Malware threats continue to evolve, with cybercriminals developing increasingly sophisticated tools to steal sensitive data. One such threat is Poulight Stealer, a malicious software that harvests credentials, financial information, and other valuable data from infected systems. This article explores what Poulight Stealer is, its key features, distribution methods, and mitigation strategies to protect against it.
What is Poulight Stealer?
Poulight Stealer is an information-stealing malware (infostealer) targeting Windows systems. It is typically distributed through phishing campaigns, malicious downloads, or exploit kits. Once installed, it collects sensitive data such as:
- Saved credentials (browsers, email clients, FTP clients)
- Cryptocurrency wallet information
- Credit card details (from autofill data)
- Cookies and session tokens (for session hijacking)
- System information (IP address, OS version, hardware details)
- Screenshots & clipboard data (to steal copied crypto addresses)
Key Features of Poulight Stealer
1. Browser Data Theft
Poulight Stealer targets multiple web browsers, including:
- Google Chrome
- Mozilla Firefox
- Microsoft Edge
- Opera
- Brave
It extracts:
- Saved passwords
- Autofill data
- Browser cookies (for session hijacking)
- Credit card details stored in browsers
2. Cryptocurrency Wallet Theft
The malware scans for and steals:
- Exodus, Electrum, MetaMask, Binance Chain Wallet, and other crypto wallets
- Clipboard contents, which it monitors so that copied crypto addresses can be replaced with attacker-controlled ones
3. File Grabbing Capabilities
Poulight can search for and exfiltrate specific file types, such as:
- Documents (.doc, .pdf, .txt)
- Database files (.sql, .db)
- Encrypted wallet files (.dat, .wallet)
4. Anti-Detection & Evasion Techniques
To avoid detection, Poulight may use:
- Code obfuscation (to bypass static analysis)
- Process injection (to run malicious code within legitimate processes)
- Delayed execution (to evade sandbox analysis)
5. C2 Communication & Data Exfiltration
The malware communicates with its C2 server via:
- HTTP/HTTPS requests
- Telegram bots (some variants send stolen data directly to Telegram)
- Discord webhooks (for real-time data exfiltration)
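The Telegram Bot API and Discord webhook channels listed above leave a recognisable trace in outbound proxy logs. The following detection script is an added example written for this article, not code from the Poulight authors or from any vendor: it parses constructed proxy log lines (placeholder hosts, processes, bot token and webhook path) and flags POSTs to these services from processes that have no business using them, rating large uploads as higher severity.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines for illustration; hosts, process names,
# the bot token and the webhook path are placeholders, not real indicators.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=WS01 proc=chrome.exe method=GET url=https://www.example.com/ bytes_out=512
2024-05-01T10:00:05Z host=WS01 proc=svchost.exe method=POST url=https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage bytes_out=1536
2024-05-01T10:00:09Z host=WS02 proc=Discord.exe method=POST url=https://discord.com/api/webhooks/000/PLACEHOLDER bytes_out=2048
2024-05-01T10:00:12Z host=WS03 proc=updater.exe method=POST url=https://discord.com/api/webhooks/000/PLACEHOLDER bytes_out=921600
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) method=(?P<method>\S+) "
    r"url=(?P<url>\S+) bytes_out=(?P<bytes>\d+)"
)

# Processes expected to talk to each service; anything else is suspicious.
EXPECTED_CLIENTS = {
    "telegram-bot-api": set(),            # a workstation normally never calls the Bot API
    "discord-webhook": {"discord.exe"},   # the Discord client itself is expected
}

def classify(url):
    """Return the exfiltration channel a URL corresponds to, or None."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path
    if host == "api.telegram.org" and path.startswith("/bot"):
        return "telegram-bot-api"
    if host in {"discord.com", "discordapp.com"} and path.startswith("/api/webhooks/"):
        return "discord-webhook"
    return None

def detect_exfil(log_text, large_upload=100_000):
    """Flag POSTs to Telegram Bot API / Discord webhooks from unexpected processes."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        channel = classify(m["url"])
        if channel is None or m["method"] != "POST":
            continue
        if m["proc"].lower() in EXPECTED_CLIENTS[channel]:
            continue  # legitimate client for this service
        size = int(m["bytes"])
        findings.append({
            "ts": m["ts"], "host": m["host"], "proc": m["proc"], "channel": channel,
            "bytes_out": size, "severity": "high" if size >= large_upload else "medium",
        })
    return findings
```

In a real deployment the allowlist and the upload threshold would be tuned per environment; on the constructed sample the script flags the svchost.exe call to the Bot API and the large updater.exe webhook upload while ignoring the browser and the Discord client.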