Titan Stealer: A new malware emerges

The Titan Stealer is the newest type of malware - it appeared in 2022 and is only on the rise. Here we give the history of the malware and how to avoid it.

12-04-2023 - 8 minute read. Posted in: malware.

In late 2022, a new type of malware appeared on the cybersecurity radar. It has been named Titan Stealer and is one of the most effective stealer malware to have emerged, designed to extract data such as user credentials, financial details, and personal information from browsers, crypto wallets, and cloud storage.

Introduction to Titan Stealer

Titan Stealer is a new type of malware that emerged in late 2022, considered one of the most effective stealer malware to have emerged. It is a type of malware that steals information from infected Windows machines, making it a significant threat to individuals and organizations. To learn more about how malware operates and spreads, you can read our guide on what is malware.

Significance of the threat

The significance of the Titan Stealer threat lies in its ability to steal sensitive information from infected machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files. This stolen data can be used for various malicious purposes, such as unauthorized access to accounts, financial loss, and identity theft. To learn more about how attackers exploit vulnerabilities for identity theft and data breaches, check out our article on how identity theft works.

Malware based on Golang

Before we delve into the new malware, we need to cover Golang, the programming language Titan Stealer is written in.

Golang, or Go, is an open-source programming language designed and developed by Google. It is supposed to be simpler and easier to use than existing programming languages.

The official name of the programming language is Go, but both names are used - Golang is implicitly linked to Go, and many know that it's Go when Golang is mentioned. Golang is basically a contraction of "Go" and "language". In addition, the original domain name of the Go website was "golang.org" - which also explains the use of both names.

The programming language was developed because coding at Google was becoming too complex. Therefore, they wanted to find a simpler language that would make the programmers' job easier.

It was developed by Robert Griesemer, Rob Pike and Ken Thompson from Google, all three of whom were unhappy with the programming language they were using - so it was appropriate to develop a new one.

Go was born in 2009, and was made an open system in 2012, when the first version, 1.0, was released. It was warmly received by users because of its simplicity.

It is used by companies like Google, Netflix, Twitch, Dropbox and many others. One of the reasons it has become so popular is that the program can multitask, meaning you can have multiple tasks going on at the same time.

Go is used for, among other things:

  • Programming

  • Game development

  • Cloud-based programming

Titan Stealers resurrected

The new malware first came to light on the messenger app Telegram. Telegram is a secured, encrypted and open-sourced app. Founded by Russian entrepreneur Pavel Durov in 2013, it is used all over the world (at the time of writing, Telegram has 550 million monthly users). Cybercriminals advertised Titan on Telegram because Telegram is encrypted and secure, so there is no risk of sharing personal information - actors use this to publish various newly found and newly created hacking methods.

This discovery is part of a broader, notorious Telegram malware campaign, which has been linked to various cybercrime activities, highlighting the growing concern within the cybersecurity community about such threats.

The new malware was first discovered in November 2022 by a cybersecurity researcher.

What is Titan Stealer and its impact on credential data?

Titan Stealer is a malware that can steal various sensitive data from infected Windows machines. This concerns information such as:

  • Credit information from browsers

  • Crypto wallets

  • FTP (File Transfer Protocol) information

  • Screenshots

  • System information

The challenge with Titan is that it allows malicious actors to customize what they want to use Titan for. This includes what information they want to steal and what damage they want to do to a victim’s machine and software.

When they activate Titan, it triggers a technique called process hollowing. In short, this technique removes some of the benign code in files and replaces it with malicious code that encrypts the files and compromises them.

As well as targeting files, Titan can also target web browsers. These are browsers such as:

  • Google Chrome

  • Mozilla Firefox

  • Microsoft Edge

  • Vivaldi

Some of the crypto wallets mentioned in connection with Titan attacks are:

  • Armory

  • Atomic

  • Bytecoin

  • Coinomi

  • Edge Wallet

  • Ethereum

In addition to the above features, Titan can also collect lists of installed apps on your devices - here it steals information associated with the Telegram desktop app.

If you’d like to learn more about malware techniques that hackers use to compromise systems, read our guide on what is phishing.

Malware Operation

How Titan Stealer functions

Titan Stealer is a Golang-based malware that employs process hollowing to inject its malicious payload into the memory of a legitimate process. This technique allows the malware to evade detection by security software and antivirus software. Once injected, the malware can steal various information from the infected machine, including:

  • Credential data from browsers and crypto wallets

  • FTP client details

  • Screenshots

  • System information

  • Grabbed files

The stolen data is then transmitted to a command and control server under the attacker’s control as a Base64-encoded archive file. The malware also comes with a web panel that enables adversaries to access the stolen data.
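Because the upload is a Base64-encoded archive, a defender who can see outbound request bodies (for example at a TLS-inspecting proxy) can look for long Base64 runs whose decoded first bytes are an archive signature. The following is an added example, not code from the original post or from any Titan analysis; the function names, the list of archive formats and the sample body are assumptions constructed for illustration.

```python
import base64
import binascii
import io
import re
import zipfile

# Leading magic bytes of common archive formats (assumed list; the article
# does not say which archive format the malware uses).
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b\x08": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}
# A Base64 run long enough to be a file rather than a short token.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def archive_type(b64_run):
    """Decode only the first 16 Base64 chars (12 bytes) and match magic bytes."""
    try:
        head = base64.b64decode(b64_run[:16], validate=True)
    except (binascii.Error, ValueError):
        return None
    for magic, name in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def find_encoded_archives(body):
    """Return (offset, encoded_length, type) per Base64-encoded archive in body."""
    runs = ((m.start(), m.group()) for m in B64_RUN.finditer(body))
    return [(off, len(run), archive_type(run)) for off, run in runs if archive_type(run)]


def constructed_upload():
    """Constructed sample: a small in-memory zip, Base64-encoded in a POST body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("sample/notes.txt", "constructed test data " * 20)
    return b'{"id":"constructed-host","data":"' + base64.b64encode(buf.getvalue()) + b'"}'


if __name__ == "__main__":
    print(find_encoded_archives(constructed_upload()))                # one zip hit
    print(find_encoded_archives(b"token=" + b"A" * 80 + b"&page=2"))  # []
```

URL-encoded bodies replace `+` and `/` with percent escapes, so decode the body first; legitimate software also uploads Base64 archives, so treat a hit as a signal to correlate with the sending process and destination.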

Where does the stolen information end up?

Once the hackers have collected stolen information and they have control over files and documents, they send it to a “base” called Base64. This base is encrypted and secured. In addition, the actors access the data in a panel on their browsers, which further prevents victims from accessing the stolen data.

Malware targets specific browser directories on a system, actively identifying and attacking installed browsers by accessing user data and configuration files to steal sensitive information.

The exact way in which they spread the malware is still unclear. However, one can imagine that the hackers are using known methods such as phishing, MFA bombing, and unstable software. In addition, it is believed that the malware is spread by typosquatting.

Experts believe that hackers are using Titan because it can operate between systems and platforms, so they can reside on multiple operating systems (e.g. Windows, macOS and Linux).

In addition, it also makes it harder for security systems to find the corrupt files that are installed with Titan Stealer. This is because the malicious files are so small that the security software has a harder time detecting them.

The motivation behind

When hackers use Titan Stealer, they are looking to steal personal data. This information can often be sold on the dark web, used for ransomware or blackmailing the victim.

The most common reason for hacking is financial gain. There are incredible sums of money involved when it comes to stolen personal data, including a victim's data on cryptocurrency.

Once a hacker has access to a victim's accounts, they can further exploit the fact that they can impersonate another person. When the hacker commits identity theft, they can target more people and make more money.

That's why you should be a little more vigilant when you receive emails and phone calls - the likelihood that a hacker is on the other end is higher than you might think.

If you’re looking to understand more about the dark web, explore our guide.

Avoid Titan Stealer and protect FTP client details

One of the most important things you can do to avoid being hit by the Titan malware is to have good cybersecurity. By refreshing the cyber security in the company with awareness training, you train employees to spot phishing, but also in general to be more attentive online.

Avoid downloading files and programs that are unnecessary. Be aware that pirated software can serve as a conduit for malware propagation, allowing threat actors to target unsuspecting users who download or install compromised applications. You can also keep an eye on whether it comes from a legitimate source - and here you have to look twice to be sure.

This post has been updated on 22-01-2025 by Sarah Krarup.

Author Sarah Krarup

Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
