Someone is distributing malware disguised as a beta invite for a real indie game. The dropper calls itself CyveraVPN. The package.json buried inside it calls itself a “Beta Of Exonautis.” Exonautis is a legitimate space shooter currently in free demo on Steam, developed by a small studio called BaleYc Studios. The game is real, the studio is real, and neither of them have anything to do with this campaign (afaik).

What they do have is obscurity — real enough to be credible as a beta, unknown enough that a victim can’t easily verify it. That’s the angle.

This post covers the full attack chain: from the fake installer, through two layers of JavaScript obfuscation, to the decrypted GenesisStealer payload underneath. We’ll also look at what makes this campaign trackable — a single builder fingerprint that links several different fake software droppers together. Good for hunting this malware family.

The Sample

#

The initial file is CyveraVPN Setup 2.1.1.exe — an 84MB NSIS installer. On execution, it presents a VPN installer UI while silently deploying a Node.js/Electron application containing the actual malware.

Whats inside?

#

NSIS installers are essentially self-extracting archives. Cracking this one open with 7z reveals the structure:

CyveraVPN Setup 2.1.1.exe
│  PE32, NSIS self-extracting archive, 88.7 MB
│
└── Electron ASAR bundle
    └── a825f8018d7071c1.js   ← the real entry point
        │  721 KB of obfuscated JavaScript
        │  Looks like gibberish. It isn't.
        │
        └── [AES-256-CBC encrypted blob]
            └── genesis_final.js   ← the stealer
                │  479 KB decrypted, still obfuscated
                │
                ├── python_firefox_nss3_decrypt.py   (embedded)
                └── python_chrome_lsass_decrypt.py   (embedded)

The outer shell is an Electron app — a Chromium browser bundled with Node.js, dressed up as a VPN client. The package.json inside gives the game away immediately:

“Beta Of Exonautis.” This is a commercial stealer platform. The VPN is the lure. The product is your credentials.

Stage 1: Cracking the Loader

#

The main JS file (a825f8018d7071c1.js) uses a classic obfuscation technique: every string in the code goes through a rotated lookup array called vkAskC. Before any logic runs, the array is rotated 9 positions so all indexes shift. The actual strings are never visible in source — you only see index numbers.

After decoding the array, the loader does one thing: decrypt the real payload.

crypto.pbkdf2Sync(
  '8X9+CehDwyGExpfoGWcausHkyQJp13p+',  // hardcoded password
  Buffer.from('f20e04286bbff3d4a73df7a44f843c3c', 'hex'),  // hardcoded salt
  100000,    // iterations
  32,        // key length
  'sha512'
);
// Derived key: ccd293d10f2251f7508ef6f41c2634db01b94225f33e8113a0c20421b7de558a
// IV:          12bd438e2e1a651e236548e32152c0f5

crypto.createDecipheriv('aes-256-cbc', derivedKey, iv);

PBKDF2-SHA512, 100,000 iterations, AES-256-CBC. The key and IV are hardcoded. We captured them at runtime by hooking crypto.pbkdf2Sync and crypto.createDecipheriv.

Decrypted Parameters

Password:    8X9+CehDwyGExpfoGWcausHkyQJp13p+
Salt:        8g4EKGu/89SnPfekT4Q8PA==
IV:          Er1Dji4aZR4jZUjjIVLA9Q==
Derived key: ccd293d10f2251f7508ef6f41c2634db01b94225f33e8113a0c20421b7de558a
Algorithm:   AES-256-CBC / PBKDF2-SHA512 / 100,000 iterations

Stage 2: The GenesisStealer Payload

#

The decrypted payload is a 479KB of JavaScript, still obfuscated, this time with a 1373-entry string array called R3CAfF. Same technique, bigger scale. Every console.log, every file path, every API call is hidden behind an index lookup.

