Target Files for Infostealers

Since the files targeted by infostealers on compromised machines share common characteristics, I have summarized them below.

AI

OpenClaw: %USERPROFILE%\.openclaw

Browser Credentials

Chromium-based Browsers

360browser: %LOCALAPPDATA%\360browser\Browser\User Data
Brave: %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data
CentBrowser: %LOCALAPPDATA%\CentBrowser\User Data
Chrome: %LOCALAPPDATA%\Google\Chrome\User Data
CocCoc Browser: %LOCALAPPDATA%\CocCoc\Browser\User Data
Edge: %LOCALAPPDATA%\Microsoft\Edge\User Data
Opera: %APPDATA%\Opera Software\Opera Stable
Opera GX: %APPDATA%\Opera Software\Opera Stable GX Stable
Vivaldi: %LOCALAPPDATA%\Vivaldi\User Data
Yandex: %LOCALAPPDATA%\Yandex\YandexBrowser\User Data

Each Chromium-based browser stores a significant amount of sensitive information within its corresponding profile directory. Infostealers selectively extract specific data from these locations, particularly the following:

Decryption key: Local State
Autofill data: Default\Web Data (SQL database)
Local Storage: Default\Local Storage\leveldb (LevelDB)
Session Storage: Default\Session Storage (LevelDB)
Browsing History: Default\History (SQL database)
Browser Extensions: Default\Local Extension Settings (LevelDB)

At the same time, browser-side protection mechanisms continue to improve. For example, Google Chrome has adopted App-Bound Encryption, making it significantly more difficult to steal credentials and cookies.

However, attackers attempt to bypass these protections by leveraging implementations such as Chrome App Bound Encryption Decryption, which demonstrate methods to circumvent App-Bound Encryption and recover protected data.

Browser Extension IDs

In Chromium-based browsers, the User Data\Default\Local Extension Settings directory contains ID-specific subdirectories corresponding to installed browser extensions. Infostealers target and exfiltrate the LevelDB data stored within each of these directories.

Authenticators

Aegis Authenticator: ppdjlkfkedmidmclhakfncpfdmdgmjpm
Authenticator: bhghoamapcdpbohphigoooaddinpkbai
Authy: gjffdbjndmcafeoehgdldobgjmlepcal
Duo Mobile: eidlicjlkaiefdbgmdepmmicpbggmhoj
EOS Authenticator: oeljdldpnmdbchonielidgobddffflal
FreeOTP: elokfmmmjbadpgdjmgglocapdckdcpkn
Google Authenticator: khcodhlfkpmhibicdjjblnkgimdepgnd
LastPass Authenticator: cfoajccjibkjhbdjnpkbananbejpkkjb
MEW CX: nlbmnnijcnlegkjjpcfjclmcfggfefdm
Microsoft Authenticator: bfbdnbpibgndpjfhonkflpkijfapmomn
OTP Auth: bobfejfdlhnabgglompioclndjejolch
Sollet: fhmfendgdocmcbmfikdcogofphimnkno

