Kpot, The info stealer

Kpot, an older information stealer just got a major update and is seen in the wild again. This time Kpot brings zero persistence (meaning its never written to your computer) and instead does all of its attacks in memory before leaving your computer completely. Removing the ability to detect it without Real-time protection.

How it works

Kpot is delivered mainly through malicious email attachments, when opened they request permission to “Enable Editing” and appear to be unreadable without clicking on it. This attack vector, however, provides the attacker with full access to the computer. After the attack vector is used Kpot gets to work extracting as much as it can. First, it sends a message to its C&C server and asks what it should do. The reply can include many possible commands that can be updated in time, at the time of this writing it includes the following.

Browsers (Chrome, Mozilla, Internet Explorer): cookies, passwords, Autofill data, and history are taken and sent back to the C&C server.

Crypto: various cryptocurrency files. This can reveal numerous information regarding credentials, emails, and wallets depending on what the software used stores on the computer.

Discord: A chat interface advertised mainly to gamers: chat history, and user information can be stolen from files on the computer.

Battlenet: A game portal for World of Warcraft, StarCraft, and Diablo among others. Information regarding accounts can be stolen this way leading to compromised accounts without further fail safes such as 2-factor authentication.

Screenshots: Kpot can take pictures of what you are currently doing. This could be done when it recognizes open bank windows or other compromising information that may not be stored on your computer but are visible on the screen.

Windows credentials: Kpot can steal your windows account information such as username and password.

Grabber: A more advanced version than Qulab uses, Kpot uses its grabber to find any files that may have information but are not connected to an application. An example would be “passwords.txt” on the computer. Note that it does not focus on the naming and instead goes for taking any files ending in certain letters, such as txt, pdf, and doc to name a few.

Delete: Kpot uses this command to delete itself from the computer and any other evidence it might have been there.

Who is affected?

One of the scary things about Kpot is that is very affordable on the dark web. Coming in at only $100 with support optional it no longer takes a master hacker to obtain an information stealer that they can then use in a variety of ways. These could be slipped into downloads from illegitimate sources or used in malspam campaigns.

Indicators of Compromise

What you can do


If you or someone you know is infected with Kpot malware download SUPERAntiSpyware Professional right now and get a 14 day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove Kpot from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal