A new stealthy malware strain named CharlieKirk Grabber is actively targeting Windows systems, with a primary objective of stealing sensitive login credentials, browser cookies, and session data. Discovered by Cyfirma researchers, this infostealer operates as a swift “smash-and-grab” threat, rapidly collecting data and disappearing before users can detect its presence.
The malware is distributed as a Windows executable built with PyInstaller, which bundles the Python interpreter and the malware’s code into a single self-contained file, so Python does not need to be installed on the victim’s machine. Its name and political branding serve as social-engineering bait, with distribution typically occurring through phishing emails, cracked software, game cheat downloads, or deceptive social media lures.
CharlieKirk Grabber Stealer: A Modular and Evasive Threat
The CharlieKirk Grabber stealer exhibits a modular structure facilitated by a builder-style design, according to Cyfirma’s analysis. This modularity allows attackers to freely configure crucial command-and-control (C2) settings, such as integrating with Discord webhooks or Telegram bots. They can also selectively enable or disable specific data collection modules before deploying the final executable.
Once operational on a compromised system, CharlieKirk Grabber begins by profiling the host. It collects essential system information, including the username, hostname, hardware UUID, and external IP address. To gain access to saved password databases, which running browsers keep locked, the malware forcefully terminates browser processes using the Windows TASKKILL utility. The collected data, encompassing passwords, cookies, autofill entries, browsing history, and Wi-Fi credentials, is then compressed into a ZIP archive.
This archive is subsequently uploaded to the GoFile file-hosting platform. A download link for the exfiltrated data is then promptly sent to the attacker over HTTPS through either a Discord webhook or a Telegram bot, so the notification travels over an encrypted channel to a legitimate, widely used service.
Living Off the Land: The Stealth Tactics of CharlieKirk
A significant factor contributing to CharlieKirk Grabber’s evasiveness is its extensive use of legitimate Windows tools, a technique known as “living off the land.” Instead of introducing suspicious third-party files, the malware leverages built-in system utilities for malicious purposes. This includes using NETSH.EXE to retrieve saved Wi-Fi passwords, SYSTEMINFO.EXE to gather hardware and operating system details, and PowerShell to silently add itself to Microsoft Defender’s exclusion list.
By employing these native tools, the malware’s actions can blend seamlessly with routine administrative operations, making it considerably harder for signature-based detection methods to identify it as malicious. This approach significantly aids in bypassing traditional security measures.
To mitigate the threat posed by CharlieKirk Grabber and similar infostealers, organizations are advised to implement robust security practices. Enforcing Multi-Factor Authentication (MFA) across all critical services is a crucial step. Additionally, restricting browser-based password storage through enterprise policy can limit the data available for exfiltration.
Security teams should proactively monitor for signs of compromise. This includes looking for unusual browser process termination events, unexpected outbound HTTPS traffic directed towards platforms like Discord, Telegram, or GoFile, and any suspicious PowerShell activity originating from user-writable directories. Furthermore, blocking the execution of applications from temporary locations, such as %TEMP% and %APPDATA%, using tools like AppLocker or Windows Defender Application Control (WDAC), can prevent malware from running in common staging areas.
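The monitoring advice above, expressed as rule logic over constructed Sysmon-style process and network events; this is an added illustration, not code from Cyfirma or the report. The field names, file paths, and the exact netsh and Add-MpPreference command lines are assumptions made for the example, chosen to match the behaviours the report describes.

```python
import re

# Constructed Sysmon-like process-creation and network events. Field names,
# paths and command lines are assumptions for this example, not report data.
EVENTS = [
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "update.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM chrome.exe /IM msedge.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show profile name=HomeWiFi key=clear",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Local\Temp",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "dest_host": "discord.com", "dest_port": 443},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default", "parent": r"C:\Windows\explorer.exe"},
]
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe")
EXFIL_HOSTS = ("discord.com", "discordapp.com", "api.telegram.org", "gofile.io")
USER_WRITABLE = re.compile(r"\\appdata\\(local|roaming)\\", re.I)  # %TEMP%, %APPDATA%

def evaluate(event):
    """Return the names of the detection rules this single event matches."""
    hits, image, cmd = [], event["image"].lower(), event.get("cmdline", "").lower()
    if event["type"] == "process":
        if image.endswith("taskkill.exe") and any(b in cmd for b in BROWSERS):
            hits.append("browser_process_kill")        # forced browser termination
        if image.endswith("netsh.exe") and "wlan" in cmd and "key=clear" in cmd:
            hits.append("wifi_credential_dump")        # netsh revealing saved PSKs
        if image.endswith("powershell.exe") and "add-mppreference" in cmd and "exclusion" in cmd:
            hits.append("defender_exclusion_added")    # self-exclusion from Defender
        if USER_WRITABLE.search(image) or USER_WRITABLE.search(event.get("parent", "")):
            hits.append("user_writable_dir_in_chain")  # %TEMP%/%APPDATA% staging
    elif event["type"] == "network" and event.get("dest_port") == 443:
        host = event.get("dest_host", "").lower()
        if any(host == h or host.endswith("." + h) for h in EXFIL_HOSTS):
            hits.append("outbound_to_exfil_service")   # Discord/Telegram/GoFile over HTTPS
    return hits

def scan(events):
    """Map each triggered rule to the event indexes that fired it; many rules in one window is the strong signal."""
    fired = {}
    for i, event in enumerate(events):
        for rule in evaluate(event):
            fired.setdefault(rule, []).append(i)
    return fired
```

Any one rule on its own (a netsh call, a process running from %APPDATA%) will fire on legitimate administration; the point is that the sample chain trips five distinct rules within one short window, which is what an analyst should alert on.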
The report indicates that this threat is still active, with the first observed activity in February 2026. Continued vigilance and the implementation of layered security defenses are essential to counter the evolving tactics of advanced malware like CharlieKirk Grabber.