
A new malware variant, dubbed Hannibal Stealer, has emerged as a cracked and rebranded version of the Sharp and TX stealers, originally developed by the reverse engineering group llcppc_reverse. This C#/.NET-based malware targets browsers, cryptocurrency wallets, FTP clients, and other sensitive applications, posing a significant threat to organizations and individuals alike [1].
Overview of Hannibal Stealer
Hannibal Stealer is designed to extract credentials, session tokens, and financial data from compromised systems. It primarily targets Chromium and Gecko-based browsers, including Chrome and Firefox, bypassing protections such as Chrome Cookie V20 [2]. Additionally, it harvests data from cryptocurrency wallets like MetaMask and Exodus, FTP clients such as FileZilla, and other applications like Discord and Telegram. The malware also includes a clipboard hijacking feature to redirect cryptocurrency transactions.
The malware is distributed via dark web forums, with subscription plans ranging from $150 per month to $650 for seven months. Installation services are also offered, with prices scaling based on the number of infected systems [3].
Technical Analysis
Hannibal Stealer employs several evasion techniques, including geofencing to avoid execution in Russia and Belarus, likely to evade legal repercussions. It uses a custom Django-based control panel for data exfiltration and prioritizes high-value targets such as Binance and PayPal credentials [4].
The malware leverages MITRE ATT&CK techniques such as T1055 (Process Injection), T1003 (Credential Dumping), and T1041 (Exfiltration over C2). Below is a table of known Indicators of Compromise (IOCs):
Type | Indicator | Remarks
---|---|---
SHA256 | f69330c83662ef3dd691f730cc05d9c4439666ef... | CefSharp.BrowsersSubprocess.exe
URL | hXXp://45.61.151[.]60/login/ | Control Panel
Domain | www[.]hannibal[.]dev | C2 Server
Mitigation and Detection
Organizations can mitigate the risk of Hannibal Stealer by implementing the following measures:
- Blocklisting the IOCs above in network monitoring tools.
- Deploying EDR solutions to detect credential theft.
- Auditing sensitive directories such as %AppData% and browser profiles.
Recent updates suggest that Hannibal Stealer is actively expanding its infrastructure, with endorsements from hacktivist groups on Telegram. The malware shares marketing patterns with its predecessors, Sharp and TX stealers, indicating minimal innovation beyond rebranding [5].
Conclusion
Hannibal Stealer represents a persistent threat due to its broad targeting of sensitive applications and evasion techniques. Organizations should remain vigilant by monitoring for IOCs and implementing robust security measures. Further research is needed to track its evolving infrastructure and potential connections to other malware campaigns.
References
- “Hannibal Stealer: Cracked Variant of Sharp and TX Malware Targets Browsers, Wallets, and FTP Clients,” GBHackers, 2025.
- “Hannibal Stealer: A Rebranded Threat Born from Sharp and TX Lineage,” CYFIRMA, 2025.
- RST Cloud, Twitter, 2025.
- Reza Abasi, LinkedIn, 2025.
- “New Malware Campaign Uses Cracked Software,” The Hacker News, 2025.