KuinaExtractor Uses Telegram Exfiltration, UAC Bypass, and Sandbox Detection for Stealth

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A newly uncovered infostealer called KuinaExtractor has been quietly evolving for over six months, posing a serious and growing threat to users across multiple platforms.

Written in the Rust programming language, the malware targets browser data, cryptocurrency wallets, and credentials for popular services including Roblox, Steam, and Discord.

What makes this threat particularly concerning is how rapidly it has matured, moving from a rough early build to a polished, stealthy tool in a matter of months.

KuinaExtractor first appeared in December 2025 and has since gone through four distinct development stages, each adding new capabilities and deeper evasion techniques.

The malware’s author appears to be a Vietnamese-speaking developer, with Vietnamese-language text found throughout the code, including debug output and system messages.

A command-and-control panel hosted in Vietnam and the targeting of the Vietnamese CocCoc browser further support this assessment, though researchers note these are supporting signals rather than firm proof.

Analysts at ThreatRay identified and tracked KuinaExtractor across six months by comparing code similarities at the function level, allowing them to link dozens of samples into a single malware family.

According to the ThreatRay report shared with Cyber Security News (CSN), the same markers appeared repeatedly across builds, including shared mutex names, build-host paths left inside binaries, and a consistent set of Telegram contact handles tied to the alias “Kuina,” which was later replaced by “k0to.”

The malware’s development path is unusually clear and deliberate. The earliest builds already included a Chrome App-Bound-Encryption bypass that impersonated a core Windows process to recover the browser’s master encryption key.

Exfiltration in those early versions ran through Discord webhooks, and GitHub was used both as a delivery host and as disposable remote infrastructure through GitHub Actions. GitHub still serves that infrastructure role today.

Six months of development (Source: ThreatRay)

By June 2026, the developer had rebranded the project under the name “k0to,” shifting focus from adding new features to hiding existing ones.

The latest build wraps its strings in 28-byte XOR encryption, ships its own certificate roots instead of relying on the system’s trusted store, and adds a sandbox check that scans PowerShell window titles for analyst tools.

These changes signal a clear move toward long-term stealth over rapid feature growth.

KuinaExtractor Uses Telegram Exfiltration, UAC Bypass, and Sandbox Detection

When KuinaExtractor was rebuilt in January 2026, exfiltration moved from Discord webhooks to a Telegram bot, giving the operator more control and making the traffic harder to flag.

At the same time, the single UAC bypass from the first build was replaced by a function-pointer table offering seven separate bypass techniques. This redundancy means the malware can try multiple privilege escalation paths if one is blocked.

The January rewrite also added extensive reconnaissance before any data theft began. Eight hardware queries using WMIC, WiFi network enumeration, a Windows Credential Manager dump, and victim IP geolocation all ran ahead of the main theft routine.

The malware also included a loop designed to disable Microsoft Defender. By March 2026, browser coverage had grown to around 40 applications, and the UAC bypass shifted to the SilentCleanup technique.
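The reconnaissance burst described above (eight WMIC hardware queries fired before any theft) is a behavioural signal defenders can hunt for independently of hashes. The following is an added example, not code from the article or the ThreatRay report; the process-creation records, the 60-second window and the threshold of five distinct queries are all constructed assumptions, not values from the report.

```python
"""Detect a burst of distinct wmic queries from one parent process.

Added example, not code from the ThreatRay report: the log format is a
constructed, EDR-style process-creation record (host, ISO timestamp,
parent PID, command line). The rule flags a parent process that launches
at least THRESHOLD distinct wmic queries inside WINDOW seconds."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
THRESHOLD = 5  # tunable; an assumption, not a value from the report

# Constructed sample events: (host, timestamp, parent_pid, command_line)
EVENTS = [
    ("ws01", "2026-01-15T10:00:01", 4120, "wmic csproduct get uuid"),
    ("ws01", "2026-01-15T10:00:02", 4120, "wmic cpu get name"),
    ("ws01", "2026-01-15T10:00:02", 4120, "wmic baseboard get product"),
    ("ws01", "2026-01-15T10:00:03", 4120, "wmic diskdrive get model"),
    ("ws01", "2026-01-15T10:00:03", 4120, "wmic bios get serialnumber"),
    ("ws01", "2026-01-15T10:00:04", 4120, "wmic path win32_videocontroller get name"),
    ("ws02", "2026-01-15T10:05:00", 880, "wmic os get caption"),  # lone admin query
    ("ws02", "2026-01-15T11:30:00", 880, "wmic cpu get name"),    # far outside window
]

def wmic_query_key(cmdline):
    """Return a normalised query string if this is a wmic call, else None."""
    parts = cmdline.lower().split()
    if not parts or parts[0] not in ("wmic", "wmic.exe"):
        return None
    return " ".join(parts[1:])

def detect_wmic_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {(host, parent_pid): distinct_query_count} for parents over threshold."""
    by_parent = defaultdict(list)
    for host, ts, ppid, cmd in events:
        key = wmic_query_key(cmd)
        if key is not None:
            by_parent[(host, ppid)].append((datetime.fromisoformat(ts), key))
    hits = {}
    for parent, items in by_parent.items():
        items.sort()  # sliding window needs chronological order
        for i, (t0, _) in enumerate(items):
            seen = {k for t, k in items[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                hits[parent] = max(len(seen), hits.get(parent, 0))
    return hits

if __name__ == "__main__":
    print(detect_wmic_bursts(EVENTS))  # {('ws01', 4120): 6}
```

Legitimate administration tends to issue one or two wmic queries at a time; tune the threshold against your own baseline before alerting on it.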

Parallel Experiments and Abandoned Projects

While developing the main stealer, the same operator ran two side projects that were later dropped. The first, KuinaCookieExtractor, targeted platforms including Minecraft, FileZilla, and Telegram session data, exfiltrating over Discord rather than Telegram.

It was visible for roughly two weeks. A second experiment, “Zenith,” appeared briefly with a debug build that left detailed logs on the victim’s desktop and a control panel at a Vietnamese IP address, before being abandoned.

These experiments show an operator who tests ideas actively, then discards what does not fit the main plan. The consistent reuse of code markers, build usernames, and Telegram handles across all projects ties every experiment back to the same individual.

Security teams monitoring this family should treat any sample carrying these shared markers as part of the same threat actor’s activity, regardless of the name displayed in the binary.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| IP Address | 103.229.53[.]18:3000 | “Zenith Stealer” C2 panel hosted on Vietnamese AS135918 (Viet Digital Technology) |
| File Path | %USERPROFILE%\Desktop\zenith_debug.txt | Debug log file written by the Zenith experiment debug build |
| Mutex Name | Kuina_Intel(R) 82574L Gigabit Network Connection | Mutex used by the Zenith debug build, disguised as a network adapter name |
| Build Alias / Handle | kuina1999 | Operator handle found across multiple builds and experiments |
| Build Alias / Handle | k0to | New alias used in the June 2026 rebrand of KuinaExtractor |
| Sentinel Value | KUNA_UAC_BYPASS_ATTEMPTED | Custom sentinel used in KuinaCookieExtractor builds |
| IOC Repository | https://github.com/threatray/threat-research/tree/main/2026-06-25-KuinaExtractor | Full IOCs and YARA rules published by ThreatRay |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
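One way to put the table above to work while honouring the defanging note: keep the indicators defanged at rest and re-fang only at match time. This is an added example, not code from the article or ThreatRay; the indicator values are those listed above, while the telemetry records, the event schema and the `victim` profile name are constructed.

```python
"""Match the published KuinaExtractor / Zenith indicators against telemetry.

Added example, not code from ThreatRay or the article. Indicator values are
taken from the table above and stored defanged; refang() is applied only at
match time, inside this tooling. The telemetry records are constructed."""

IOCS = {
    "zenith_c2": ("netconn", "103.229.53[.]18:3000"),
    "zenith_debug_log": ("file", r"%USERPROFILE%\Desktop\zenith_debug.txt"),
    "zenith_mutex": ("mutex", "Kuina_Intel(R) 82574L Gigabit Network Connection"),
    "cookie_extractor_sentinel": ("string", "KUNA_UAC_BYPASS_ATTEMPTED"),
}

def refang(ioc):
    """Undo the [.] / hxxp defanging used in published indicator lists."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def expand_path(path, user):
    """Resolve %USERPROFILE% to a concrete profile directory, lower-cased for matching."""
    return path.replace("%USERPROFILE%", "C:\\Users\\" + user).lower()

def match_events(events, user="victim"):
    """Return (ioc_name, event_index) pairs for every indicator that hits."""
    hits = []
    for idx, ev in enumerate(events):
        for name, (kind, value) in IOCS.items():
            if kind != ev["type"]:
                continue
            if kind == "file" and ev["value"].lower() == expand_path(value, user):
                hits.append((name, idx))
            elif kind == "netconn" and ev["value"] == refang(value):
                hits.append((name, idx))
            elif kind in ("mutex", "string") and value in ev["value"]:
                hits.append((name, idx))  # substring: mutex paths carry a prefix
    return hits

# Constructed sample telemetry (not from a real incident); "string" events
# stand for hits from a strings dump or memory scan of a suspect binary.
SAMPLE_EVENTS = [
    {"type": "netconn", "value": "103.229.53.18:3000"},
    {"type": "file", "value": r"C:\Users\victim\Desktop\zenith_debug.txt"},
    {"type": "mutex", "value": r"\Sessions\1\BaseNamedObjects\Kuina_Intel(R) 82574L Gigabit Network Connection"},
    {"type": "netconn", "value": "8.8.8.8:53"},  # benign control
]

if __name__ == "__main__":
    print(match_events(SAMPLE_EVENTS))
```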


The post KuinaExtractor Uses Telegram Exfiltration, UAC Bypass, and Sandbox Detection for Stealth appeared first on Cyber Security News.