Listen to this Post
Introduction:
A newly uncovered information stealer called KuinaExtractor has been quietly evolving for over six months, transforming from a rough early build into a polished, stealthy threat targeting browsers, cryptocurrency wallets, and gaming credentials across multiple platforms. Written in Rust, this malware family demonstrates an unusually clear and deliberate development path — moving from Discord webhooks to Telegram-based exfiltration, expanding from a single UAC bypass to seven separate techniques, and ultimately rebranding as “k0to” with a laser focus on operational concealment. What makes KuinaExtractor particularly concerning is not just its technical sophistication, but the speed at which it has matured, posing a serious and growing threat to users and enterprises alike.
Learning Objectives:
- Understand the four-stage evolution of KuinaExtractor from December 2025 to its June 2026 rebrand as “k0to”
- Identify the malware’s core evasion techniques including Telegram exfiltration, multi-method UAC bypass, and sandbox detection
- Learn practical detection and mitigation strategies including EDR deployment, network monitoring, and privilege restriction
- Master forensic analysis techniques to identify KuinaExtractor indicators across Windows endpoints
- Implement defensive commands and configurations to harden systems against Rust-based infostealers
You Should Know:
1. The Four-Stage Evolution of a Rust-Based Infostealer
KuinaExtractor first appeared in December 2025 and has since undergone four distinct development stages, each adding new capabilities and deeper evasion techniques. The malware’s author appears to be a Vietnamese-speaking developer, with Vietnamese-language text found throughout the code — including debug output, system messages, and a “Thông tin hệ thống” (“System information”) header in the collected-data bundle. A command-and-control panel hosted in Vietnam and the targeting of the Vietnamese CocCoc browser further support this assessment, though researchers note these are supporting signals rather than firm proof.
December 2025 — First Build: The earliest builds were already capable, targeting Roblox cookies, Steam sessions, cryptocurrency wallets, and Discord tokens. They included a full Chrome v20 App-Bound-Encryption bypass that impersonates LSASS to recover the browser’s master encryption key. Exfiltration ran over Discord webhooks, and privilege escalation used a single `fodhelper/ms-settings` UAC bypass. GitHub served two roles: as a content-delivery host and, through GitHub Actions, as disposable VPS/RDP infrastructure — a role that remains active today.
January 2026 — The Rewrite: In early January, the stealer was rebuilt over a few days, adding substantial reconnaissance capabilities. Eight WMIC hardware queries, WiFi SSID enumeration, a Windows Credential Manager dump, victim IP geolocation, and a loop designed to disable Microsoft Defender all ran ahead of the main theft routine. Exfiltration moved from Discord webhooks to a Telegram bot, giving the operator more control and making traffic harder to flag. The single UAC bypass was replaced by a function-pointer table offering seven separate bypass techniques, providing redundancy if one path is blocked.
March 2026 — Production Hardening: By March, browser coverage had grown to approximately 40 applications including CocCoc, and the UAC bypass shifted to the SilentCleanup technique. The build gained broad VM and sandbox detection, improving its resistance to analysis. This variant is still observed today.
June 2026 — The “k0to” Rebrand: On 17 June, a build appeared under the new name “k0to,” removing the “Kuina” name from the binary and focusing on concealment rather than new capabilities. It uses a self-contained HTTP stack (reqwest over `hyper` and rustls) that ships its own CA roots and does not rely on the system TLS store. Strings are wrapped in 28-byte XOR encryption — including the Telegram C2 URL — and a sandbox check scans PowerShell window titles for analyst tools. The Telegram channel is now one-way: file upload only, with no command polling, further reducing network visibility.
2. Telegram Exfiltration: From Discord to Covert C2
The shift from Discord webhooks to Telegram bots represents a significant operational security improvement for the attacker. Discord webhooks are relatively easy to detect and block, whereas Telegram bot traffic blends with legitimate messaging application activity. The latest k0to variant takes this further by embedding a self-contained HTTP communication stack, using its own TLS certificate store, XOR-obfuscating Telegram C2 URLs, and implementing one-way Telegram-based data exfiltration to reduce network visibility.
Step-by-Step Guide to Detecting Telegram Exfiltration:
Step 1: Monitor Outbound Connections
Use Windows firewall or network monitoring tools to identify outbound connections to Telegram IP ranges. Telegram’s known IP ranges include `149.154.160.0/20` and 91.108.4.0/22. On Windows, you can use `netstat -ano | findstr ESTABLISHED` to identify active connections and cross-reference with known Telegram IPs.
