ZCyberNews

Omnistealer Malware Harvests Passwords, Crypto Wallets via Blockchain C2

Omnistealer malware, detailed by Malwarebytes, steals credentials from 1Password, Bitwarden, NordPass, and Exodus crypto wallets, using the Solana blockchain for stealthy command-and-control communication.


Executive Summary

A new information-stealing malware dubbed Omnistealer is systematically harvesting credentials from password managers, cloud storage applications, and cryptocurrency wallets, according to research from Malwarebytes. Its most distinctive feature is the use of the Solana blockchain for command-and-control (C2) communication, providing a decentralized and resilient infrastructure that is difficult for defenders to block or sinkhole. The malware targets a wide array of applications, including 1Password, Bitwarden, NordPass, Google Chrome, Microsoft Edge, Exodus wallet, and cloud sync folders for Google Drive and OneDrive.

Technical Analysis

Omnistealer is a Windows executable written in Rust, a language increasingly favored by malware authors for its performance and for the difficulty many analysis tools have with its binaries. Upon execution, the malware runs a series of anti-analysis checks: it looks for an attached debugger, inspects the system language to avoid Russian and other Eastern European locales, and tests whether it is running inside a virtual machine or sandbox, Malwarebytes researchers found.

If these anti-analysis checks pass, the stealer begins its data harvesting routine. It systematically enumerates and extracts data from installed applications. For password managers like 1Password, Bitwarden, and NordPass, it targets locally cached databases and configuration files. For browsers such as Chrome and Edge, it steals autofill data, saved passwords, cookies, and credit card information. The malware also targets the Exodus cryptocurrency wallet, seeking to exfiltrate wallet seeds and private keys. Furthermore, it scans for and copies the contents of cloud storage synchronization folders for Google Drive and Microsoft OneDrive.

All stolen data is compressed into a ZIP archive. Only then does the distinctive C2 mechanism come into play: the malware queries the Solana blockchain and reads the "data" field of a specific, hardcoded account address. The attacker stores the C2 instructions, an IP address and port, in that field, which lets the operator change the exfiltration server without redeploying the binary. Omnistealer retrieves the IP:port pair and opens a direct socket connection to it to exfiltrate the stolen archive.

Tactics, Techniques & Procedures

Based on the Malwarebytes analysis, the primary TTPs include:

  • Execution (T1204): User execution is required, likely via phishing or bundled software.
  • Defense Evasion (T1497): Implements multiple anti-analysis checks for debuggers, VMs, and specific system locales.
  • Discovery (T1082, T1518): Conducts system information discovery and software enumeration.
  • Collection (T1555, T1539): Steals credentials from password managers and browsers; collects data from cloud storage directories.
  • Command and Control (T1573): Uses an encrypted channel (Solana blockchain query followed by a direct socket connection) for C2 communication.
  • Exfiltration (T1041): Exfiltrates stolen data via the socket connection to the actor-controlled server.
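The two-step C2 pattern described above (a Solana blockchain lookup followed by a direct socket connection from the same process) is more durable as a hunting signal than any single IP address, since the operator can rewrite the on-chain data at will. The following is an added example, not code from the Malwarebytes report or from this article, that correlates the two steps over constructed Sysmon-style NetworkConnect (Event ID 3) records. The public RPC hostnames, the five-minute window, the "common ports" allow-list and the log format are assumptions made for the example.

```python
"""Correlate a Solana RPC lookup with a follow-on raw-IP socket connection
from the same process, the C2 pattern described in the article.

The log lines below are constructed for this example; they mimic a
flattened Sysmon Event ID 3 record, not a real capture.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Well-known public Solana JSON-RPC endpoints. An actor may run a private
# RPC node, so treat this as a starting list, not an exhaustive one.
SOLANA_RPC_HOSTS = {
    "api.mainnet-beta.solana.com",
    "api.devnet.solana.com",
    "api.testnet.solana.com",
}
# Ports a direct-to-IP connection is less suspicious on (assumption).
COMMON_PORTS = {22, 25, 53, 80, 443, 587, 993, 995}
# Internal / non-routable ranges to ignore as C2 candidates.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
WINDOW = timedelta(minutes=5)

# key=value pairs whose values may contain spaces (e.g. "Program Files").
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Constructed sample telemetry. TEST-NET addresses (RFC 5737) stand in for
# real public IPs, which is why the code checks RFC 1918 ranges explicitly
# rather than relying on ipaddress' is_global.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z EventID=3 Image=C:\\Users\\alice\\Downloads\\setup.exe ProcessId=4120 DestinationHostname=api.mainnet-beta.solana.com DestinationIp=203.0.113.10 DestinationPort=443
2024-05-01T10:00:04Z EventID=3 Image=C:\\Users\\alice\\Downloads\\setup.exe ProcessId=4120 DestinationHostname=- DestinationIp=198.51.100.77 DestinationPort=4444
2024-05-01T10:01:00Z EventID=3 Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe ProcessId=2200 DestinationHostname=api.mainnet-beta.solana.com DestinationIp=203.0.113.10 DestinationPort=443
2024-05-01T10:02:00Z EventID=3 Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe ProcessId=2200 DestinationHostname=www.example.com DestinationIp=93.184.216.34 DestinationPort=443
2024-05-01T10:30:00Z EventID=3 Image=C:\\Windows\\System32\\svchost.exe ProcessId=900 DestinationHostname=- DestinationIp=192.0.2.5 DestinationPort=8080
"""


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_rpc_lookup(ev):
    """Step 1: the process talked to a public Solana RPC endpoint."""
    return ev.get("DestinationHostname") in SOLANA_RPC_HOSTS


def is_direct_socket(ev):
    """Step 2: a connection to a routable IP with no hostname, on an
    uncommon port, i.e. the hardcoded-address style of exfiltration."""
    host = ev.get("DestinationHostname", "-")
    ip = ip_address(ev["DestinationIp"])
    port = int(ev["DestinationPort"])
    internal = any(ip in net for net in INTERNAL_NETS)
    return host in ("", "-") and not internal and port not in COMMON_PORTS


def detect(log_text, window=WINDOW):
    """Return one alert per (process, RPC lookup, follow-on socket) triple
    where the socket connection happens within `window` of the lookup."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["Image"], ev["ProcessId"])].append(ev)

    alerts = []
    for (image, pid), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if not is_rpc_lookup(ev):
                continue
            for follow in evs[i + 1:]:
                if follow["ts"] - ev["ts"] > window:
                    break  # events are sorted; nothing later can qualify
                if is_direct_socket(follow):
                    alerts.append({
                        "image": image,
                        "pid": pid,
                        "rpc_host": ev["DestinationHostname"],
                        "c2": f'{follow["DestinationIp"]}:{follow["DestinationPort"]}',
                        "delta_s": int((follow["ts"] - ev["ts"]).total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f'[!] {alert["image"]} (pid {alert["pid"]}) queried '
              f'{alert["rpc_host"]} then connected to {alert["c2"]} '
              f'{alert["delta_s"]}s later')
```

In the sample, only `setup.exe` trips the rule: Chrome also reaches the Solana RPC endpoint (a legitimate wallet extension would), but its next connection carries a resolved hostname on port 443, and `svchost.exe` never performs the lookup. The value of the correlation is that it keys on the behaviour the article describes rather than on the IP the actor can rotate on-chain; the IP:port it surfaces is still worth feeding into blocklists as a short-lived indicator.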

Threat Actor Context

The developer or distributor behind Omnistealer is currently unidentified. The malware's avoidance of systems with Russian, Ukrainian, Belarusian, Kazakh, and Kyrgyz language settings is a common feature in malware originating from or seeking to avoid conflict with actors in Eastern Europe. The use of Rust and the innovative blockchain-based C2 indicate a technically capable actor focused on operational security and infrastructure resilience. There is no evidence at this time linking Omnistealer to a known, established threat group.

Mitigations & Recommendations

Organizations and users should apply standard defenses against information stealers. Enable tamper protection features in endpoint security products where available. For password managers, ensure master passwords are strong and unique, and utilize hardware security keys for two-factor authentication where supported. Consider disabling browser password saving features in favor of dedicated, locked-down password manager applications. Network defenders can monitor for outbound connections to unfamiliar IP addresses and ports, though the dynamic nature of the blockchain-retrieved C2 makes static blocking difficult. User education on phishing and software download hygiene remains critical, as initial infection requires user interaction.