Once you decode the array, the stealer’s capabilities become obvious from its npm dependencies alone:

The Attack, Step by Step

#

1. Dig In, Persistence & Defense Evasion

#

Before stealing anything, Genesis makes itself at home. It drops a VBScript into the Windows Startup folder:

0 = hidden window. False = don’t wait. Every time the machine boots, the fake VPN re-runs silently.

Then it goes after Windows Defender:

And disable UAC:

Then kills antivirus processes by name — Avira, AVG, ESET NOD32, Bitdefender, Kaspersky, McAfee, Norton, Sophos, Avast. It runs tasklist first, checks what’s running, then fires taskkill /F /IM at whatever it finds.

2. The Cookie Problem (And Its Very Thorough Solution)

#

Stealing browser cookies sounds simple. It wasn’t, because Google rolled out App-Bound Encryption in Chrome v127 — cookies are now encrypted using a key that’s bound to the browser process via DPAPI-NG. A regular process can’t read them.

Genesis ships two separate Python scripts to handle this, one per browser engine. They’re embedded as string literals inside the JS and written to disk at runtime.

Script 1 — Firefox (python_firefox_nss3_decrypt.py, 6.3 KB):

Loads nss3.dll directly via ctypes and calls PK11SDR_Decrypt — Firefox’s own internal decryption function. No keys needed; NSS handles it.

NSS_Init(profile_path.encode())
PK11SDR_Decrypt(ct.byref(inp), ct.byref(out), None)

Script 2 — Chrome/Brave/Edge (python_chrome_lsass_decrypt.py, 25 KB):

This one is more aggressive. It impersonates the LSASS process to obtain a system-level security token, then uses that token to decrypt Chrome’s app-bound encryption key.

Under the LSASS token, it decrypts the browser key and then reads cookies using both AES-256-GCM and ChaCha20-Poly1305 depending on Chrome version.

For Opera GX, Genesis uses a different approach entirely — it launches Opera with remote debugging enabled, connects via WebSocket to the Chrome DevTools Protocol, and calls Network.getAllCookies directly:

http://127.0.0.1:[port]/json  →  WebSocket  →  Network.getAllCookies

15 browsers total: Chrome, Edge, Brave, Opera, Opera GX, Yandex, Vivaldi, Iridium, Sputnik, Epic Privacy, Uran, Kometa, Orbitum, CentBrowser, 7Star. Plus Firefox and Waterfox via NSS3.

3. Credentials, Wallets, Sessions

#

Beyond cookies, Genesis goes after everything:

Browsers — Login Data SQLite DB for passwords:

SELECT origin_url, username_value, password_value FROM logins

MetaMask — reads the extension’s Local Extension Settings folder directly from the Chrome profile.

Exodus — copies the entire %APPDATA%\Exodus\ directory.

Discord — extracts tokens from LevelDB logs, then hits the billing endpoint:

fetch('https://discord.com/api/v9/users/@me/billing/payment-sources', {
  headers: { Authorization: token }
});

It wants your token, your badges, your nitro status, your payment methods, and your guild list.

Steam — kills steam.exe, copies session files, then verifies the account is real against the Steam Web API using a hardcoded key: 440D7F4D810EF9298D25EDDF37C1F902.

Roblox — extracts .ROBLOSECURITY from every browser, then queries the Roblox economy API for the Robux balance. It wants to know how much your account is worth before selling it.

Telegram — taskkill /F /IM Telegram.exe, then copies user_data/ and media_cache/.

Minecraft — copies .minecraft/ settings. And checks the Minecraft skin API at mc-heads.net/skin/ — likely to verify the account has a paid skin (premium account).

WiFi — netsh wlan show profiles on every saved network. Gets SSIDs and passwords.

