A new Python-based infostealer called CharlieKirk Grabber has been identified targeting Windows systems, with a focused goal of stealing stored login credentials, browser cookies, and session data. <\/p>\n
The malware is built to work as a \u201csmash-and-grab\u201d threat \u2014 it launches quickly, collects whatever sensitive data it can find, and disappears before the user notices anything unusual.<\/p>\n
The malware arrives as a Windows executable, packaged through a tool called PyInstaller, which bundles all its Python code into a single self-contained file that runs without requiring Python to be installed on the target machine. <\/p>\n
It borrows its name and political imagery from Turning Point USA to exploit social engineering. The malware is typically delivered through phishing emails, cracked software packages, game cheat downloads, or social media-based lures.<\/p>\n
Cyfirma researchers identified the malware<\/a> and noted that it uses a builder-style structure, which makes it modular. <\/p>\n This means that whoever operates it can freely configure the command-and-control (C2) settings \u2014 such as a Discord webhook or a Telegram bot \u2014 and switch specific collection modules on or off before deploying the final executable.<\/p>\n Once active on a system, CharlieKirk Grabber profiles the host by collecting the username, hostname, hardware UUID, and the external IP address<\/a>. <\/p>\n It forcibly kills running browser processes using the Windows TASKKILL tool, unlocking access to saved password databases. <\/p>\n The stolen data \u2014 covering passwords, cookies, autofill entries, browsing history, and Wi-Fi credentials \u2014 is then bundled into a ZIP archive and uploaded to the GoFile file-hosting platform. <\/p>\n A download link is immediately sent to the attacker over HTTPS through either a Discord webhook<\/a> or a Telegram bot, keeping all communications encrypted.<\/p>\n What makes this stealer particularly difficult to detect is its heavy use of legitimate Windows tools that are already part of every installation. <\/p>\n Instead of deploying suspicious third-party files, the malware uses NETSH.EXE to retrieve saved Wi-Fi passwords, SYSTEMINFO.EXE to map hardware and OS details, and PowerShell to silently add itself to Microsoft Defender\u2019s exclusion list. <\/p>\n This method, known as \u201cliving off the land,\u201d lets malicious actions blend in with normal administrative behavior, helping it avoid signature-based detection.<\/p>\n Organizations should enforce Multi-Factor Authentication<\/a> across all critical services and restrict browser-based password storage through enterprise policy. <\/p>\n Security teams should monitor for unusual browser process<\/a> termination events, outbound HTTPS traffic to Discord, Telegram, or GoFile, and any PowerShell activity in user-writable directories. <\/p>\n Execution from temporary paths such as\u00a0 Indicators of Compromise (IOC):-<\/p>\n MITRE ATT&CK Mapping:-<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post CharlieKirk Grabber Stealer Attacking Windows Systems to Exfiltrate Login Credentials<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"CharlieKirk](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhjjhFQHry6JtF14KV3veAVsiVr28ZBPqlTomItcVoxTswrCyryPSHFqZ_3huvc9ZPD_dOR0-JAX773hottgF6Cb7_pPzcySHahm0G1f40Qtm4qmdt5hjhRHzzkUOgojJtfXtNg9LLo4wh4pJWteGEg8bYnVEimQVU0uaW7n86zHOjZK2p9oU99UT5ylPY\/s16000\/CharlieKirk%2520Grabber%2520Stealer%2520%28Source%2520-%2520Cyfirma%29.webp?ssl=1\")
