Infostealers are among the most profitable malware for cybercriminals.
Cybercriminals generally prefer tried and tested recipes for intercepting information and data that they already know work.
However, even though infostealers are considered tried and tested and proven effective, these software programs continue to evolve.
From Sharp Stealer to Sharpil RAT
The most recent infostealer is Sharp Stealer, and its newest version is Sharpil RAT.
It is an unencrypted .NET application written in C#, runs in the background, and immediately attempts to connect to a Telegram bot.
This bot communicates with the attacker and sends commands to collect information such as:
- System information
- Information about installed browsers (Chrome, Yandex, Brave, Edge, etc.)
- Geographic location of the victim
It uses the ParseLastMessage method to read JSON from the Telegram API and extract the last command.
RAT or just a sophisticated stealer?
Although Sharpil RAT is classified as a RAT (Remote Access Trojan), its function is closer to a stealer, as it does not provide full remote control of the system, but mainly data extraction.
Its self-proclaimed creator sells Sharp Stealer for $10 (rental) or $30 (permanent license), claiming it is a lightweight .NET application that sends data directly to the Telegram bot, without using a server.
More Advanced Versions Are Already Being Detected
Malware was detected on VirusTotal that shares the same code and style as Sharpil RAT, but with additional capabilities:
- Encryption with the Bcrypt library
- Renaming variables to hide functionality
- Expanded data collection, such as:
  - System information and browsers
  - Discord tokens, email, and payments
  - Gaming accounts (Epic Games, Steam, Roblox, Ubisoft, Minecraft, VimeWorld)
  - Messengers (Telegram, Viber)
  - VPN clients (CyberGhost, ProtonVPN, NordVPN, etc.)
  - Crypto wallets
  - FTP clients (FileZilla, Total Commander)
The data is archived in a ZIP file and sent to Telegram.
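Both behaviours described above (polling the Telegram Bot API for commands, then pushing the archive back through the same bot) leave a distinctive trace in web proxy logs: requests to api.telegram.org/bot<token>/<method> from a process that is not a browser or the Telegram desktop client (which speaks MTProto, not the Bot API). The following is an added detection example, not code from the article or from the malware; the log format and all sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed proxy log, one request per line: <timestamp> <host> <process> <verb> <url>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ws-17 chrome.exe GET https://example.com/
2024-05-01T10:00:05Z ws-17 Updater.exe GET https://api.telegram.org/bot123456789:AAExampleTokenValue/getUpdates?offset=42
2024-05-01T10:00:10Z ws-17 Updater.exe GET https://api.telegram.org/bot123456789:AAExampleTokenValue/getUpdates?offset=43
2024-05-01T10:00:15Z ws-17 Updater.exe POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendDocument
2024-05-01T10:01:00Z ws-22 telegram.exe GET https://telegram.org/
"""

# Bot API URLs embed the bot token as /bot<numeric id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

# What each Bot API method means for a stealer: pull commands vs. push stolen data
C2_METHODS = {
    "getUpdates": "command polling",
    "sendDocument": "file exfiltration",
    "sendMessage": "data exfiltration",
}

def parse_line(line):
    """Return a Bot API event for one log line, or None if the line is irrelevant."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5:
        return None
    ts, host, proc, _verb, url = parts
    m = BOT_API_RE.search(url)
    if not m:
        return None
    # Keep the bot id (useful to correlate hosts talking to the same bot),
    # but never log the full secret: the token grants control of the bot.
    return {"ts": ts, "host": host, "process": proc, "bot_id": m["bot_id"],
            "secret_hint": m["secret"][:4] + "...", "method": m["method"]}

def find_bot_api_activity(log_text):
    """Group Bot API calls per (host, process) and label the C2 roles observed."""
    per_proc = {}
    for event in filter(None, map(parse_line, log_text.splitlines())):
        key = (event["host"], event["process"])
        info = per_proc.setdefault(key, {"bot_id": event["bot_id"],
                                         "secret_hint": event["secret_hint"],
                                         "methods": Counter()})
        info["methods"][event["method"]] += 1
    return [{"host": h, "process": p, "bot_id": i["bot_id"], "secret_hint": i["secret_hint"],
             "methods": dict(i["methods"]),
             "roles": sorted({C2_METHODS[m] for m in i["methods"] if m in C2_METHODS})}
            for (h, p), i in per_proc.items()]
```

A process that both polls getUpdates and calls sendDocument matches the command-then-archive pattern the article describes, and the shared bot_id lets responders find every host reporting to the same operator.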
Conclusion
The Sharp Project has not yet gained widespread popularity, does not show significant activity on darknet forums, and does not include mechanisms for hiding from antivirus or sandbox environments.
It is still young and immature, but if it continues to evolve, we may see it spread in the future.