HackBrowserData
HackBrowserData is an open-source command-line browser data extraction utility used to decrypt and export data stored by popular browsers on Windows, macOS, and Linux. Across the provided reporting, it is consistently described as capable of collecting browser credentials and other browser-resident data, including passwords, cookies, history, credit card data, and related artifacts. Source-code analysis cited in the content indicates it reads predefined browser storage locations and targets fixed credential stores such as Chromium-family Login Data, Network Cookies, and Local State files, as well as Firefox files including cookies.sqlite, key3.db, key4.db, and logins.json.
The tool has been observed or assessed in multiple intrusion contexts. Reporting links its use to PRC-nexus UNC3569 supply-chain and post-compromise activity, where it was used alongside the custom SKYNEEDLE tool to collect browser data, Tencent QQ and WeChat data, system information, and screenshots. It is also described in attacks attributed to Iranian MuddyWater, where the Fooder loader can deploy HackBrowserData as part of a broader espionage toolchain. In BlackCat/ALPHV ransomware intrusions, Cisco Talos assessed that a tool named steal.exe may have been HackBrowserData or a variant. Microsoft also reported a modified HackBrowserData Mach-O FAT binary embedded in a newer XCSSET macOS campaign to steal Firefox data and exfiltrate the resulting archive to command-and-control infrastructure.
The content further places HackBrowserData in the broader ecosystem of credential theft and browser credential dumping under MITRE ATT&CK T1555. It is referenced alongside LaZagne as a commonly used open-source utility for stealing browser credentials, including in attacks against Taiwan critical infrastructure where advanced tools such as LaZagne and HackBrowserData were used to extract NTLM hash passwords. Detection guidance in the content emphasizes that command-line detections are brittle because attackers can modify the binary or rename it, while stronger behavioral detection focuses on unauthorized access to browser credential files. No standalone IOC set specific to HackBrowserData itself is provided in the content.
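The detection guidance above favours watching for unauthorized access to browser credential files over matching a tool name. The following sketch is an added example, not code from the page or from the HackBrowserData project: it flags any non-browser process that opens one of the credential stores named above. The file-access events, the browser process allowlist and the field names are constructed assumptions to be tuned to your telemetry.

```python
"""Behavioural detection sketch: flag non-browser processes that open browser
credential stores. Added example; events and allowlist are constructed."""
import ntpath
import posixpath
from typing import Iterable

# File names HackBrowserData reads (Chromium family and Firefox, per the page).
CREDENTIAL_STORES = {
    "login data", "cookies", "local state",                 # Chromium family
    "cookies.sqlite", "key3.db", "key4.db", "logins.json",  # Firefox
}

# Processes expected to open those files. Assumption: tune per environment.
BROWSER_PROCESSES = {
    "chrome.exe", "msedge.exe", "brave.exe", "firefox.exe",
    "chrome", "google chrome", "firefox", "firefox-bin",
}

def basename(path: str) -> str:
    """Basename that handles both Windows and POSIX paths."""
    return ntpath.basename(path) if "\\" in path else posixpath.basename(path)

def is_suspicious(event: dict) -> bool:
    """True when a non-browser process reads a known credential store.
    Keying on the file rather than the tool name survives renamed binaries."""
    target = basename(event["target"]).lower()
    image = basename(event["image"]).lower()
    return target in CREDENTIAL_STORES and image not in BROWSER_PROCESSES

def flag_events(events: Iterable[dict]) -> list[dict]:
    """Return the subset of file-access events worth alerting on."""
    return [e for e in events if is_suspicious(e)]

# Constructed file-access events (simplified Sysmon/EDR-style fields).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Users\alice\Downloads\updater.exe",  # renamed tool, arbitrary name
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": "/usr/lib/firefox/firefox",
     "target": "/home/bob/.mozilla/firefox/abcd.default/key4.db"},
    {"image": "/tmp/hbd",
     "target": "/home/bob/.mozilla/firefox/abcd.default/logins.json"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for e in flag_events(SAMPLE_EVENTS):
        print("ALERT", e["image"], "->", e["target"])
```

Expect false positives from backup agents and sync clients; add those images to the allowlist or score by process lineage rather than dropping the rule.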
Groups observed using it
2 distinct threat actors attributed by public researchers.
The actor also used a powerful command-line tool, HackBrowserData, for decrypting and exporting browser data – it supports the most popular browsers on the market and can be run on Windows, macOS and Linux.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Credential Access: 2 techniques
The attackers used their custom Golang-based tool, SKYNEEDLE, which is capable of collecting system data, stealing browser information (including Tencent QQ and WeChat data)... The actor also used... HackBrowserData... for decrypting and exporting browser data
Browser Credential Dumping - MITRE ATT&CK T1555: Browser credential dumping is a technique adversaries use to steal credentials from your browsers... Malware such as Redline Stealer, Zaraza bot, and other info stealers have been actively targeting users and organizations to gain access to browser credentials.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
An open-source tool used to collect browser data from multiple browsers except Safari.
Open-source browser data extraction tool repurposed/modified and delivered by XCSSET to collect and export Firefox data (e.g., passwords, history, credit cards, cookies) for exfiltration to C2.
An open-source browser credential extraction tool that reads known browser data paths to dump stored credentials, cookies, and related data.
Tool used to extract browser-stored credentials/data to enable credential theft and escalation.