MicrosoftARMAssembler/StealerGo
StealerGo

StealerGo is a Remote Access Trojan (RAT) that receives its commands through Telegram's Bot API, sending and receiving messages via a bot.
It originally started as a simple stealer that exfiltrated the target's Exodus passphrase and Visual Studio projects to Dropbox.
I've expanded it from a simple stealer to a full Remote Access Tool that supports more Data Collection, Troll Effects and PC Corruption.

📑 Table of Contents
  1. What StealerGo Collects
  2. Remote Access
  3. Stealer Loader
  4. Setup Instructions
  5. Disclaimer

What StealerGo Collects

StealerGo gathers 6 distinct categories of data from the target machine to report.
Once collected, the information is compiled into a .txt report that is sent as an uploaded document.

Network

StealerGo collects the local and public IP addresses and queries the free ipwho.is API over HTTPS.
The API returns information about the public IP address such as:

  • GeoLocation (continent, country, region, city, postal code)
  • Connection details (ASN, ISP, organization, domain)
  • Timezone (ID, abbreviation, DST, offset, current time)
  • Proxy / VPN detection

It then enumerates all network adapters and records each adapter's details (name, MAC address, vendor, and so on).

Discord

StealerGo collects the Discord Token, Username, and Open DM Channels using the Discord Token.
We cache the Discord Token to later send messages and files through Discord's API.
Multiple Discord Tokens may exist – each is validated by sending HTTPS requests to Discord's API to check authorization and username.

Mullvad

StealerGo collects the Mullvad Account Number from disk and the Time Left via HTTPS requests.
To access the file that stores the account number, we terminate all Mullvad sessions – this releases file locks.
Note: This termination is noticeable to the target.

Browser

StealerGo collects Passwords, Credit Cards (including CVV), Cookies, and Search History using v20 Chrome decryption.
It targets Chrome, Brave, and Opera, terminating all browser sessions first to release the locks on their database files.
The search history includes how many times each webpage has been visited, and is displayed after all other data.
For passwords, it also displays:

  • Times Used
  • Last Used
  • Last Modified

Note: v20 decryption requires Administrator privileges (uses LSASS impersonation).

Exodus

StealerGo collects the Secret Passphrase, Password, Private Key, User ID, Wallets, and Currencies from Exodus.
We brute‑force the password in memory if the user has set one on the app.
If not, we search the disk by parsing passphrase.json for the password.
To obtain the Secret Passphrase (which allows access to the wallet from any device), we use the entropy from the decompressed seed and convert it to a mnemonic using a word array.

From unsafe-storage.json we also extract:

  • User ID and Anonymous ID
  • List of all currencies (e.g., BTC, ETH) that have market data or wallets
  • Wallet accounts (active account ID, account name, account type)

Visual Studio

StealerGo collects all Visual Studio solutions on all disks by searching for .vcxproj files.
When found, it zips the entire solution folder and sends it to the Telegram Bot group chat.
There is an unfinished infector that would apply a build event to each project – the build event downloads and runs a payload from Dropbox.

Remote Access

StealerGo communicates and sends data through our Telegram Bot by adding it to a group chat on Telegram.
When somebody connects to our RAT, the Telegram Bot will send a "connected" message with the Session ID and PC Name that are used for commands.

General Examples

All commands must be sent as a Telegram message to the bot.
Append @session_id or @username to the command.

  • Example: /send_screenshot@aBc12-XyZ78-v5
  • Example: /session@JohnDoe
  • Batch Commands:
    Separate multiple commands with a semicolon ;.
    Example: /session; /send_screenshot; /clipboard

  • Quoting arguments:
    Use double quotes for arguments that contain spaces.
    Example: /send_file "123456789" "C:\my file.txt" "optional message"

Command List

Command Description
/help Show this help message.
/exit Terminate the current session.
/session Show online status and uptime.
/startup Install into Windows startup (shortcut + registry).
/spread_usb Copy the bot to all removable drives (via WMI trigger).
/collect_data Collect Wi‑Fi, Discord, Mullvad, browser data.
/collect_sources Collect Visual Studio source codes.
/stop_sources Stop uploading collected sources.
/send_screenshot Capture and send a screenshot.
/send_webcam Capture a webcam frame.
/record_audio [seconds] Record microphone (default 10 seconds).
/lock_screen Lock the workstation.
/clipboard Get clipboard text.
/wallpaper <image_path> Set desktop wallpaper.
/freeze Block input and freeze the screen.
/unfreeze Restore input.
/send_message <channel_id> <message> Send a DM to a specific Discord channel ID.
/send_file <channel_id> <file_path> [message] Send a file to a specific Discord DM.
/send_file_all <file_path> [message] Send a file to all open Discord DMs.
/shutdown Shut down the PC (requires confirmation).
/restart Restart the PC (requires confirmation).
/bsod Trigger a Blue Screen of Death.
/run <cmd> Execute a shell command and return output.
/upload_file <path> Upload a file to Telegram.
/download <url> <dest> Download a file from a URL.
/browse <url> Open a URL in the default browser.
/messagebox <title>|<text> Show a popup message box.
/boot_bsod Configure the system to BSOD on every boot.
/overwrite_mbr Overwrite the Master Boot Record (destructive).
/delete_restore Delete all system restore points and shadow copies.
/disable_network Disable all network adapters.
/disable_usb Disable USB, keyboard, and mouse devices.
/overwrite_user_data Overwrite and delete user documents (destructive).
/corrupt_registry Corrupt critical registry keys.
/kill_critical Terminate critical system processes (CSRSS, LSASS, etc.).
/disk_fill Fill drive C: until less than 100 MB free.
/wipe <dir> Delete all files in a directory.
/corrupt Run all destructive actions listed above.
/random_sounds Play random system beeps.
/volume_max Set system volume to 100% and unmute.
/scramble_titles Randomly change window titles.
/rotate_screen Rotate the display every 5 seconds.
/window_teleport Randomly move windows around.
/disable_task_manager Disable Task Manager via registry.
/mouse_trails Enable mouse trails.
/no_mouse_trails Disable mouse trails.
/invert Invert screen colors (animation).
/shake Shake windows.
/cursor Jitter the mouse cursor.
/glitch Bytebeat glitch audio.
/blocky Bytebeat blocky audio.
/blur Apply screen blur effect.
/waves Apply wave distortion effect.
/sphere Display a rotating rainbow sphere.
/bitblt Start BitBlt corruption.
/train Screen tearing effect.
/icons Draw random system icons on the screen.
/texts Floating animated texts.
/radial Radial distortion effect.
/chaos Start all chaos effects simultaneously.
/whoa Start the Keanu Reeves "whoa" video loop (fetches random clip).
/stop_chaos Stop all chaos effects (including whoa loop).

Note: Destructive commands (/overwrite_mbr, /corrupt, /disk_fill, etc.) ask for a yes confirmation before execution.
Note about browser decryption: v20 decryption requires Administrator privileges – the bot will fail if not run as admin.

Stealer Loader

The Stealer Loader is a standalone executable that embeds the RAT stub (stealer-go.dll) as a byte array.

Key features:

  • Hides RAT execution as a normal crash – sandboxes stop execution after an unhandled exception.
  • Bypasses VirusTotal detection by avoiding suspicious process creation and network activity until after the crash handler runs.
  • Installs persistence so the RAT re‑runs on every startup.

Our execution method works well because sandboxes will not continue after an exception – they treat the crash as a benign application failure.

How the Loader Works

  1. Embedded Payload

    • The loader contains payload_bytes[] – a C‑style byte array of the compiled RAT.
    • It also embeds required DLLs (zlib1.dll, sqlite3.dll, libsodium.dll, libcurl.dll) as byte arrays.
  2. Startup (First Run)

    • Drops the RAT to %APPDATA%\Microsoft\systemhelper.exe and marks it as hidden.
    • Adds a registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run).
    • Creates a scheduled task that triggers the RAT at logon.
  3. Crash Handler

    • Installs an exception handler (crash_handler) that catches intentional crashes.
    • We trigger an exception on purpose (e.g., writing to an invalid address).
    • The crash handler then:
      • Drops the RAT from the embedded byte array.
      • Re‑applies persistence (registry + scheduled task).
      • Injects the RAT into a legitimate system process (InputSwitchToastHandler.exe) using manual mapping.
    • The original loader process exits, leaving only the injected RAT running inside a trusted process.
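The Remote Access and Loader sections above name a handful of host and network artifacts: the dropped binary at %APPDATA%\Microsoft\systemhelper.exe, the HKCU Run key and logon scheduled task that point at it, injection into InputSwitchToastHandler.exe, and outbound traffic to api.telegram.org (with the bot token embedded in the URL path) and ipwho.is. The following Python script is an added example written from a defender's side; it is not part of the StealerGo project. It parses a few constructed key=value event lines (a simplified shape, not real Sysmon or EDR output) and flags the indicators the README describes, then ranks hosts by how many distinct indicators fired. The `bot` URL token length check is an assumption based on the token format shown in the setup steps, and single low-confidence hits (a lone ipwho.is lookup, for example) are meant as hunting leads rather than alerts on their own.

```python
"""Detect the persistence and C2 artifacts described in the StealerGo README.

Added defender-side example; not part of the StealerGo project. Event lines are
constructed in a simplified key=value shape so the script runs offline.
"""
import re
from collections import defaultdict

# Indicators taken from the README. %APPDATA% resolves to
# C:\Users\<user>\AppData\Roaming, so the drop path is matched on its tail.
DROP_PATH_TAIL = r"\appdata\roaming\microsoft\systemhelper.exe"
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
INJECTION_HOST = "inputswitchtoasthandler.exe"   # process the RAT is mapped into
C2_HOST = "api.telegram.org"
GEOIP_HOST = "ipwho.is"
# Telegram bot API URLs carry the bot token in the path: /bot<digits>:<token>/
# Token length threshold (30+) is an assumption based on the README's sample token.
BOT_TOKEN_PATH = re.compile(r"/bot\d{8,10}:[A-Za-z0-9_-]{30,}/")

# Constructed sample telemetry: WS01 shows the README's chain, WS02 is benign.
SAMPLE_EVENTS = [
    'type=FileCreate host=WS01 image="C:\\Users\\alice\\Downloads\\loader.exe" target="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\systemhelper.exe"',
    'type=RegSetValue host=WS01 image="C:\\Users\\alice\\Downloads\\loader.exe" target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemHelper" details="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\systemhelper.exe"',
    'type=TaskCreate host=WS01 details="trigger=logon action=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\systemhelper.exe"',
    'type=NetConnect host=WS01 image="C:\\Windows\\System32\\InputSwitchToastHandler.exe" dest=api.telegram.org port=443',
    'type=NetConnect host=WS01 image="C:\\Windows\\System32\\InputSwitchToastHandler.exe" dest=ipwho.is port=443',
    'type=HttpRequest host=WS01 url="https://api.telegram.org/bot1234567890:ABCdefGHIjklmNOPqrstUVwxyzABCDEFGHIJK/sendDocument"',
    'type=NetConnect host=WS02 image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" dest=www.example.com port=443',
    'type=RegSetValue host=WS02 image="C:\\Program Files\\OneDrive\\OneDrive.exe" target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive" details="C:\\Program Files\\OneDrive\\OneDrive.exe /background"',
]


def parse_event(line: str) -> dict:
    """Split 'key=value key="quoted value"' into a dict with lowercase keys."""
    ev = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        ev[m.group(1).lower()] = m.group(3) if m.group(3) is not None else m.group(4)
    return ev


def detect(lines):
    """Return (findings, per_host): findings are (rule, host, line_no) tuples,
    per_host maps a host name to the set of distinct rules that fired on it."""
    findings = []
    per_host = defaultdict(set)
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        host = ev.get("host", "?")
        etype = ev.get("type", "")
        image = ev.get("image", "").lower()
        target = ev.get("target", "").lower()
        details = ev.get("details", "").lower()
        rule = None
        if etype == "FileCreate" and target.endswith(DROP_PATH_TAIL):
            rule = "drop_to_appdata_systemhelper"
        elif etype == "RegSetValue" and RUN_KEY in target and DROP_PATH_TAIL in details:
            rule = "run_key_points_to_dropped_exe"
        elif etype == "TaskCreate" and DROP_PATH_TAIL in details:
            rule = "logon_task_launches_dropped_exe"
        elif etype == "NetConnect":
            dest = ev.get("dest", "").lower()
            if dest == C2_HOST:
                # Any bot-API connection is a lead; from the injection target it is strong.
                rule = "telegram_bot_api_connection"
                if image.endswith(INJECTION_HOST):
                    rule = "telegram_c2_from_injection_target"
            elif dest == GEOIP_HOST:
                rule = "geoip_lookup"          # low confidence on its own
        elif etype == "HttpRequest" and BOT_TOKEN_PATH.search(ev.get("url", "")):
            rule = "bot_token_in_url"
        if rule:
            findings.append((rule, host, n))
            per_host[host].add(rule)
    return findings, per_host


def triage(per_host, threshold=2):
    """Hosts on which at least `threshold` distinct indicator rules fired."""
    return sorted(h for h, rules in per_host.items() if len(rules) >= threshold)


def run_sample():
    """Run detection over the constructed sample and return (findings, hosts)."""
    findings, per_host = detect(SAMPLE_EVENTS)
    return findings, triage(per_host)


if __name__ == "__main__":
    findings, hosts = run_sample()
    for rule, host, n in findings:
        print(f"line {n:2d} {host}: {rule}")
    print("hosts needing triage:", hosts)
```

Run it directly to see the six indicators fire on WS01 and nothing on WS02. In a real pipeline the `parse_event` function would be swapped for the telemetry source's own field names; the rule bodies only depend on the path tail, registry key, process name and hostnames that the README itself lists, so they transfer as-is.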

Setup Instructions

  1. Create a Telegram Bot

    • Talk to @BotFather on Telegram.
    • Use /newbot and follow the instructions.
    • Copy the bot token (e.g., 1234567890:ABCdefGHIjklmNOPqrstUVwxyz).
  2. Get Your Chat ID

    • Add your bot to a group (or send a message to it).
    • Visit https://api.telegram.org/bot<YOUR_TOKEN>/getUpdates and find the chatid field.
    • Copy that number (negative for groups, positive for your personal chat).
  3. Replace Chat ID and Bot Token

    • Replace the placeholder values for the Chat ID Here and Bot Token Here
    • Optionally, replace the Dropbox token in dropbox_token if you want to use Dropbox instead.
  4. Build Stub and Loader

    • Build the Project after replacing the placeholder values.
    • Convert the stub (stealer-go.dll) using HXD to a C‑style byte array and replace in Here .
    • Build the Loader after replacing the payload_bytes and optionally change the debug prints to disguise it as something else.

Disclaimer

This software is provided for educational and research purposes only.
The author is not responsible for any misuse or damage caused by this tool.
Use only on systems you own or have explicit permission to test.