Typhon is an information stealer that harvests confidential data from its victims, with potentially severe consequences for those affected. The threat is written in C# and has gone through numerous releases over the course of its development. These versions can be functionally split into two groups: older Typhon variants have a broader range of threatening capabilities, while the newer versions tracked as Typhon Reborn or TyphonReborn are more streamlined and focused on data collection.
Once the Typhon Stealer has been successfully deployed on the target device, it begins by collecting fingerprinting information about the system: hardware details, OS version, machine name, username, the current screen resolution, etc. In addition, the malware attempts to extract Wi-Fi passwords, obtains a list of the currently running processes, and scans for installed anti-malware security tools. Typhon can take control of connected cameras to capture arbitrary pictures. The attackers are also able to manipulate the file system on breached devices.
The data-stealing capabilities of Typhon allow it to compromise a wide range of confidential information. The threat can extract data from numerous applications, chat and messaging clients, VPNs, gaming applications and more. It can collect victims' browsing histories, downloads, bookmarked pages, cookies, account credentials, credit card numbers and other data saved in the browser. The attackers may also try to collect cryptocurrency wallets from Google Chrome or Edge browser extensions.
Older Typhon Versions
Earlier versions of the threat were equipped with a more diverse set of intrusive functionalities. Typhon was able to establish robust and sophisticated keylogging routines, which would only trigger when the victim visited an online banking site or a page with age-restricted content. To divert money from crypto transactions, Typhon also acted as a clipper, monitoring the system clipboard. If it detected that the victim had copied a crypto-wallet address, the threat would substitute it with a different address under the control of the attackers.
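The clipper behaviour described above leaves a recognisable trace: the clipboard is rewritten from one wallet address to a different address of the same kind within milliseconds of the victim's copy, something a human never does. The following Python detector, an added example and not code from Typhon or from any vendor tool, applies that heuristic to a constructed timeline of clipboard snapshots; the address patterns, the one-second window and the sample events are assumptions for illustration.

```python
import re
from typing import List, Optional, Tuple

# Loose wallet-address patterns, used only to classify clipboard text.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Assumed threshold: a person does not copy two different wallet addresses
# within one second, but a clipper rewrites the clipboard almost instantly.
SWAP_WINDOW_SECONDS = 1.0


def classify(text: str) -> Optional[str]:
    """Return the wallet-address family of a clipboard string, or None."""
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.match(text.strip()):
            return family
    return None


def detect_clipper_swaps(events: List[Tuple[float, str]]) -> List[dict]:
    """Flag clipboard changes that look like clipper substitutions.

    events: (timestamp_seconds, clipboard_content) snapshots in time order,
    one per clipboard change. A swap is a wallet address replaced by a
    different address of the same family within SWAP_WINDOW_SECONDS.
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        fam_prev, fam_cur = classify(prev), classify(cur)
        if fam_prev is None or fam_prev != fam_cur:
            continue  # not a wallet address, or a different address kind
        if prev.strip() != cur.strip() and t_cur - t_prev <= SWAP_WINDOW_SECONDS:
            alerts.append({"time": t_cur, "family": fam_cur,
                           "copied": prev.strip(), "replaced_with": cur.strip()})
    return alerts


# Constructed clipboard timeline (not captured from a real infection): the
# user copies an ETH address, it is overwritten 40 ms later, then a normal copy.
SAMPLE_EVENTS = [
    (10.00, "meeting notes"),
    (12.00, "0x" + "ab" * 20),   # user copies their own destination address
    (12.04, "0x" + "cd" * 20),   # clipper substitutes a different address
    (30.00, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),  # unrelated later copy
]

if __name__ == "__main__":
    for alert in detect_clipper_swaps(SAMPLE_EVENTS):
        print(f"[{alert['time']:.2f}s] {alert['family']} address swapped: "
              f"{alert['copied']} -> {alert['replaced_with']}")
```

On Windows the per-change snapshots would come from polling the clipboard sequence number; the heuristic itself is platform-independent.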
Depending on the goals of the cybercriminals, older Typhon versions could be instructed to hijack the hardware resources of infected devices for a crypto-mining operation. Impacted systems had their processing capacity diverted to mining a cryptocurrency chosen by the attackers. Some Typhon versions also abused the Discord platform to spread themselves in a manner similar to worm threats.