-
Notifications
You must be signed in to change notification settings - Fork 49
Home
A community detection knowledge base for BrowserSnatch, an open-source browser data extraction tool. Source repository: shaddy43/BrowserSnatch
BrowserSnatch is an open-source offensive-security tool that "snatches" saved passwords, cookies (including the latest v20 app-bound-encrypted cookies), bookmarks, and browsing history from 40+ Chromium and Gecko-based browsers on Windows. It is intended for authorized penetration testing and red teaming activities but like any dual-use info-stealer, it can be abused.
This wiki gives blue teams, threat hunters, and detection engineers a ready-to-deploy detection package: Sigma rules, YARA rules, Detection Queries and Hunts, IOCs, and MITRE ATT&CK mappings, all in one browsable place.
⚠️ Purpose & ethics. Everything here is for defensive use: detection engineering, threat hunting, and security research. It contains no offensive instructions, payloads, or new capabilities. This wiki contains only signatures and indicators for detecting the tool.
Like any open-source tool, BrowserSnatch has also been reportedly abused in different malware campaigns and families. Source code of BrowserSnatch has been detected in following malware families:
Olymp Loader:
- https://outpost24.com/blog/olymp-loader-a-new-malware-as-a-service/
- https://www.picussecurity.com/resource/blog/olymp-loader-emerging-malware-as-a-service-threat-in-2025
Venom Stealer:
BrowserSnatch Family: The code-base has been reused in so many campaigns that BrowserSnatch is treated as Malware family
- https://tria.ge/s/family:browsersnatch
- https://www.virustotal.com/gui/search?query=browsersnatch
- https://any.run/report/f2904531e1bcbc208e1f3dafc5a1c9c2be65ac8ca0853f2af3e19b778bd51c81/46c4e5b1-f91a-4872-b1fe-5f019d83c6bc
- https://hybrid-analysis.com/search?query=browsersnatch
| Page | Contents |
|---|---|
| Tool Overview | What the tool is, versions, capabilities, repo structure |
| MITRE ATT&CK Mapping | TTP coverage |
| Indicators of Compromise (IOCs) | Files, strings, dropped/masquerade artifacts, network |
| Behavioral Detections | Commandline patterns, process/file behavior, event IDs |
| Sigma Rules | Deployable Sigma detections |
| YARA Rules | Binary detection signatures |
| Hunting Queries (KQL & Splunk etc) | Threat-hunting queries |
| Detection Coverage Matrix | Behavior → rule mapping, telemetry needs |
| Validation & Lab Testing | How to safely validate these detections |
| Contributing | How the community can improve this wiki |
-
Highest-confidence, near-zero-false-positive IOCs:
- Author string
shaddy43in the binary and as a Scheduled Task<Author> - Creation of
C:\Users\Public\NTUSER.dat(no legitimate use) - A binary named
chrome.exe/msedge.exe/brave.exethat is unsigned or signed by the wrong vendor
- Author string
- Deploy the Sigma Rules and YARA Rule into your SIEM/EDR.
- Hunt retroactively with the detection queries.
- Validate in a lab using the testing guide before trusting production alerts.
| Attribute | Detail |
|---|---|
| Tool type | Open-source red-team / dual-use info-stealer |
| Primary function | Browser credential, cookies, bookmark & history theft (40+ browsers) |
| Author | shaddy43 |
| Platform | Windows x86 / x64 |
| Language | C / C++ |
| License | MIT |
| Primary ATT&CK | T1555.003, T1539, T1053.005, T1036.005, T1074.001 |
| Risk | HIGH - freely available, small footprint, v20 app-bound decryption, persistence + masquerading |
Maintained by the cybersecurity community. Contributions welcome, see Contributing. This wiki is affiliated with tools Author himself.
BrowserSnatch Detection Wiki · Community-maintained defensive resource · Source: shaddy43/BrowserSnatch · For authorized detection-engineering and threat-hunting use only.
Intelligence
Detection Rules
Operations