Step 2: Analyze Network Traffic
Deploy a network monitoring solution to inspect traffic for unusual outbound POST requests to Telegram API endpoints (api.telegram.org/bot<TOKEN>/sendDocument). The following PowerShell command can help identify suspicious processes communicating with Telegram domains:
Get-1etTCPConnection -State Established | Where-Object {$<em>.RemoteAddress -like "149.154." -or $</em>.RemoteAddress -like "91.108."} | Select-Object LocalPort, RemoteAddress, OwningProcess | ForEach-Object {Get-Process -Id $_.OwningProcess}
Step 3: Implement EDR Rules
Configure Endpoint Detection and Response (EDR) solutions to alert on processes that:
– Make outbound HTTPS connections to Telegram API endpoints
– Use Telegram bot tokens in command-line arguments or environment variables
– Exhibit unusual file upload patterns to messaging platforms
- UAC Bypass Techniques: Seven Ways to Elevate Privileges
KuinaExtractor’s January rewrite replaced a single UAC bypass with a function-pointer table offering seven separate methods. This redundancy means the malware can try multiple privilege escalation paths if one is blocked. By March 2026, the UAC bypass shifted to the SilentCleanup technique.
The Seven UAC Bypass Methods (Based on Analysis):
- fodhelper/ms-settings — Exploits the Windows `fodhelper.exe` registry auto-elevation (December 2025 build)
- SilentCleanup — Abuses the `SilentCleanup` scheduled task that runs with elevated privileges (March 2026 onward)
- CMSTP — Uses the Connection Manager profile installer to execute code with elevated rights
- Event Viewer — Leverages the `eventvwr.exe` registry hijack
5. DiskCleanup — Exploits the `cleanmgr.exe` auto-elevation
- Windows Update — Abuses the Windows Update client’s auto-elevation
- WSReset — Uses the Windows Store reset utility for privilege escalation
Step-by-Step Guide to Detecting UAC Bypass Attempts:
Step 1: Monitor Registry Changes
The `fodhelper/ms-settings` bypass relies on registry modifications. Monitor the following registry keys for unauthorized changes:
Monitor for suspicious registry modifications reg query "HKCU\Software\Classes\ms-settings\shell\open\command" /ve reg query "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute
Step 2: Audit Scheduled Tasks
The SilentCleanup technique creates or modifies scheduled tasks. Use the following command to audit scheduled tasks:
schtasks /query /fo LIST /v | findstr /i "silentcleanup"
Step 3: Enable UAC Event Logging
Configure Windows to log UAC elevation requests. Enable auditing of privilege use in Group Policy: Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit Privilege Use.
Step 4: Deploy Detection Rules
Create SIEM rules that alert on:
- Unusual processes spawning from
fodhelper.exe,eventvwr.exe, or `cleanmgr.exe`
– Registry modifications to `HKCU\Software\Classes\` by non-administrative processes - Scheduled task creation with names resembling legitimate Windows tasks
4. Sandbox Detection and VM Evasion
KuinaExtractor includes sophisticated sandbox detection and virtual machine evasion capabilities. The latest build adds a sandbox check that scans PowerShell window titles for analyst tools. This allows the malware to remain dormant when executed in an analysis environment, evading automated detection systems.
Step-by-Step Guide to Understanding Sandbox Evasion:
Step 1: Identify Common Evasion Techniques
KuinaExtractor checks for:
- Virtual machine artifacts (VMware, VirtualBox, Hyper-V)
- Debugger presence
- Sandbox-specific environment variables
- PowerShell window titles containing analyst tool names (e.g., “Process Monitor”, “Wireshark”, “x64dbg”)
- System uptime (sandboxes often have low uptime)
- Mouse movement and user interaction patterns
Step 2: Implement Sandbox-Aware Detection
When analyzing suspicious samples, use sandboxes that can:
- Spoof VM artifacts to appear as physical hardware
- Simulate realistic user behavior (mouse movements, keyboard input)
- Maintain longer system uptime
- Hide analysis tool window titles
Step 3: Forensic Analysis Commands
To check for sandbox detection indicators on a compromised system:
Check for VM artifacts
systeminfo | findstr /i "vmware virtualbox hyper-v"
Check for debugger presence
Get-Process | Where-Object {$_.ProcessName -match "debug|windbg|x64dbg|olly"}
Check PowerShell window titles (what KuinaExtractor scans)
Get-Process -1ame powershell | ForEach-Object { (Get-Process -Id $_.Id).MainWindowTitle }
5. Data Theft Capabilities: Browsers, Wallets, and Credentials
KuinaExtractor targets an extensive range of applications. By March 2026, browser coverage had grown to approximately 40 applications, including the Vietnamese CocCoc browser. The malware steals browser cookies, Windows Credential Store data, cryptocurrency wallet files, Roblox and Steam sessions, Discord tokens, and other authentication artifacts.
