Skip to content
shaddy43 edited this page Jul 16, 2026 · 4 revisions

BrowserSnatch - Detection & Threat Intelligence Wiki

A community detection knowledge base for BrowserSnatch, an open-source browser data extraction tool. Source repository: shaddy43/BrowserSnatch


What is this?

BrowserSnatch is an open-source offensive-security tool that "snatches" saved passwords, cookies (including the latest v20 app-bound-encrypted cookies), bookmarks, and browsing history from 40+ Chromium and Gecko-based browsers on Windows. It is intended for authorized penetration testing and red teaming activities but like any dual-use info-stealer, it can be abused.

This wiki gives blue teams, threat hunters, and detection engineers a ready-to-deploy detection package: Sigma rules, YARA rules, Detection Queries and Hunts, IOCs, and MITRE ATT&CK mappings, all in one browsable place.

⚠️ Purpose & ethics. Everything here is for defensive use: detection engineering, threat hunting, and security research. It contains no offensive instructions, payloads, or new capabilities. This wiki contains only signatures and indicators for detecting the tool.


Known Misuse!

Like any open-source tool, BrowserSnatch has also been reportedly abused in different malware campaigns and families. Source code of BrowserSnatch has been detected in following malware families:

Olymp Loader:

  1. https://outpost24.com/blog/olymp-loader-a-new-malware-as-a-service/
  2. https://www.picussecurity.com/resource/blog/olymp-loader-emerging-malware-as-a-service-threat-in-2025

Venom Stealer:

  1. https://tria.ge/260324-n3fvesfx2t
  2. https://tria.ge/260323-kbss5aex4z

BrowserSnatch Family: The code-base has been reused in so many campaigns that BrowserSnatch is treated as Malware family

  1. https://tria.ge/s/family:browsersnatch
  2. https://www.virustotal.com/gui/search?query=browsersnatch
  3. https://any.run/report/f2904531e1bcbc208e1f3dafc5a1c9c2be65ac8ca0853f2af3e19b778bd51c81/46c4e5b1-f91a-4872-b1fe-5f019d83c6bc
  4. https://hybrid-analysis.com/search?query=browsersnatch

Navigation

Page Contents
Tool Overview What the tool is, versions, capabilities, repo structure
MITRE ATT&CK Mapping TTP coverage
Indicators of Compromise (IOCs) Files, strings, dropped/masquerade artifacts, network
Behavioral Detections Commandline patterns, process/file behavior, event IDs
Sigma Rules Deployable Sigma detections
YARA Rules Binary detection signatures
Hunting Queries (KQL & Splunk etc) Threat-hunting queries
Detection Coverage Matrix Behavior → rule mapping, telemetry needs
Validation & Lab Testing How to safely validate these detections
Contributing How the community can improve this wiki

Quick-start for defenders

  1. Highest-confidence, near-zero-false-positive IOCs:
    • Author string shaddy43 in the binary and as a Scheduled Task <Author>
    • Creation of C:\Users\Public\NTUSER.dat (no legitimate use)
    • A binary named chrome.exe / msedge.exe / brave.exe that is unsigned or signed by the wrong vendor
  2. Deploy the Sigma Rules and YARA Rule into your SIEM/EDR.
  3. Hunt retroactively with the detection queries.
  4. Validate in a lab using the testing guide before trusting production alerts.

At a glance

Attribute Detail
Tool type Open-source red-team / dual-use info-stealer
Primary function Browser credential, cookies, bookmark & history theft (40+ browsers)
Author shaddy43
Platform Windows x86 / x64
Language C / C++
License MIT
Primary ATT&CK T1555.003, T1539, T1053.005, T1036.005, T1074.001
Risk HIGH - freely available, small footprint, v20 app-bound decryption, persistence + masquerading

Maintained by the cybersecurity community. Contributions welcome, see Contributing. This wiki is affiliated with tools Author himself.

Clone this wiki locally