4. Exfiltration

#

Everything gets zipped and sent to a cascade of endpoints, tried in order until one succeeds:

1. Cloudflare R2 (S3 putObject)
   └── 227efc002310e6abf829b4c6a393bd4a.r2.cloudflarestorage.com
       AWS Key:    ca2f23ad3117cebfc519bd3833f11a70
       AWS Secret: 92da241abc8ded3afc1a716bc2072e2b71728b1599a2e9a601b81c849117e178

2. kalygenesis.xyz/uploads/        ← operator's own file host

3. api.gofile.io/uploadFile         ← public file sharing

4. tmpfiles.org/api/v1/             ← public temporary storage

After upload, the download link gets posted to one of two Discord webhooks — formatted as a rich embed with the victim’s system info, account details, and a clickable download link.

The Bigger Picture: One Builder, Several Faces

#

This is where it gets interesting from a threat intelligence perspective.

Searching MalwareBazaar for the GenesisStealer family returns a list of droppers that all look different but are actually identical under the hood.

All of them are ~88MB PE32 NSIS installers. All of them share the same imphash: b34f154ec913d2d2c435cbd644e91687. The table below is shows that all GenesisStealer malware found in MalwareBazaar have the same imphash value. Shout out to burger for uploading the samples.

What is imphash?

#

It’s an MD5 hash computed from a PE file’s import table — the ordered list of DLLs and functions the binary imports. Think of it as a fingerprint of how a program was compiled and linked, independent of what payload it carries. Two executables built from the same source code with the same dependencies will share an imphash even if their contents differ completely.

This matters because it means the actor can swap lure names, embed different payloads, and repackage the installer as many times as they want — but the imphash stays the same until they rewrite the builder. That’s a clusterable, pivotable indicator that survives all the cosmetic changes.

The 2.1.1 version string is another leak. It appears hardcoded across most dropper names and in package.json — it’s the builder version, not the impersonated software’s version number. The actor forgot (or didn’t care) to strip it.

Who Made This?

#

The code doesn’t leave many obvious fingerprints, but it leaves enough.

The brand: The platform is called Exonautis, built by BaleYc Studios. The stealer component is marketed as Genesis. The Telegram channel t.me/genesisproj is the public sales front. The C2 is api.genesishaha.fun.

The language: The console log messages inside the stealer are written in three languages — and the mix is telling.

• French (dominant): Recherche d'Exodus..., wallet(s) trouvé(s), Tentative d'upload sur Gofile, lors de la création du ZIP. These are the operator’s own debug/status messages.
• Portuguese: Nenhum cookie encontrado, Nenhum navegador válido encontrado. These come from a borrowed browser extraction module — likely copy-pasted from a Brazilian open-source stealer.
• Spanish: Iniciando proceso. One borrowed string from yet another module.

The French is native. The rest is copy-paste.

The targets: Discord tokens, Roblox Robux, Steam accounts, Minecraft skins, crypto wallets. This is squarely aimed at the gaming community — a well-established target profile for francophone West African cybercrime groups, who run large-scale Discord account theft and resale operations.

The OPSEC: Mixed. The JS obfuscation is thorough — two layers, 1,373-entry string arrays, fragmented strings. But the AWS credentials, Steam API key, and Discord webhooks are all hardcoded in plaintext inside the payload. Either the operator is confident the payload won’t be extracted, or they’re sloppy with credential rotation. Possibly both.

Attribution confidence: LOW-MEDIUM. French-speaking, gaming-focused MaaS operator. No confirmed identity. The t.me/genesisproj channel is the best lead for tracking activity.

IOCs

#

File Hashes (Sha256)

#

Domains

#

URLs

#

https://discord[.]com/api/webhooks/1410035164033323029/DlLUhHp0TRyB1xvzeobaPCYP5ehH93734w9AADTDCeazBJ2m-pzJ-1Jb8wLM3BhPT8t1 Discord Webhook
https://discord[.]com/api/webhooks/1471177394457935995/BzNVHWw2ZLYtaBrbCHf2QY9Snd5UnkeK3LpzYe4r05fLnmi9eAUijaqLWVEgLIov2yf2 Discord Webhook