Key Theft Mechanisms:
- Chrome App-Bound-Encryption Bypass: Impersonates LSASS to recover the browser’s master encryption key. Extended to ChaCha20-Poly1305 for newer Chrome versions
- Windows Credential Manager Dump: Extracts stored credentials using Windows API calls
- Cryptocurrency Wallets: Targets wallet files across multiple cryptocurrencies
- Gaming Platforms: Steals Roblox cookies, Steam sessions, and Discord tokens
Step-by-Step Guide to Identifying Data Theft:
Step 1: Monitor Browser Data Access
Configure EDR to alert on unauthorized access to browser profile directories:
Check for recent access to Chrome Local State (contains encryption keys) Get-ChildItem -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Local State" | Select-Object LastAccessTime, LastWriteTime Monitor for unusual file reads from browser profile folders Use Sysmon or Windows Audit policies to log file access events
Step 2: Detect Credential Manager Dumps
The malware uses `vaultcli.dll` to dump Windows Credential Manager. Monitor for:
Check for suspicious vaultcli.dll usage
Get-Process | Where-Object {$_.Modules.ModuleName -match "vaultcli"}
Monitor for cmdkey /list executions (often used in credential dumping)
Get-WinEvent -LogName Security | Where-Object {$_.Message -match "cmdkey"}
Step 3: Identify Exfiltration Patterns
Look for:
- Large outbound data transfers to Telegram API endpoints
- Batch file reads from browser, wallet, and credential directories
- Processes compressing stolen data into archives before exfiltration
6. Defense and Mitigation Strategies
Protecting against KuinaExtractor requires a multi-layered defense strategy that addresses its evasion techniques, privilege escalation methods, and exfiltration channels.
Step-by-Step Hardening Guide:
Step 1: Deploy Modern EDR Solutions
Deploy endpoint detection and response solutions capable of detecting Rust-based malware and behavioral anomalies. Ensure EDR agents are updated and configured to monitor for:
– UAC bypass attempts
– LSASS process impersonation
– Unusual outbound connections to Telegram infrastructure
– PowerShell window title scanning
Step 2: Restrict Administrative Privileges
Implement least-privilege access controls and monitor for suspicious UAC bypass attempts. Use Windows AppLocker or Windows Defender Application Control to restrict execution of untrusted binaries.
Step 3: Enable Multi-Factor Authentication
Enable MFA across all critical services to reduce the impact of stolen credentials. This is particularly important for email, VPN, and administrative access.
Step 4: Network Monitoring
Monitor outbound connections to unauthorized Telegram infrastructure and unusual network traffic. Implement network segmentation to limit lateral movement.
Step 5: Regular Endpoint Scanning
Regularly scan endpoints for credential theft activity, browser compromise, and unauthorized access to cryptocurrency wallet files.
Step 6: Keep Systems Updated
Keep Windows systems, browsers, and security software updated with the latest patches.
Linux Commands for Cross-Platform Defense (for dual-boot or Linux-based analysis environments):
Monitor network connections for suspicious outbound traffic sudo netstat -tunap | grep -E "149.154|91.108" Check for suspicious processes ps aux | grep -E "telegram|bot|exfil" Analyze suspicious files with ClamAV clamscan -r /path/to/suspicious/directory Monitor system calls for unusual behavior strace -p <PID> -e trace=network,file,process
7. Forensic Indicators and Hunting Queries
To proactively hunt for KuinaExtractor infections, security teams should look for specific indicators across Windows endpoints.