Living Off the Land: How CharlieKirk Stays Hidden<\/strong><\/h2>\n
![\"UAC](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjmgxWtkTjMTkHbC539zBCjHJMMu9QKqh8dLiDIgggp4ur4HDNbZ0rzag2IEGcgg9Y2OijCxwqZHSRp9AH1fJgMOzx1u8YnbTElOUv8SPhUdhkivTw-gTJx4vowKJt6hYqSRBK7qLDp4QWnGaBC76bI2guWnGG0OwZmWU0ha1AgJa8bwPaAVtJd1714JEk\/s16000\/UAC%2520elevation%2520attempt%2520%28Source%2520-%2520Cyfirma%29.webp?ssl=1\")
![\"Discord](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjzm_T472qdmmEv4xLaH2Fjfm3YOLTrI1yX7uwJVvQCSdqO7AKjAPicRY9zYxsgm7ll2PslU6v_0Xb641FhDpOzMuCs70MM6SdzADfbUljCNXItabSLdR51QqnTPEUUX_EdWwpFF3KVjgrW0MEM9IzG4Au9H3Mn2B7uXMZwQNjwE6JvDiQn4_9i8YTBHIE\/s16000\/Discord%2520Token%2520Theft%2520and%2520Account%2520Validation%2520%28Source%2520-%2520Cyfirma%29.webp?ssl=1\")
![\"Credential](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj8yCAd1oShyfp-DUt1CKsz_crt5gZJMwlQEeipuDhC91lH3rZBv3rghbH0tYzIQunWLJJyjyax6dtWWgwdhSnQAWvjq1uYH6uzUChEHBgMIkrt2PPm3403NYS_ystYiDeGyc02FZ4SVt6rq75feeCjSE7pKG917QyICHCf9rvcE-AJFRrtZFvV3tdnwrM\/s16000\/Credential%2520and%2520File%2520Extraction%2520Activity%2520%28Source%2520-%2520Cyfirma%29.webp?ssl=1\")
%TEMP%<\/code>\u00a0and\u00a0%APPDATA%<\/code>\u00a0should be blocked using AppLocker or Windows Defender Application Control (WDAC).<\/p>\n\n\n
\n \nIndicator Type<\/th>\n Value<\/th>\n<\/tr>\n<\/thead>\n \n File Name<\/td>\n CharlieKirk.exe<\/td>\n<\/tr>\n \n File Size<\/td>\n 19.58 MB<\/td>\n<\/tr>\n \n File Type<\/td>\n Executable (PE32)<\/td>\n<\/tr>\n \n MD5<\/td>\n 598adf7491ff46f6b88d83841609b5cc<\/code><\/td>\n<\/tr>\n\n SHA-256<\/td>\n f56afcdfd07386ecc127aa237c1a045332e4cc5822a9bcc77994d8882f074dd1<\/code><\/td>\n<\/tr>\n\n First Seen in Wild<\/td>\n February 2026<\/td>\n<\/tr>\n \n C2 Channel<\/td>\n Discord Webhook \/ Telegram Bot API<\/td>\n<\/tr>\n \n Exfiltration Platform<\/td>\n gofile.io<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n \n\n
\n \nTactic<\/th>\n Technique ID<\/th>\n Technique<\/th>\n<\/tr>\n<\/thead>\n \n Discovery<\/td>\n T1082<\/td>\n System Information Discovery<\/td>\n<\/tr>\n \n Discovery<\/td>\n T1033<\/td>\n System Owner\/User Discovery<\/td>\n<\/tr>\n \n Credential Access<\/td>\n T1555.003<\/td>\n Credentials from Password Stores (Web Browsers)<\/td>\n<\/tr>\n \n Credential Access<\/td>\n T1552.001<\/td>\n Unsecured Credentials: Credentials in Files<\/td>\n<\/tr>\n \n Collection<\/td>\n T1560<\/td>\n Archive Collected Data<\/td>\n<\/tr>\n \n Defense Evasion<\/td>\n T1202<\/td>\n Indirect Command Execution (LOLBins)<\/td>\n<\/tr>\n \n Defense Evasion<\/td>\n T1562.001<\/td>\n Impair Defenses: Disable or Modify Security Tools<\/td>\n<\/tr>\n \n Persistence<\/td>\n T1053.005<\/td>\n Scheduled Task\/Job: Scheduled Task<\/td>\n<\/tr>\n \n Privilege Escalation (Conditional)<\/td>\n T1548.002<\/td>\n Abuse Elevation Control Mechanism (UAC)<\/td>\n<\/tr>\n \n Exfiltration<\/td>\n T1041<\/td>\n Exfiltration Over C2 Channel<\/td>\n<\/tr>\n \n Exfiltration<\/td>\n T1567.002<\/td>\n Exfiltration to Cloud Storage<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n