Threat Actor Characterization
DotStealer
ID: 2cd1f633e008625ef383f152120eff0b69255
DotStealer — Telegram-Centric Information Stealer / Malware-as-a-Service Offering
Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE
Category: Malware / Information Stealer / MaaS-like builder offering
Origin: Unknown; likely transnational cybercrime ecosystem with operator-facing channels tied to @shinyenigma
Author: iQBlack CTI Team
Executive Summary
DotStealer is an information-stealing malware family positioned closer to an operator-friendly commercial stealer/builder than to a one-off commodity sample. Public reporting from 2024 onward describes a Windows-focused stealer that collects browser credentials, cookies, credit-card data, local files, and system information, and that exfiltrates the resulting data through Telegram infrastructure. More recent public traces suggest the family evolved into “DotStealer 2.0/2.1”, adding richer surveillance and operator conveniences such as panel support, app-bound browser key handling, camera/audio capture claims, and cloud-assisted delivery or upload patterns.
The most consistent thread in public reporting is not a well-documented victim campaign but an ecosystem: DotStealer appears to be marketed and maintained through public-facing infrastructure associated with the handle @shinyenigma, with adjacent overlap into the Millenium RAT ecosystem. This makes DotStealer relevant not only as a malware family but as a commercialized access-and-data-theft capability that lowers the barrier to entry for less sophisticated operators. Overall confidence is medium: the public footprint is meaningful but still thinner than for older, more heavily tracked stealers.
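The summary above notes that DotStealer exfiltrates harvested data through Telegram infrastructure. The most actionable detection for that pattern is at the network edge, because a stealer that uses the public Telegram Bot API embeds the operator's bot token in every request URL. The following is an added example, written for this page rather than taken from the report or from DotStealer itself: it scans a constructed, simplified web-proxy log for Bot API calls, extracts the bot token and method, and scores source hosts on upload volume and on `getUpdates` polling (a bot-as-C2 pattern). It assumes only the documented Bot API URL layout (`https://api.telegram.org/bot<token>/<method>`); the exact endpoints, token lengths and thresholds DotStealer uses are not stated on this page, so the regex and the 1 MB threshold are assumptions to tune locally.

```python
"""Flag Telegram Bot API exfiltration in proxy logs.

Added example (not from the original report or from DotStealer). Assumes the
stealer uses the public Telegram Bot API, whose URL layout is documented by
Telegram: https://api.telegram.org/bot<bot_id>:<secret>/<method>.
The log format and every log line below are constructed for this example.
"""
import re
from collections import defaultdict

# Bot token = numeric bot id, a colon, then a secret; published token secrets
# are 34-35 chars of [A-Za-z0-9_-], so the lower bound is kept loose (assumption).
BOT_URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d{6,12}:[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)

# Methods that push files out of the host, and the one a bot-driven C2 polls.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendVoice"}
C2_METHODS = {"getUpdates"}

# Constructed sample proxy log: "<ts> <src_ip> <verb> <url> <status> <bytes_out>"
SAMPLE_LOG = """\
2024-05-01T10:02:11Z 10.0.4.21 POST https://api.telegram.org/bot7123456789:AAHfZq3kX9vLmN0pQrStUvWxYz123456789/sendMessage 200 412
2024-05-01T10:02:14Z 10.0.4.21 POST https://api.telegram.org/bot7123456789:AAHfZq3kX9vLmN0pQrStUvWxYz123456789/sendDocument 200 2893411
2024-05-01T10:03:40Z 10.0.4.21 GET https://api.telegram.org/bot7123456789:AAHfZq3kX9vLmN0pQrStUvWxYz123456789/getUpdates 200 96
2024-05-01T10:05:02Z 10.0.7.8 GET https://web.telegram.org/a/ 200 1523
2024-05-01T10:06:55Z 10.0.9.33 POST https://api.telegram.org/bot6655443322:AAEk4jd8sLq2mP0xR7nT5vW9yB1cD3fG6hJ/sendDocument 200 48211
"""


def parse_line(line):
    """Split one constructed proxy-log line into a record."""
    ts, src, verb, url, status, nbytes = line.split()
    return {"ts": ts, "src": src, "verb": verb, "url": url,
            "status": int(status), "bytes": int(nbytes)}


def find_bot_api_hits(log_text):
    """Return one record per request that carries a Bot API token in its URL.

    Ordinary Telegram client traffic (web.telegram.org, the desktop app's MTProto
    endpoints) never embeds a bot token, so it is not matched.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        m = BOT_URL_RE.match(rec["url"])
        if not m:
            continue
        rec["token"] = m.group("token")
        rec["bot_id"] = rec["token"].split(":", 1)[0]
        rec["method"] = m.group("method")
        hits.append(rec)
    return hits


def score_hosts(hits, upload_threshold=1_000_000):
    """Group Bot API hits per source host and explain why each one looks like exfil.

    Signals (generic assumptions about Telegram-exfil stealers, not DotStealer facts):
      - any upload method -> data leaving the host through the bot
      - bytes_out on uploads >= threshold -> likely an archive of harvested data
      - getUpdates from an endpoint -> the host polls the bot for operator commands
    """
    per_host = defaultdict(lambda: {"tokens": set(), "uploads": 0,
                                    "upload_bytes": 0, "polls": 0})
    for h in hits:
        s = per_host[h["src"]]
        s["tokens"].add(h["token"])
        if h["method"] in EXFIL_METHODS:
            s["uploads"] += 1
            s["upload_bytes"] += h["bytes"]
        elif h["method"] in C2_METHODS:
            s["polls"] += 1

    findings = {}
    for src, s in per_host.items():
        reasons = []
        if s["uploads"]:
            reasons.append(f"{s['uploads']} upload(s) via Bot API")
        if s["upload_bytes"] >= upload_threshold:
            reasons.append(f"{s['upload_bytes']} bytes uploaded (>= {upload_threshold})")
        if s["polls"]:
            reasons.append("host polls getUpdates (bot-as-C2)")
        if reasons:
            # bot_id is the pivot: several hosts reporting to one bot id share an operator
            findings[src] = {"bot_ids": sorted(t.split(":", 1)[0] for t in s["tokens"]),
                             "reasons": reasons}
    return findings


if __name__ == "__main__":
    for src, f in score_hosts(find_bot_api_hits(SAMPLE_LOG)).items():
        print(src, f["bot_ids"], "; ".join(f["reasons"]))
```

Two design points worth keeping when adapting this to real logs: the bot id (the part of the token before the colon) is the useful pivot, since every infected host talking to the same operator bot shares it, whereas the secret should be handled as an IOC rather than pasted into tickets; and the host that only opened web.telegram.org is deliberately left unflagged, because blocking or alerting on all Telegram traffic is what makes this class of detection get switched off in practice.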