Key Indicators of Compromise (IOCs):
- Mutex Names: Shared mutex names including `KUINA_UAC_BYPASS_ATTEMPTED`
– Telegram Handles: Consistent set of Telegram contact handles tied to the alias “Kuina” (later replaced by “k0to”) - Build Paths: Build-host paths left inside binaries (e.g., `kuina` build user)
- Registry Modifications: Changes to `HKCU\Software\Classes\ms-settings\shell\open\command`
– File Artifacts: Files created in `%USERPROFILE%\Desktop\zenith_debug.txt` (from Zenith experiment)
Hunting Queries:
PowerShell Hunting Script:
Hunt for KuinaExtractor indicators
Write-Host "Checking for KuinaExtractor IOCs..." -ForegroundColor Yellow
Check for suspicious mutexes
Get-Mutex | Where-Object {$_.Name -match "KUINA"}
Check for Telegram-related processes
Get-Process | Where-Object {$_.ProcessName -match "telegram|bot"}
Check for Chrome Local State access
$chromeState = Get-ChildItem -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Local State" -ErrorAction SilentlyContinue
if ($chromeState) {
Write-Host "Chrome Local State found. Check for recent access." -ForegroundColor Red
}
Check for scheduled tasks related to SilentCleanup
schtasks /query /fo LIST | findstr /i "silentcleanup"
Check for Zenith debug file
if (Test-Path "$env:USERPROFILE\Desktop\zenith_debug.txt") {
Write-Host "Zenith debug file found! Potential KuinaExtractor infection." -ForegroundColor Red
}
Sysmon Configuration for Detection:
Deploy Sysmon with Event ID 1 (process creation), 7 (image loaded), and 11 (file creation) to capture detailed telemetry. Monitor for:
– Processes spawning from unusual locations (%TEMP%, %APPDATA%)
– LSASS process access attempts (Event ID 10)
– Registry modifications to auto-elevation keys
What Undercode Say:
- Key Takeaway 1: KuinaExtractor represents a new generation of infostealers that prioritize operational security and evasion over feature expansion. The shift from Discord to Telegram, the expansion to seven UAC bypass methods, and the June rebrand to “k0to” all signal a professional-grade threat actor focused on long-term persistence rather than quick wins.
-
Key Takeaway 2: The malware’s use of Rust, self-contained HTTP stacks, and custom TLS certificate stores demonstrates that modern infostealers are adopting techniques traditionally seen in advanced persistent threat (APT) groups. This trend makes detection significantly harder for traditional signature-based security tools.
Analysis:
The evolution of KuinaExtractor over six months provides a rare window into the development lifecycle of a modern infostealer. What stands out is not just the technical sophistication, but the deliberate, methodical approach to building a resilient, stealthy tool. The malware’s author clearly understands defensive security measures and has systematically engineered countermeasures to each layer of protection — from UAC to EDR to sandbox analysis.
The rebrand to “k0to” is particularly telling. Rather than adding new features, the June build focuses entirely on concealment: XOR-obfuscated strings, self-contained CA roots, and one-way Telegram exfiltration. This suggests the operator is preparing for a long-term campaign, possibly expanding targeting to enterprise environments where stealth is paramount.
For defenders, the key takeaway is that traditional security measures are no longer sufficient. Organizations must adopt behavioral detection, network monitoring for unauthorized Telegram traffic, and proactive threat hunting. The malware’s reliance on Telegram for exfiltration presents a unique detection opportunity — monitoring outbound connections to Telegram IP ranges and API endpoints can provide early warning of an infection.
Prediction:
- +1 KuinaExtractor’s evolution will likely inspire copycat malware families that adopt similar techniques — Telegram exfiltration, multi-method UAC bypass, and sandbox detection will become standard features in infostealer toolkits within the next 6-12 months.
-
-1 The rebrand to “k0to” and the focus on concealment indicate the operator is preparing for a major campaign expansion. We can expect to see increased targeting of enterprise environments, particularly in healthcare, finance, and critical infrastructure sectors.
-
-1 The malware’s use of self-contained HTTP stacks and custom TLS stores will make it increasingly difficult for network-based security controls to detect exfiltration traffic, requiring organizations to invest in advanced behavioral analytics and threat hunting capabilities.
-
+1 The detailed forensic indicators identified by ThreatRay — including mutex names, build paths, and Telegram handles — provide defenders with actionable intelligence that can be operationalized immediately through SIEM and EDR platforms.
-
-1 As the malware continues to evolve, we may see the introduction of additional evasion techniques such as process injection, rootkit capabilities, and anti-forensic measures that further complicate detection and response efforts.
-
+1 The cybersecurity community’s rapid identification and tracking of KuinaExtractor demonstrates the value of code similarity analysis and collaborative threat intelligence sharing in staying ahead of evolving threats.
▶️ Related Video (80% Match):
https://www.youtube.com/watch?v=-C-xrmfP7HU
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Dlross Kuinaextractor – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
