The PolySwarm Blog


Jester Stealer

Mar 10, 2022 1:10:05 PM / by PolySwarm Tech Team

Cyble recently published research on Jester Stealer, an info stealer known to harvest login credentials, cookies, payment card details, and other information.

What is Jester Stealer?

Jester Stealer, written in .NET, was first seen on cybercrime forums in mid-2021. The threat actors behind Jester Stealer advertised it as having the following functionality:

  • Encrypted connection using the AES-CBC-256 algorithm
  • Servers located on the TOR network
  • Logs redirected to a Telegram bot
  • Log collection in memory without writing data to the disk

Anti-sandbox and anti-VM features were added later in an attempt to thwart reverse engineering.

Additionally, Jester Stealer collects information from the following:

  • Browsers (over 20 supported)
  • Email clients (Thunderbird, Outlook, FoxMail)
  • Messengers (Telegram, Discord, WhatsApp, Signal, Pidgin)
  • Cold crypto wallets
  • Browser crypto extensions
  • Password managers
  • VPN clients
  • FTP
  • Gaming software (Steam, Twitch, OBS)
  • System credentials

So far, Cyble has observed Jester Stealer undergoing seven updates, each attempting to extend the malware’s functionality. Jester Stealer can harvest the types of information noted above and send it as logs via TOR to a Telegram bot. Alternatively, the logs can be sent to AnonFiles. The threat actors selling Jester Stealer also provide a builder that produces custom malware binaries, which can be disguised behind a variety of benign-looking extensions, including txt, jar, ps1, bat, png, doc, xls, pdf, mp3, mp4, and ppt, to hide the .EXE.
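The builder's extension trick above is detectable on the endpoint: a file that carries one of those decoy extensions but whose first bytes are a PE image, or a name with a decoy extension stacked in front of an executable one, is worth flagging. The following is an added example (not code from the bulletin, Cyble, or PolySwarm); the decoy-extension list comes from the text, and the sample names and headers are constructed.

```python
import os
from typing import Iterator, Optional, Tuple

# Decoy extensions the Jester Stealer builder is reported to offer (list from the bulletin).
DECOY_EXTENSIONS = {"txt", "jar", "ps1", "bat", "png", "doc", "xls", "pdf", "mp3", "mp4", "ppt"}
# Extensions Windows will run directly when double-clicked.
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif"}
PE_MAGIC = b"MZ"  # DOS header signature every PE image, including .NET assemblies, starts with


def inspect(filename: str, header: bytes) -> Optional[str]:
    """Return a finding string if name and content together look like a disguised PE, else None."""
    parts = os.path.basename(filename).lower().split(".")
    exts = parts[1:]
    if not exts:
        return None
    last = exts[-1]
    is_pe = header.startswith(PE_MAGIC)
    # Case 1: the name claims a document/media type but the bytes are a PE image.
    if last in DECOY_EXTENSIONS and is_pe:
        return f"PE executable disguised as .{last}"
    # Case 2: stacked extensions such as report.pdf.exe (Explorer may hide the trailing .exe).
    if last in EXEC_EXTENSIONS and len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
        return f"double extension .{exts[-2]}.{last} hiding an executable"
    return None


def scan_directory(root: str) -> Iterator[Tuple[str, str]]:
    """Walk a tree, read each file's first bytes, and yield (path, finding) for suspicious files."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(8)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            finding = inspect(name, header)
            if finding:
                yield path, finding


if __name__ == "__main__":
    # Constructed samples: a PE behind a .pdf name, a genuine PDF, and a double-extension name.
    samples = [("invoice.pdf", b"MZ\x90\x00"), ("report.pdf", b"%PDF-1.7"), ("photo.png.exe", b"MZ")]
    for name, head in samples:
        print(name, "->", inspect(name, head))
```

`scan_directory` is the same check applied to a download or user-profile directory; the findings are a triage signal, not a verdict, since a legitimate installer may also be a PE.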

Cyble notes that initial access brokers can use Jester Stealer and other info stealers to harvest credentials and lay the groundwork for future attacks involving lateral movement or ransomware.


PolySwarm has multiple samples of Jester Stealer.

You can use the following CLI command to search for all Jester Stealer samples in our portal:

$ polyswarm link list -f JesterStealer

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.


Topics: Threat Bulletin, Jester Stealer, Stealer
