EditBot, a recently identified Python-based infostealer malware, has entered the threat landscape, as first reported by CRIL in December 2023. Primarily spreads through social media scams and utilizes a persistence mechanism which is a rare trait among infostealers. Initial observations indicate a focus on the retail industry, with recent victimology suggesting activity in Italy, Greece, and India.
EditBot employs open-source code-sharing platforms such as GitLab to fetch its Python-based stealer payload and utilizes startup folders for persistence. Once executed, the malware stealthily enumerates running processes and steals a myriad of information, including cookies and passwords from various web browsers. The stolen data is then compiled into a ZIP archive, named with the victim’s country code, IP address, and timestamp. In the end, EditBot employs a Telegram bot from which it exfiltrates the archive to threat actors.
Download the special advisory report.
