The NoMercy Stealer malware is designed specifically to harvest various sensitive data from devices that have already been breached. The attackers can deploy the threat and use it to spy on their victims by taking over the camera and microphone. The hackers can activate them at certain intervals or make continuous recordings. NoMercy determines the current keyboard layout of the system and then activates keylogging routines that capture every key press. The threat can also take arbitrary screenshots.
However, when the NoMercy Stealer is first executed on a device, it starts its invasive actions by collecting numerous device details: hardware components, OS, network, installed applications, currently active processes, and whether any anti-malware and security solutions are present on the system. Afterward, the threat can be instructed to extract data from several VPNs, including NordVPN, ProtonVPN and OpenVPN.
The attackers can also use the threat's clipper functionality to redirect cryptocurrency payments. NoMercy is capable of detecting the wallet addresses involved in transactions with Bitcoin, Bitcoin Cash, Ethereum, Ripple, Stellar and Monero and substituting them with other addresses. It should be noted that the NoMercy Stealer is still under active development and could be updated with an even more expansive set of invasive features and functionalities in the future.
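The clipper behaviour described above leaves a recognisable trace in a clipboard-change log: an address is copied and, moments later, replaced by a different address of the same coin. The following added example (not code from the malware or from this article) flags that pattern. The address regexes are approximate format checks without checksum validation, the function names and the two-second window are assumptions, and the sample events are constructed strings, not real wallets.

```python
import re

# Approximate address shapes for the coins the article lists (format only).
PATTERNS = {
    "Bitcoin": re.compile(r"(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})"),
    "Bitcoin Cash": re.compile(r"(?:bitcoincash:)?[qp][02-9ac-hj-np-z]{41}"),
    "Ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "Ripple": re.compile(r"r[1-9A-HJ-NP-Za-km-z]{24,34}"),
    "Stellar": re.compile(r"G[A-Z2-7]{55}"),
    "Monero": re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}"),
}

def classify(text):
    """Return the coin whose address shape the whole string matches, else None."""
    text = text.strip()
    for coin, pattern in PATTERNS.items():
        if pattern.fullmatch(text):
            return coin
    return None

def find_substitutions(events, window=2.0):
    """events: (timestamp_seconds, clipboard_text) pairs in time order.
    Flag an address replaced by a different address of the same coin
    within `window` seconds, which a user retyping would rarely produce."""
    alerts = []
    for (t0, old), (t1, new) in zip(events, events[1:]):
        coin = classify(old)
        same_coin = coin is not None and coin == classify(new)
        if same_coin and old.strip() != new.strip() and t1 - t0 <= window:
            alerts.append({"coin": coin, "copied": old, "replaced_by": new,
                           "delay": round(t1 - t0, 3)})
    return alerts

# Constructed sample data: synthetic strings in address format, not real wallets.
ETH_A = "0x" + "a1" * 20
ETH_B = "0x" + "b2" * 20
XLM_A = "G" + "A" * 55
SAMPLE_EVENTS = [
    (10.0, "meeting notes"),
    (42.0, ETH_A),   # user copies a payee address
    (42.3, ETH_B),   # clipboard changes to another Ethereum address
    (90.0, XLM_A),   # user copies a Stellar address: different coin
    (300.0, ETH_A),  # different coin again and a long gap: not flagged
]

if __name__ == "__main__":
    for alert in find_substitutions(SAMPLE_EVENTS):
        print(alert)
```

The same comparison works as a last-step check in a payment workflow: confirm that the address about to be submitted is identical to the one originally copied from the payee.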