
New version of Typhon Reborn malware packs improved evasion capabilities

The cybercriminal group behind the information-stealing malware Typhon Reborn has resurfaced with an updated version of their software that includes improved capabilities to evade detection and resist analysis. The new version is being offered for sale on the criminal underground for $59 per month, $360 per year, or alternatively, for $540 for a lifetime subscription. According to Cisco Talos researcher Edmund Brumaghin, who published a report on the matter on Tuesday, the updated software "can harvest and exfiltrate sensitive information and uses the Telegram API to send stolen data to attackers."

Typhon was first documented by Cyble in August of 2020, detailing its myriad features, which include hijacking clipboard content, capturing screenshots, logging keystrokes, and stealing data from crypto wallet, messaging, FTP, VPN, browser, and gaming apps. Based on another stealer malware called Prynt Stealer, Typhon is also capable of delivering the XMRig cryptocurrency miner.

In November of 2020, Palo Alto Networks Unit 42 unearthed an updated version of the software dubbed Typhon Reborn. According to Unit 42, the new version has "increased anti-analysis techniques" and "was modified to improve the stealer and file grabber features." The researchers also noted that certain features like keylogging and cryptocurrency mining had been removed in an apparent attempt to lower the chances of detection. The latest V2 variant, per Cisco Talos, was marketed by its developer on January 31, 2021, on the Russian language dark web forum XSS.

