KuinaExtractor Uses Telegram Exfiltration, UAC Bypass, and Sandbox Detection for Stealth

Cybersecurity News, archived Jun 26, 2026

By Tushar Subhra Dutta, June 26, 2026

A newly uncovered infostealer called KuinaExtractor has been quietly evolving for over six months, posing a serious and growing threat to users across multiple platforms. Written in Rust, the malware targets browser data, cryptocurrency wallets, and credentials for popular services including Roblox, Steam, and Discord. What makes this threat particularly concerning is how rapidly it has matured, moving from a rough early build to a polished, stealthy tool in a matter of months.

KuinaExtractor first appeared in December 2025 and has since gone through four distinct development stages, each adding new capabilities and deeper evasion techniques. The author appears to be a Vietnamese-speaking developer: Vietnamese-language text appears throughout the code, including debug output and system messages. A command-and-control panel hosted in Vietnam and the targeting of the Vietnamese CocCoc browser support this assessment, though the researchers note that these are supporting signals rather than firm proof.

Analysts at ThreatRay identified and tracked KuinaExtractor across six months by comparing code similarity at the function level, which let them link dozens of samples into a single malware family. According to the ThreatRay report shared with Cyber Security News (CSN), the same markers recurred across builds: shared mutex names, build-host paths left inside the binaries, and a consistent set of Telegram contact handles tied to the alias "Kuina," later replaced by "k0to."

The malware's development path is unusually clear and deliberate. The earliest builds already included a Chrome App-Bound Encryption bypass that impersonated a core Windows process to recover the browser's master encryption key.
Exfiltration in those early versions ran through Discord webhooks, and GitHub served both as a delivery host and as disposable remote infrastructure through GitHub Actions. GitHub still plays that infrastructure role today.

[Figure: Six months of development (Source: ThreatRay)]

By June 2026, the developer had rebranded the project as "k0to," shifting focus from adding new features to hiding existing ones. The latest build wraps its strings in 28-byte XOR encryption, ships its own certificate roots instead of relying on the system's trusted store, and adds a sandbox check that scans PowerShell window titles for analyst tools. These changes signal a clear move toward long-term stealth over rapid feature growth. Two practical consequences for analysts follow: an embedded root bundle means the malware will fail certificate validation behind a TLS-inspection proxy whose CA lives only in the system store, so capturing its traffic requires patching the bundle or hooking the TLS library; and the window-title check means detonation VMs should not run tools with recognizable names in visible PowerShell windows.

KuinaExtractor Uses Telegram Exfiltration, UAC Bypass, and Sandbox Detection

When KuinaExtractor was rebuilt in January 2026, exfiltration moved from Discord webhooks to a Telegram bot, giving the operator more control and making the traffic harder to flag: Bot API calls are ordinary HTTPS requests to api.telegram.org, so in environments where Telegram has no business use, that hostname alone is a reasonable block or alert condition. At the same time, the single UAC bypass from the first build was replaced by a function-pointer table offering seven separate bypass techniques, so the malware can fall back to another privilege-escalation path if one is blocked.

The January rewrite also added extensive reconnaissance before any data theft begins: eight hardware queries via WMIC, WiFi network enumeration, a Windows Credential Manager dump, and victim IP geolocation all run ahead of the main theft routine. The malware also includes a loop designed to disable Microsoft Defender. By March 2026, browser coverage had grown to around 40 applications, and the UAC bypass had shifted to the SilentCleanup technique, which abuses the auto-elevating SilentCleanup scheduled task.

Parallel Experiments and Abandoned Projects

While developing the main stealer, the same operator ran two side projects that were later dropped. The first, KuinaCookieExtractor, targeted platforms including Minecraft, FileZilla, and Telegram session data, exfiltrating over Discord rather than Telegram.
It was visible for roughly two weeks. A second experiment called "Zenith" briefly appeared as a debug build that left detailed logs on the victim's desktop and used a control panel at a Vietnamese IP address before being abandoned. These experiments show an operator who tests ideas actively, then discards what does not fit the main plan.

The consistent reuse of code markers, build usernames, and Telegram handles across all projects ties every experiment back to the same individual. Security teams monitoring this family should treat any sample carrying these shared markers as part of the same threat actor's activity, regardless of the name displayed in the binary.

Indicators of Compromise (IoCs)

Type | Indicator | Description
IP Address | 103.229.53[.]18:3000 | "Zenith Stealer" C2 panel hosted on Vietnamese AS135918 (Viet Digital Technology)
File Path | %USERPROFILE%\Desktop\zenith_debug.txt | Debug log file written by the Zenith experiment debug build
Mutex Name | Kuina_Intel(R) 82574L Gigabit Network Connection | Mutex used by the Zenith debug build, disguised as a network adapter name
Build Alias / Handle | kuina1999 | Operator handle found across multiple builds and experiments
Build Alias / Handle | k0to | New alias used in the June 2026 rebrand of KuinaExtractor
Sentinel Value | KUNA_UAC_BYPASS_ATTEMPTED | Custom sentinel used in KuinaCookieExtractor builds
IOC Repository | https://github.com/threatray/threat-research/tree/main/2026-06-25-KuinaExtractor | Full IOCs and YARA rules published by ThreatRay

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
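The 28-byte XOR string wrapping described above is the kind of obfuscation an analyst can strip with a single known plaintext. The Python below is an added example written for this page, not code from the article, from ThreatRay, or from any KuinaExtractor sample. It reads "28-byte XOR" as a repeating 28-byte key (an assumption; the page does not describe the scheme further), builds a constructed blob of NUL-separated strings under a made-up key, then recovers the key by sliding a crib at least one key period long over the ciphertext and keeping the offset whose full decryption looks most like text.

```python
"""Recover a repeating 28-byte XOR key from a crib and decode a string blob.

Added example, not code from the article, ThreatRay, or any KuinaExtractor sample.
The key, the strings and the blob layout (NUL-separated strings) are constructed,
and treating "28-byte XOR" as a 28-byte repeating key is an assumption.
"""
import hashlib
from itertools import cycle
from typing import List, Optional, Tuple

KEY_LEN = 28

# Constructed key, derived deterministically so the run is reproducible.
KEY = hashlib.sha256(b"constructed example key").digest()[:KEY_LEN]

# Constructed plaintext strings (not indicators from any sample).
STRINGS = [
    b"Local State",
    b"Login Data",
    b"https://api.telegram.org/bot{token}/sendDocument",
    b"SELECT * FROM Win32_ComputerSystem",
]
BLOB = b"\x00".join(STRINGS) + b"\x00"

# Crib: 28 bytes, i.e. exactly one key period, so one hit exposes the whole key.
CRIB = b"https://api.telegram.org/bot"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# What an analyst would carve out of the binary.
CIPHERTEXT = xor_bytes(BLOB, KEY)


def recover_key(ciphertext: bytes, crib: bytes, key_len: int) -> Optional[Tuple[int, bytes]]:
    """Slide the crib over the ciphertext and return (offset, key) for the best hit.

    At a candidate offset o, ciphertext[o+i] ^ crib[i] == key[(o+i) % key_len], so a
    crib of at least key_len bytes determines every key byte. Every offset yields
    *some* candidate, so offsets are ranked by how printable the full decryption is.
    """
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    best = None  # (score, offset, key)
    for offset in range(len(ciphertext) - len(crib) + 1):
        stream = xor_bytes(ciphertext[offset:offset + len(crib)], crib)
        candidate = bytes(stream[(j - offset) % key_len] for j in range(key_len))
        plain = xor_bytes(ciphertext, candidate)
        # A crib longer than the key also checks that the keystream really repeats here.
        if plain[offset:offset + len(crib)] != crib:
            continue
        score = sum(b == 0 or 0x20 <= b < 0x7F for b in plain) / len(plain)
        if best is None or score > best[0]:
            best = (score, offset, candidate)
    return None if best is None else (best[1], best[2])


def decode_strings(ciphertext: bytes, key: bytes) -> List[str]:
    """Decrypt the blob and split it back into its NUL-separated strings."""
    return [s.decode("latin-1") for s in xor_bytes(ciphertext, key).split(b"\x00") if s]


if __name__ == "__main__":
    hit = recover_key(CIPHERTEXT, CRIB, KEY_LEN)
    if hit:
        offset, key = hit
        print(f"crib at offset {offset}, key {key.hex()}")
        for s in decode_strings(CIPHERTEXT, key):
            print("  ", s)
```

Against a real sample the crib is whatever string you can predict with confidence (an API hostname, a registry path, a format string) and the blob is the carved string table; if the crib is shorter than the key you only recover part of it and need a second crib for the remaining positions.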
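Telegram Bot API and Discord webhook exfiltration both ride on ordinary HTTPS, so the practical detection point is the web proxy. The Python below is an added example for defenders, not code from the article or from ThreatRay: the log lines, the key=value log format, the bot token and the webhook identifier are all constructed, and the URL shapes it matches (a numeric bot id and a secret after /bot, a numeric webhook id under /api/webhooks/) are this example's assumptions about those APIs, not indicators from any sample. It needs the request path, which means TLS inspection or endpoint-side HTTP telemetry; with only SNI or DNS visibility you can match the hostname but not the API method.

```python
"""Flag Telegram Bot API and Discord webhook traffic in web-proxy logs.

Added example for defenders, not code from the article or ThreatRay. Log lines, the
key=value log format, the bot token and the webhook identifier are constructed; the
URL shapes matched below are assumptions about those APIs, not sample indicators.
"""
import re
from typing import Dict, FrozenSet, List

# Constructed identifiers: a numeric bot id, a colon and a long secret; a numeric webhook id.
TOKEN = "1234567890:" + "A" * 35
WEBHOOK = "111111111111111111/AbCdEf-ghIjKl_mnOpQr"

# Constructed proxy log (one request per line).
SAMPLE_LOG = "\n".join([
    "2026-06-26T10:13:58Z host=WS-042 user=alice method=GET url=https://github.com/threatray/threat-research status=200 bytes=18233",
    f"2026-06-26T10:14:03Z host=WS-042 user=alice method=POST url=https://api.telegram.org/bot{TOKEN}/sendDocument status=200 bytes=845213",
    f"2026-06-26T10:14:05Z host=WS-042 user=alice method=GET url=https://api.telegram.org/bot{TOKEN}/getMe status=200 bytes=211",
    f"2026-06-26T10:20:41Z host=WS-017 user=bob method=POST url=https://discord.com/api/webhooks/{WEBHOOK} status=204 bytes=40211",
    "2026-06-26T10:21:02Z host=WS-017 user=bob method=GET url=https://www.roblox.com/home status=200 bytes=9981",
])

LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) method=(?P<http>[A-Z]+) "
    r"url=(?P<url>\S+) status=\d+ bytes=(?P<bytes>\d+)$"
)
TELEGRAM_BOT = re.compile(
    r"^https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<api_method>\w+)"
)
DISCORD_WEBHOOK = re.compile(
    r"^https://(?:[\w.-]+\.)?discord(?:app)?\.com/api/webhooks/(?P<hook_id>\d+)/(?P<hook_token>[\w-]+)"
)
# Bot API methods that carry a payload out; anything else (getMe, getUpdates) is still
# worth a look but is not by itself an upload.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMessage"}


def scan(log_text: str, approved_hosts: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Return one finding per Telegram-bot or Discord-webhook request, hosts in
    approved_hosts excluded. The bot secret and webhook token are deliberately not
    copied into the finding so they do not leak into tickets or dashboards."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["host"] in approved_hosts:
            continue
        base = {"ts": m["ts"], "host": m["host"], "user": m["user"], "bytes": int(m["bytes"])}
        tg = TELEGRAM_BOT.match(m["url"])
        if tg:
            uploading = m["http"] == "POST" and tg["api_method"] in UPLOAD_METHODS
            findings.append({**base, "channel": "telegram-bot", "id": tg["bot_id"],
                             "api_method": tg["api_method"],
                             "severity": "high" if uploading else "medium"})
            continue
        dc = DISCORD_WEBHOOK.match(m["url"])
        if dc:
            findings.append({**base, "channel": "discord-webhook", "id": dc["hook_id"],
                             "api_method": "webhook",
                             "severity": "high" if m["http"] == "POST" else "medium"})
    return findings


def block_patterns(findings: List[Dict]) -> List[str]:
    """URL-prefix patterns to push to the proxy, one per distinct bot or webhook."""
    patterns = set()
    for f in findings:
        if f["channel"] == "telegram-bot":
            patterns.add(f"api.telegram.org/bot{f['id']}:*")
        else:
            patterns.add(f"discord.com/api/webhooks/{f['id']}/*")
    return sorted(patterns)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:<6} {f['host']:<7} {f['channel']:<16} {f['api_method']:<13} {f['bytes']:>8} B")
    print("block:", block_patterns(scan(SAMPLE_LOG)))
```

The full token is worth preserving in the threat-intelligence platform (it identifies the operator's bot for reporting and takedown), which is why this scanner keeps only the numeric id in the finding and leaves the secret in the raw log.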
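The pre-theft reconnaissance burst (eight WMIC hardware queries in quick succession) is itself a detection opportunity, independent of which queries the malware runs. The Python below is an added example, not code from the article or from ThreatRay: the process-creation events are constructed, their fields only loosely mirror Sysmon Event ID 1, and the threshold of four distinct queries within 60 seconds from one parent is an assumed tuning value, not something the page states.

```python
"""Detect a burst of distinct WMIC queries from one parent process.

Added example for defenders, not code from the article or ThreatRay. The events are
constructed and only loosely mirror Sysmon Event ID 1 fields; the threshold (four
distinct queries within 60 seconds from one parent) is an assumed tuning value.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

WMIC_IMAGE = r"C:\Windows\System32\wbem\WMIC.exe"
DROPPER = r"C:\Users\alice\Downloads\setup.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events: one unknown binary fires five distinct hardware
# queries in under two seconds (one of them twice); an admin shell runs a single query.
EVENTS = [
    {"time": "2026-06-26 10:14:01.100", "ppid": 4412, "parent": DROPPER, "image": WMIC_IMAGE, "cmd": "wmic computersystem get manufacturer,model"},
    {"time": "2026-06-26 10:14:01.350", "ppid": 4412, "parent": DROPPER, "image": WMIC_IMAGE, "cmd": "wmic bios get serialnumber"},
    {"time": "2026-06-26 10:14:01.600", "ppid": 4412, "parent": DROPPER, "image": WMIC_IMAGE, "cmd": "wmic   cpu get name"},
    {"time": "2026-06-26 10:14:01.900", "ppid": 4412, "parent": DROPPER, "image": WMIC_IMAGE, "cmd": "wmic diskdrive get model,size"},
    {"time": "2026-06-26 10:14:02.200", "ppid": 4412, "parent": DROPPER, "image": WMIC_IMAGE, "cmd": "WMIC computersystem get manufacturer,model"},
    {"time": "2026-06-26 10:14:02.500", "ppid": 4412, "parent": DROPPER, "image": WMIC_IMAGE, "cmd": "wmic path win32_videocontroller get name"},
    {"time": "2026-06-26 10:14:02.800", "ppid": 4412, "parent": DROPPER, "image": r"C:\Windows\System32\netsh.exe", "cmd": "netsh wlan show profiles"},
    {"time": "2026-06-26 10:30:12.000", "ppid": 2208, "parent": POWERSHELL, "image": WMIC_IMAGE, "cmd": "wmic os get caption"},
]

# Accepts bare "wmic", "wmic.exe", or a full, possibly quoted, path; captures the query.
WMIC_CMD = re.compile(r'^"?(?:[^"\s]*[\\/])?wmic(?:\.exe)?"?\s+(?P<query>.+)$', re.IGNORECASE)


def query_key(cmd: str) -> Optional[str]:
    """Normalise a WMIC command line to its query text so repeats compare equal."""
    m = WMIC_CMD.match(" ".join(cmd.split()))
    return m["query"].lower() if m else None


def detect_wmic_bursts(events: List[Dict], min_distinct: int = 4,
                       window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """One alert per parent process that issues min_distinct or more distinct WMIC
    queries inside any sliding window of the given length."""
    by_parent = defaultdict(list)
    for e in events:
        if not e["image"].lower().endswith("wmic.exe"):
            continue
        q = query_key(e["cmd"])
        if q is None:
            continue
        ts = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S.%f")
        by_parent[(e["ppid"], e["parent"])].append((ts, q))

    alerts = []
    for (ppid, parent), rows in by_parent.items():
        rows.sort()
        best = None  # (first, last, distinct queries) for the densest window
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            distinct = sorted({q for _, q in rows[start:end + 1]})
            if best is None or len(distinct) > len(best[2]):
                best = (rows[start][0], rows[end][0], distinct)
        if best and len(best[2]) >= min_distinct:
            alerts.append({"ppid": ppid, "parent": parent, "first": best[0],
                           "last": best[1], "queries": best[2]})
    return alerts


if __name__ == "__main__":
    for a in detect_wmic_bursts(EVENTS):
        span = (a["last"] - a["first"]).total_seconds()
        print(f"{a['parent']} (pid {a['ppid']}): {len(a['queries'])} distinct WMIC queries in {span:.1f}s")
        for q in a["queries"]:
            print("   ", q)
```

Keying on the parent rather than on wmic.exe itself is what separates a stealer's fingerprinting loop from an administrator's one-off query; in practice you would also weight parents that run from user-writable paths, as the constructed dropper here does, and note that wmic.exe is deprecated in Windows 11, so on current builds its appearance at all is worth a look.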