
KuinaExtractor Uses Telegram Exfiltration, UAC Bypass, and Sandbox Detection for Stealth

Jun 26, 2026 · 4 min read

A newly uncovered infostealer called KuinaExtractor has been quietly evolving for over six months, posing a serious and growing threat to users across multiple platforms.

Written in the Rust programming language, the malware targets browser data, cryptocurrency wallets, and credentials for popular services including Roblox, Steam, and Discord.

What makes this threat particularly concerning is how rapidly it has matured, moving from a rough early build to a polished, stealthy tool in a matter of months.

KuinaExtractor first appeared in December 2025 and has since gone through four distinct development stages, each adding new capabilities and deeper evasion techniques.

The malware’s author appears to be a Vietnamese-speaking developer, with Vietnamese-language text found throughout the code, including debug output and system messages.

A command-and-control panel hosted in Vietnam and the targeting of the Vietnamese CocCoc browser further support this assessment, though researchers note these are supporting signals rather than firm proof.

Analysts at ThreatRay identified and tracked KuinaExtractor across six months by comparing code similarities at the function level, allowing them to link dozens of samples into a single malware family.

According to a ThreatRay report shared with Cyber Security News (CSN), the same markers recurred across builds: shared mutex names, build-host paths left inside the binaries, and a consistent set of Telegram contact handles tied to the alias “Kuina,” which was later replaced by “k0to.”

The malware’s development path is unusually clear and deliberate. The earliest builds already included a Chrome App-Bound Encryption (ABE) bypass that impersonated a core Windows process to recover the browser’s master encryption key; ABE wraps that key in an extra layer that only Chrome’s own elevation service is supposed to unwrap, which is why the bypass has to borrow a more privileged identity rather than simply call DPAPI as the user.

Exfiltration in those early versions went through Discord webhooks, and GitHub served both as a delivery host and as disposable remote infrastructure via GitHub Actions. That infrastructure role for GitHub remains active today.

Six months of development (Source: ThreatRay)

By June 2026, the developer had rebranded the project under the name “k0to,” shifting focus from adding new features to hiding existing ones.

The latest build XORs its strings with a 28-byte key, ships its own certificate roots instead of relying on the system’s trusted store (so TLS inspection through an analyst-installed root CA fails), and adds a sandbox check that scans PowerShell window titles for analyst tools.

These changes signal a clear move toward long-term stealth over rapid feature growth.
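Repeating-key XOR of this kind is undone in practice by recovering the key from a known plaintext (a crib) and then decrypting the whole string table. The block below is an added example written for this article; it is not code from ThreatRay or from the malware. The 28-byte key, the per-string layout (each string XORed from key offset 0) and the crib strings, including the Telegram Bot API prefix, are assumptions chosen to illustrate the technique; the real sample’s layout may differ.

```python
"""Repeating-key XOR string decryptor with known-plaintext key recovery.

Added example, not ThreatRay's or the malware's code. Key, string layout and
crib strings are assumptions for illustration.
"""
from typing import Dict, List, Optional

KEY_LEN = 28  # key length the report attributes to the June 2026 build


def xor_repeating(data: bytes, key: bytes, start: int = 0) -> bytes:
    """XOR `data` against `key`, cycling from key position `start`."""
    return bytes(b ^ key[(start + i) % len(key)] for i, b in enumerate(data))


def key_bytes_from_crib(ciphertext: bytes, crib: bytes, start: int = 0) -> Dict[int, int]:
    """Key positions recoverable from a known plaintext aligned at ciphertext[0].

    c ^ p = k for every byte, so an n-byte crib yields min(n, KEY_LEN) key bytes.
    """
    return {(start + i) % KEY_LEN: c ^ p
            for i, (c, p) in enumerate(zip(ciphertext, crib))}


def merge_key_fragments(*fragments: Dict[int, int]) -> Optional[bytes]:
    """Combine partial keys from several cribs; None until all 28 positions are known."""
    key: Dict[int, int] = {}
    for frag in fragments:
        for idx, val in frag.items():
            if key.setdefault(idx, val) != val:
                raise ValueError(f"cribs disagree on key byte {idx}")
    if len(key) < KEY_LEN:
        return None
    return bytes(key[i] for i in range(KEY_LEN))


def mostly_printable(data: bytes, threshold: float = 0.9) -> bool:
    """Sanity check on a candidate decryption: text strings should be ASCII."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return len(data) > 0 and printable / len(data) >= threshold


def decrypt_strings(blobs: List[bytes], key: bytes) -> List[str]:
    """Decrypt a string table; entries that do not decode to text are flagged."""
    out = []
    for blob in blobs:
        plain = xor_repeating(blob, key)
        out.append(plain.decode("ascii") if mostly_printable(plain, 1.0)
                   else f"<binary:{plain.hex()}>")
    return out


# Constructed demo data (assumption): a made-up key and strings a
# Telegram-exfiltrating stealer might carry, encrypted per string from offset 0.
DEMO_KEY = bytes((0x5A + 7 * i) & 0xFF for i in range(KEY_LEN))
DEMO_PLAINTEXTS = [
    b"https://api.telegram.org/bot",  # Bot API prefix: exactly 28 bytes, a full-key crib
    b"api.telegram.org",
    b"Local State",
    b"Login Data",
]
DEMO_BLOBS = [xor_repeating(p, DEMO_KEY) for p in DEMO_PLAINTEXTS]


def recover_demo_key() -> Optional[bytes]:
    """Recover the whole key from the 28-byte Bot API prefix crib alone."""
    frag = key_bytes_from_crib(DEMO_BLOBS[0], b"https://api.telegram.org/bot")
    return merge_key_fragments(frag)


def recover_from_short_crib() -> Optional[bytes]:
    """A 16-byte crib covers only key positions 0-15, so recovery stays incomplete."""
    return merge_key_fragments(key_bytes_from_crib(DEMO_BLOBS[1], b"api.telegram.org"))


if __name__ == "__main__":
    key = recover_demo_key()
    print("recovered key:", key.hex())
    for s in decrypt_strings(DEMO_BLOBS, key):
        print(" ", s)
```

When only short cribs are available, `merge_key_fragments` accepts several of them at once; it raises on conflicting key bytes, which usually means a crib was aligned at the wrong offset or the sample does not restart the key for every string.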

KuinaExtractor Uses Telegram Exfiltration, UAC Bypass, and Sandbox Detection

When KuinaExtractor was rebuilt in January 2026, exfiltration moved from Discord webhooks to a Telegram bot, giving the operator more control and making the traffic harder to flag: uploads go to api.telegram.org over TLS, a destination many networks already permit.

At the same time, the single UAC bypass from the first build was replaced by a function-pointer table offering seven separate bypass techniques. This redundancy means the malware can try another privilege-escalation path if one is blocked or patched.

The January rewrite also added extensive reconnaissance before any data theft began. Eight hardware queries via WMIC, WiFi network enumeration, a Windows Credential Manager dump, and victim IP geolocation all ran ahead of the main theft routine.

The malware also included a loop that repeatedly attempts to disable Microsoft Defender. By March 2026, browser coverage had grown to around 40 applications, and the UAC bypass had shifted to the SilentCleanup technique, which abuses a built-in scheduled task that runs with highest privileges and launches cleanmgr.exe through the %windir% environment variable, a variable a standard user can override in HKCU\Environment.
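Three of the behaviours above leave telemetry a SOC can match on: Bot API uploads with the token embedded in the URL, the user-scope windir override that a SilentCleanup-style bypass needs, and a burst of WMIC queries from one parent process. The block below is an added example written for this article, not ThreatRay’s or the malware’s code. The event layout is a simplified, constructed approximation of Sysmon events (1 = process create, 13 = registry value set) plus a proxy-log style “url” field; the token pattern, the burst threshold and every sample event are assumptions, not telemetry from the report.

```python
"""Detection logic for three KuinaExtractor behaviours over Sysmon-style events.

Added example, not ThreatRay's or the malware's code. Event schema, token
pattern, burst threshold and sample data are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Bot API call with an inline bot token (<bot id>:<secret>). The exact secret
# length is treated as an assumption, so only a lower bound is enforced.
TELEGRAM_BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,})/(sendDocument|sendMessage|sendPhoto)"
)
# Per-user windir override: the SilentCleanup task expands %windir% before
# launching cleanmgr.exe, and this value should never exist under HKCU/HKU.
USER_WINDIR = re.compile(r"\\Environment\\windir$", re.IGNORECASE)

# Constructed sample events (assumption), not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "ts": 0, "pid": 4120, "ppid": 3300,
     "image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "cmd": "update.exe"},
    {"id": 1, "ts": 2, "pid": 4121, "ppid": 4120,
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmd": "wmic csproduct get uuid"},
    {"id": 1, "ts": 3, "pid": 4122, "ppid": 4120,
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmd": "wmic cpu get name"},
    {"id": 1, "ts": 3, "pid": 4123, "ppid": 4120,
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmd": "wmic baseboard get product"},
    {"id": 1, "ts": 4, "pid": 4124, "ppid": 4120,
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmd": "wmic os get caption"},
    {"id": 1, "ts": 5, "pid": 4125, "ppid": 4120,
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmd": "wmic diskdrive get model"},
    {"id": 13, "ts": 9, "pid": 4120,
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\windir",
     "details": r"C:\Users\bob\AppData\Local\Temp\evil.exe ;"},
    {"id": 1, "ts": 10, "pid": 4130, "ppid": 4120,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /run /tn "\Microsoft\Windows\DiskCleanup\SilentCleanup" /I'},
    {"id": 3, "ts": 30, "pid": 4120,
     "url": "https://api.telegram.org/bot1234567890:AAExampleTokenExampleTokenExampleTok0/sendDocument"},
    {"id": 3, "ts": 31, "pid": 5000, "url": "https://web.telegram.org/k/"},  # benign user traffic
]


def detect_telegram_exfil(events: List[Dict]) -> List[Dict]:
    """Flag Bot API uploads; the token is redacted so alerts do not leak it."""
    hits = []
    for e in events:
        m = TELEGRAM_BOT_API.search(e.get("url", ""))
        if m:
            bot_id, token, method = m.groups()
            hits.append({"pid": e["pid"], "bot_id": bot_id,
                         "token": token[:4] + "...", "method": method})
    return hits


def detect_silentcleanup_prep(events: List[Dict]) -> List[Dict]:
    """Flag both steps of a SilentCleanup-style bypass: windir override, task trigger."""
    hits = []
    for e in events:
        if e["id"] == 13 and USER_WINDIR.search(e.get("target", "")):
            hits.append({"pid": e["pid"], "stage": "windir override", "value": e.get("details")})
        elif e["id"] == 1 and e["image"].lower().endswith(r"\schtasks.exe"):
            cmd = e.get("cmd", "").lower()
            if "/run" in cmd and "silentcleanup" in cmd:
                hits.append({"pid": e["pid"], "stage": "task trigger", "value": e["cmd"]})
    return hits


def detect_wmic_burst(events: List[Dict], threshold: int = 5, window: int = 60) -> List[Dict]:
    """Flag a parent that spawns >= threshold WMIC queries within `window` seconds."""
    by_parent: Dict[int, List[int]] = defaultdict(list)
    for e in events:
        if e["id"] == 1 and e["image"].lower().endswith(r"\wmic.exe"):
            by_parent[e["ppid"]].append(e["ts"])
    hits = []
    for ppid, times in by_parent.items():
        times.sort()
        for i, t0 in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - t0 <= window)
            if in_window >= threshold:
                hits.append({"ppid": ppid, "count": in_window})
                break
    return hits


def run_all(events: List[Dict]) -> Dict[str, List[Dict]]:
    return {
        "telegram_exfil": detect_telegram_exfil(events),
        "silentcleanup": detect_silentcleanup_prep(events),
        "wmic_burst": detect_wmic_burst(events),
    }


if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

The Telegram rule deliberately ignores ordinary web.telegram.org traffic and only fires on Bot API method calls, which is where the exfiltration surfaces; the WMIC rule is a heuristic, so tune the threshold against your own inventory and management tooling before alerting on it.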

Parallel Experiments and Abandoned Projects

While developing the main stealer, the same operator ran two side projects that were later dropped. The first, KuinaCookieExtractor, targeted platforms including Minecraft, FileZilla, and Telegram session data, exfiltrating over Discord rather than Telegram.

It was visible for roughly two weeks. A second experiment called “Zenith” briefly appeared with a debug build that left detailed logs on the victim’s desktop, and a control panel at a Vietnamese IP address before being abandoned.

These experiments show an operator who tests ideas actively, then discards what does not fit the main plan. The consistent reuse of code markers, build usernames, and Telegram handles across all projects ties every experiment back to the same individual.

Security teams monitoring this family should treat any sample carrying these shared markers as part of the same threat actor’s activity, regardless of the name displayed in the binary.

Indicators of Compromise (IoCs):

Type | Indicator | Description
IP Address | 103.229.53[.]18:3000 | “Zenith Stealer” C2 panel hosted on Vietnamese AS135918 (Viet Digital Technology)
File Path | %USERPROFILE%\Desktop\zenith_debug.txt | Debug log file written by the Zenith experiment’s debug build
Mutex Name | Kuina_Intel(R) 82574L Gigabit Network Connection | Mutex used by the Zenith debug build, disguised as a network adapter name
Build Alias / Handle | kuina1999 | Operator handle found across multiple builds and experiments
Build Alias / Handle | k0to | New alias used in the June 2026 rebrand of KuinaExtractor
Sentinel Value | KUNA_UAC_BYPASS_ATTEMPTED | Custom sentinel used in KuinaCookieExtractor builds
IOC Repository | https://github.com/threatray/threat-research/tree/main/2026-06-25-KuinaExtractor | Full IOCs and YARA rules published by ThreatRay

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
