution is the “Trap Stealer,” a Python-based tool showcasing an array of sophisticated features, particularly adept at extracting private information from platforms like Discord, WhatsApp, and other applications.

Considering that this stealer appears to be in the development phase, it’s highly likely that a forthcoming version will emerge, equipped with additional features designed to enhance stealth and target a wider range of applications. This highlights the dynamic and ever-evolving nature of cybersecurity threats, emphasizing the ongoing need for proactive measures to safeguard against them.


  • It’s strongly recommended to avoid acquiring software from online sources that lack credibility or proper verification.
  • Be cautious of potential traps set by TAs offering enticing tools like fake generators and spamming tools, as these can often lead to data theft.
  • To enhance security, it’s advisable to disable the automatic saving and storage of passwords by web browsers and opt for password managers.
  • Monitor the network communication, especially Discord API channels, to effectively block data exfiltration by this stealer.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.

MITRE ATT&CK® Techniques

Tactic TechniqueProcedure
Execution  (TA0002)User Execution (T1204)Manual execution required
Persistence (TA0003)Registry Run Keys /
Startup Folder (T1547.001)
The stealer adds run entry/Startup for persistence
Defense Evasion (TA0005)Virtualization/Sandbox Evasion (T1497)Performing Anti-VM/Anti-Debug technique
for evasion
Defense Evasion (TA0005)Deobfuscate/Decode Files or Information (T1112)Builder obfuscates the compiled stealer file
Defense Evasion (TA0005)File Deletion (T1107)Self-deletes itself after stealing activity completed
Credential Access (TA0006)OS Credential Dumping (T1003)Tries to harvest and steal browser information
Credential Access (TA0006)Steal Application Access Token (T1528)Steal Application Access Token
Credential Access (TA0006)Credentials from Web Browsers (T1555)Steals credentials from Web Browsers
Discovery (TA0007)System Information Discovery (T1082)The malware gathers system information through various methods
Collection (TA0009)Clipboard Data (T1115)Captures Clipboard data
Collection (TA0009)Data from the Local System
The malware collects sensitive data from
victim’s system.
Exfiltration(TA0010)Exfiltration Over Web Service (T1567)Uses discord webhook to exfiltrate data

Indicators Of Compromise

Indicators Indicator
ba070e0328f5e093f35210904d53d4aa54339fdc1a11a1c3f68adee3ca0ff125   d589723c86d2ddefe3119c506e83814739cfa54f  
Trap Stealer
31a274dfdbe93b117a5f62574bae009ad9bf6f4a66d5845b75e479547a608c6c   bcfbc009367231fd99ef0362a1e572aede015074  
Trap Stealer
883e4d2893f3131e9b97e45e1b10acb8be70f3d2751cf3e9e75d24aced473a58   ffe2bd374a8bb3f22a77798c3cb5d905e7aa6bf2  
Trap Stealer
3501ea51bad76648ee577cfbb0cac51d3672a292775396ee6c50605cd2937afe   4e20ed2ab2a713ede6e184476838a145dc28621c  
Trap Stealer

Scroll to Top