Validation can come from the most unexpected places—like malware code. Meet Celestial Stealer, a sneaky infostealer malware designed to swipe sensitive information. But when it spots a suspicious name, it hits the brakes and shuts itself down. One of those names is Huntress’ own Jai Minton. It’s the ultimate hacker shoutout.
Trellix recently published a detailed breakdown of Celestial Stealer, a JavaScript-based infostealer advertised on Telegram. Just like subscription services that keep you stocked with the basics—like shampoo or coffee pods—you can buy a subscription to the Celestial Stealer Malware-as-a-Service (MaaS) that gives you a weekly, monthly, or lifetime license to use the malware. This means even unskilled hackers can purchase and use this infostealer, which is updated periodically to stay as stealthy and evasive as possible.
As a quick recap, infostealers are malware designed to gather sensitive data from infected systems and send it back to the attacker. Typical targets for infostealers are credentials used in online services, cryptocurrency wallets, and files that may be of interest.
Figure 1: Screenshot of Jai’s post on X showing the name check code.
In the underground market for infostealers, the bottom line is determined by how easily and consistently information can be stolen from victims’ machines. Success depends on whether the infostealer can consistently dodge detection engines and threat hunters (which isn’t easy).
Celestial Stealer is purposefully layered with anti-virtual machine (anti-VM) and anti-analysis techniques to detect when it runs on a machine that isn’t a legitimate victim’s endpoint. These anti-VM techniques are designed to hinder researchers from uncovering the true nature of a malicious payload and can make detection even more difficult. Plus, if the malware is run in a sandbox, the likelihood of anything useful coming from this machine is minimal.
According to Trellix security researchers, JavaScript infostealers like Celestial Stealer use advanced obfuscation techniques and can be disguised as standalone Electron or NodeJS applications. Threat actors know they must constantly pivot and change technical evasion tactics to stay in business.
Threat actors know our technical expertise at Huntress is backed by formidable opponents, and Celestial Stealer is clear proof of this. One of the many anti-analysis layers baked in is a list of specific usernames and computer names. Everything noted on this list are indicators that the malware may be being analyzed, which poses a detection risk to Celestial Stealer when it runs on endpoints. In fact, upon detection of these names, Celestial Stealer immediately terminates to avoid detection and defenders’ reverse engineering efforts.
We consider it a major badge of honor that one of our security researchers, Jai Minton, made this list.
Figure 2: Partial list of user and computer names to avoid, including Jai’s name and handle.
To break down what this means, every time Celestial Stealer runs in the wild on a victim's machine, it looks for Jai Minton as a potential threat and, if found, would shut down the infostealer operation. Celestial Stealer skips over machines when it comes to stealing sensitive data—like browser passwords, cookies, saved credit card info, or crypto wallets—if the username or computername is “Jai Minton” or his online alias, “cyberraiju."
This is huge. Take our word for it. This is the ultimate kudos to the good guys.
Reference:
Trellix, "Anatomy of Celestial Stealer: Malware-as-a-Service Revealed”
Get insider access to Huntress tradecraft, killer events, and the freshest blog updates.
