Carboy Stealer v2.0: Payload Builder + C2 server + Logs viewer
![[Image: ep8icn.png]](https://patched.to/pbb-proxy/UUNCQ0JeTUoCXl0AEktaVBJVDU8WXVZQHFYRCA9TWEtJWVE-/ep8icn.png)
Covert data exfiltration toolkit for modern Windows systems. Written in C++ with no dependencies, optimized for stealth and minimal footprint. Comes preconfigured with a default target set focused on crypto data and wallet extractions. It scans for desktop and browser-based wallets, hardware wallet suites, browser profiles, crypto extensions, developer credentials, password manager vaults, and user documents containing relevant keywords. Default targets include common paths like wallet.dat, keystore files, browser IndexedDB, and extension storage. Ton of features - too many to list, so contact me for more info.
V2.0 brings improved modularity, memory handling, and payload functionality.
Summary of Key Features
- Configurable file and directory targeting for flexible extraction
- Real-time monitoring and batch encryption with a default threshold of 50 files
- Hybrid encryption using Curve25519 ECDH and Salsa20 symmetric cipher
- Unique ephemeral key pairs per archive to guarantee forward secrecy
- Compact encrypted file format with only 72 bytes of overhead per archive
- Single-stage exfiltration session with sequential upload of encrypted archives
- Immediate deletion of local encrypted files following successful transfer
- Thorough 3-pass cleanup to eliminate residual artifacts post-operation
Summary of Default Targets
- Desktop Wallets: Sparrow, Electrum, Exodus, Bitcoin Core, Wasabi, Samourai, BlueWallet, Atomic, Jaxx, Coinomi, MyEtherWallet, Guarda, Edge, Copay, Bread
- Browser-Based Wallets & Extensions: MetaMask, Trust Wallet (browser), Phantom, Solflare, Rabby, Nifty Wallet, Frame, Tally Ho, Coinbase Wallet (ext), Binance Wallet, MEW CX, Brave Wallet
- Hardware Wallet Suites: Ledger Live, Trezor Suite, KeepKey, BitBoxApp, SafePal, NGRAVE, Coldcard
- Supported File Types/Dirs: wallet.dat, *.ldb, *.log, keystore, keyfile, *.bin, *.wallet, seed.txt, recovery.txt, config.json, manifest.json, Local Extension Storage, browser IndexedDB
- Keywords: wallet, seed, mnemonic, private key, recovery phrase, backup, master key, keystore, phrase, address, secret key
- Targeted Browsers: Chrome, Firefox, Edge, Brave, Opera, Vivaldi, Chromium (Chromium- and Gecko-based). Extracts profiles, sessions, autofill, cookies, passwords.
- Key Data Paths: Login Data, Cookies, Web Data, History, Sessions, Bookmarks, Autofill, Local Storage, IndexedDB, Extensions
- Crypto-Related Extensions: MetaMask, Phantom, Rabby, Binance Wallet, Coinbase Wallet, Trust Wallet, 1inch, MEW CX, Tally Ho
- SSH/FTP/Cloud Configs: .ssh/id_rsa, .ssh/known_hosts, .aws/credentials, .azure, gcloud, .kube/config, .npmrc, .docker/config.json, .netrc, .git-credentials
- Remote Access Clients: FileZilla, WinSCP, PuTTY, Termius, MobaXterm, Cyberduck, Transmit, Xshell, SecureCRT
- Password Manager Targets: 1Password, Bitwarden, Dashlane, Keeper, LastPass, RoboForm, KeePass, KeePassXC, MacPass
- Password Vault File Types: *.kdbx, *.key, *.csv, Vault, db.sqlite, browser extension local storage
- User Document Extensions: .txt, .doc, .docx, .pdf, .xls, .xlsx, .json, .csv, .xml, .ini
- Keyword Filters: seed, mnemonic, wallet, private key, recovery, passphrase, crypto, btc, eth, binance, keystore, password, token, secret, phrase, ledger, trezor, trustwallet, exchange
![[Image: hoivvf.png]](https://patched.to/pbb-proxy/UUNCQ0JeTUoCXl0AEktaVBJVDU8WXVZQHFsOWRBGUEtJWVE-/hoivvf.png)
![[Image: oa3aqr.png]](https://patched.to/pbb-proxy/UUNCQ0JeTUoCXl0AEktaVBJVDU8WXVZQHFwAAwdBREtJWVE-/oa3aqr.png)
PM for more information + updated datasheet.
- Remy
Website: https://remysworld.com
XSS: https://xss.is/members/426284/
PGP: https://pastebin.com/raw/rqry0AuR
Links: https://guns.lol/remio
Telegram: https://t.me/rremyq