Crypto Wallets

Airbitz: ieedgmmkpkbiblijbbldefkomatsuahh
Atomic: bhmlbgebokamljgnceonbncdofmmkedg
BinanceChain: fhbohimaelbohpjbbldcngcnapndodjp
BitBox: ocmfilhakdbncmojmlbagpkjfbmeinbd
BRD: nbokbjkelpmlgflobbohapifnnenbjlh
Coin98: aeachknmefphepccionboohckonoeemg
Coinomi: blbpgcogcoohhngdjafgpoagcilicpjh
Copay: ieedgmmkpkbiblijbbldefkomatsuahh
Digital Bitbox: dbhklojmlkgmpihhdooibnmidfpeaing
Electrum: hieplnfojfccegoloniefimmbfjdgcgp
Exodus: idkppnahnmmggbmfkjhiakkbkdpnmnon
GreenAddress: gflpckpfdgcagnbdfafmibcmkadnlhpj
Guarda Wallet: fcglfhcjfpkgdppjbglknafgfffkelnm
iWallet: kncchdigobghenbbaddojjnnaogfppfj
Jaxx Liberty: mhonjhhcgphdphdjcdoeodfdliikapmj
KeepKey: dojmlmceifkfgkgeejemfciibjehhdcl
LastPass: gabedfkgnbglfbnplfpjddgfnbibkmbb
Keplr: dmkamcknogkgcdfhhbddcghachkejeap
Ledger Live: pfkcfdjnlfjcmkjnhcbfhfkkoflnhjln
Ledger Wallet: hbpfjlflhnmkddbjdchbbifhllgmmhnm
MetaMask: nkbihfbeogaeaoehlefnkodbefgpgknn
Mycelium: pidhddgciaponoajdngciiemcflpnnbg
NeoLine: cphhlgmgameodnhkjdmkpanlelnlohao
OneKey: ilbbpajmiplgpehdikmejfemfklpkmke
Phantom: bfnaelmomeimhlpmgjnjophhpkkoljpa
Ronin: fnjhmkhhmkbjkkabndcnnogagogbneec
Samourai Wallet: apjdnokplgcjkejimjdfjnhmjlbpgkdi
Station Wallet: aiifbnbfobpmeekipheeijimdpnlpgpp
TezBox: mnfifefkajgofkcjkemidiaecocnkjeh
TronLink: ibnejdfjmmkpcnlpebklmnkoeoihofec
Trust Wallet: pknlccmneadmjbkollckpblgaaabameg
Wombat: amkmjjmmflddogmhpjloimipbofnfjih

Password Managers

Avira Password Manager: caljgklbbfbcjjanaijlacgncafpegll
Bitwarden: inljaljiffkdgmlndjkdiepghpolcpki
Browserpass: naepdomgkenhinolocfifgehidddafch
Dashlane: flikjlpgnpcjdienoojmgliechmmheek
KeePassXC: kgeohlebpjgcfiidfhhdlnnkhefajmca
Keeper: gofhklgdnbnpcdigdgkgfobhhghjmmkj
NordPass: njgnlkhcjgmjfnfahdmfkalpjcneebpl
Norton Password Manager: admmjipmmciaobhojoghlmleefbicajg
RoboForm: hppmchachflomkejbhofobganapojjol
Trezor Password Manager: imloifkgjagghnncjkhggdhalmcnfklk
Zoho Vault: igkpcodhieompeloncfnbekccinhapdb

Others

Splikity: jhfjfclepacoldmjmkmdlmganfaalklb
YubiKey: mammpjaaoinfelloncbbpomjcihbkmmc

Gecko-based Browsers

Firefox: %APPDATA%\Mozilla\Firefox\Profiles\<profile>

Gecko-based browsers are targeted through files stored within the profile directory, including cert9.db, key4.db, logins.json, cookies.sqlite, formhistory.sqlite, places.sqlite, sessionstore.jsonlz4, and storage\default\moz-extension+++.

In some cases, the entire profile directory is exfiltrated, and tools such as firefox_decrypt are used to extract stored credentials.

Chat Clients

Discord: %APPDATA%\discord
Telegram: %APPDATA%\Telegram Desktop\tdata

Crypto Wallets

Armory: %APPDATA%\Armory
Atomic: %APPDATA%\atomic
Binance: %APPDATA%\Binance
Bitcoin Core: %APPDATA%\Bitcoin\wallets
Coinomi: %LOCALAPPDATA%\Coinomi
Daedalus Mainnet: %APPDATA%\Daedalus Mainnet
Dash Core: %APPDATA%\DashCore
Dogecoin Core: %APPDATA%\Dogecoin
Electron Cash: %APPDATA%\Electron Cash
Electrum: %APPDATA%\Electrum
Electrum LTC: %APPDATA%\Electrum-LTC
Ethereum: %APPDATA%\Ethereum
Exodus: %APPDATA%\Exodus
JaxxClassic: %APPDATA%\Jaxx\Local Storage\leveldb
JaxxLiberty: %APPDATA%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Ledger Live: %APPDATA%\Ledger Live
Litecoin Core: %APPDATA%\Litcoin
Monero GUI: %USERPROFILE%\Documents\Monero\wallets
Raven Core: %APPDATA%\Raven
Wasabi Wallet: %APPDATA%\WalletWasabi\Client
Zcash: %APPDATA%\Zcash

Email Clients

Thunderbird: %APPDATA%\Thunderbird\Profiles

Game Clients

Steam: %ProgramFiles(x86)%\Steam