MeltStealer is an open-source C# data-extraction tool
maintained at github.com/Vorolski/melt-stealer. The
builder packs a Telegram bot API token plus chat ID and
exfiltrates harvested data through the Telegram Bot API.
ANY.RUN tracks the family in its sandbox database with
documented behaviours: credential theft from web browsers,
system-information collection (Windows installation date,
computer name, machine GUID, environment values), and
general data exfiltration.
The harvest scope per the project README covers passwords
and cookies, credit cards, cryptocurrency wallets and
mnemonics, browser extensions, Wi-Fi networks, gaming
session tokens (Steam, Minecraft), VPN configurations,
Discord tokens, screenshots and webcam captures, process
lists, and registry information. The panel-side
Information.txt opens with the verbatim
📋 MeltStealer - Report: clipboard-emoji banner and
ships a 15-field emoji-prefixed identity block (Date /
System / Username / CompName / CPU / RAM / IP / Location
/ Zip Code / Coordinates / Timezone / ISP / Organization
/ AS) plus six section blocks (Browsers / Software /
Device / File Grabber / Domains info / Installation) with
U+221F right-angle-arrow sub-items per section.
Also known as: melt-stealer, Melt Stealer
Variants observed: 1
Top attribution confidence: high
- Browser saved credentials (Chrome, Brave, Edge, Firefox, Opera variants)
- Browser cookies, autofill, history, bookmarks, downloads, extensions
- Credit card data
- Cryptocurrency wallets and seed-phrase mnemonics
- Discord tokens
- Steam and Minecraft session data
- VPN client configurations
- Wi-Fi network credentials
- Windows product key, screenshots, webcam captures
- Process lists and selected registry values
- System fingerprint (CPU, RAM, OS version, IP, ISP, ASN)
Attribution confidence: high
Filenames: Information.txt
Sample (sanitized):
📋 MeltStealer - Report:
📅 Date: 2025-12-01 <ip>
💻 System: Microsoft Windows NT 6.2.9200.0
👤 Username: Pixel
🖥️ CompName: DESKTOP-9KA1BNT
🧠 CPU: AMD Ryzen 3 3200G with Radeon Vega Graphics
💾 RAM: 6 GB
🌐 IP: <ip>
🗺️ Location: Buenos Aires, Buenos Aires, Argentina
📮 Zip Code: 1772
🧭 Coordinates: -36, -59,9964
⏰ Timezone: America/Argentina/Buenos_Aires
🔌 ISP: Telecom Argentina S.A.
🏢 Organization: Telecom Argentina S.A
🔧 AS: AS7303 Telecom Argentina S.A.
🌐 Browsers:
∟ Passwords: 209
∟ Cookies: 42
∟ AutoFill: 530
∟ History: 21990
∟ Bookmarks: 68
∟ Downloads: 866
∟ Extensions: 9
💿 Software:
🔌 Device:
∟ Windows product key
∟ Desktop screenshot
📁 File Grabber:
🔍 Domains info:
∟ Banking services (No data)
∟ Cryptocurrency services (No data)
∟ Porn websites
⚙️ Installation:
∟ Startup disabled
∟ Clipper not installed
∟ Keylogger not installed
The opening 📋 MeltStealer - Report: banner is the
familys verbatim self-identification and the cleanest fingerprint anchor. The U+1F4CB CLIPBOARD emoji prefix plus the MeltStealer - Report:literal cannot collide with any other documented family. Pairing with the🗺️ Location:geo field confirms the body matches the panel template rather than a CTI report quoting the banner. During triage, the⚙️ Installation:section flagsClipper installedandKeylogger installed` for
modules the operator enabled on the build; check those
flags to understand the active feature set on this
specific victim.