Modifications to Software\Microsoft\Windows\CurrentVersion\Run to ensure the stealer runs on reboot. Remediation Steps If you have executed this file:
The malware communicates with a remote server using encrypted HTTP POST requests. It sends a compressed .zip or .7z file containing the stolen data to the attacker’s C2 infrastructure. gavnosource.rar
Exfiltration of browser credentials, cryptocurrency wallets, session cookies, and system metadata. Command & Control (C2) Communication "Gavno" is a
Captures Discord tokens, Telegram session files, and Steam credentials to bypass 2FA by using active sessions. 4. Command & Control (C2) Communication sandboxes (like Any.run)
"Gavno" is a Slavic term (Russian/Ukrainian) for "garbage" or "sh*t," often used ironically in underground circles to label low-effort or leaked "junk" code. Infection Chain & Technical Analysis 1. Initial Access
It checks for the presence of debuggers, sandboxes (like Any.run), or Virtual Machines (VMWare/VirtualBox). If detected, it may terminate or execute "junk code" to waste analysis time.
The file is a widely discussed malware sample within the cybersecurity community, primarily recognized as a variant of the Lumma Stealer (an Information Stealer) distributed through social engineering campaigns targeting developers and gamers. Executive Summary Malware Type: InfoStealer (Lumma variant)
