Mallory

Arkei

Arkei is a Windows information-stealing trojan/password stealer (PSW) referenced as an older commodity stealer whose source code was later sold on forums and reused by other malware families. The content directly links Arkei to credential theft from Chromium-based browsers, including code for decrypting data obtained from Chromium browsers, and places it in the broader stealer category that harvests browser passwords, cookies, payment data, files, and system information. Arkei is also noted as malware that has used XLL files as an infection vector. The same developer was reportedly behind both Arkei and Nocturnal, according to sellers cited in the content. Arkei is especially significant as the code base for later stealers: Vidar is explicitly described as a copycat or fork of Arkei, developed from Arkei source code, and subsequent Arkei-based variants include Oski Stealer and Mars Stealer. The content also states that RETADUP has been observed distributing the Arkei password stealer as a payload, alongside Stop ransomware and HoudRat. High-confidence indicators specific to Arkei itself are not provided in the content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Stealth

1 technique
T1036 Masquerading (evidence: 1)

Their endpoint telemetry and dynamic analysis revealed a chain of processes showing script masquerading, staged payload extraction, and command-and-control communication.

Credential Access

2 techniques
T1555 Credentials from Password Stores (evidence: 2)

The threat’s called “Stealer Trojans” or Password Stealing Ware (PSW), a type of malware designed to steal passwords, files, and other data from victim computers.

T1555.003 Credentials from Web Browsers (evidence: 1)

Collect data from browsers: passwords, autofill data, payment cards, cookies.

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 1)

Again that’s it! The data is ready to be forwarded to the cybercriminals.

T1105 Ingress Tool Transfer (evidence: 1)

The malware has been designed to achieve persistence on Windows computers, install additional malware payloads on infected machines

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Other
1 tracked

Other indicator types observed in public reporting.

Type: uri
Value: masked on the public page (full value available in the app)
Latest sighting: 7 years ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (1)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (5)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.