A Kpot Analysis

So a little introduction. Kpot Stealer is a piece of malware designed to steal credentials and other sensitive information (such as licence keys) from Windows machines. Kpot was initially discovered on Russian-language hacking forums.

Throughout the last few days, with the help of individuals in the security community, I was able to access the database files and web interface of a successful malware campaign. These databases contained over 200,000 credentials, along with other information about the victims.

In this post, I am going to cover how the command and control server was discovered, how I found the databases, and how a vulnerability led to the destruction of the data on the web server. I will also cover how the malware spread and other bits of information I have learnt.

