BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
Global rank
42 infographic chevron month
Month rank
34 infographic chevron week
Week rank

Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps.

1 May, 2023
First seen
15 July, 2024
Last seen

How to analyze Exela Stealer with ANY.RUN

1 May, 2023
First seen
15 July, 2024
Last seen


IP addresses
Last Seen at
Last Seen at

Recent blog posts

post image
What Are the 3 Types of Threat Intelligence D...
watchers 138
comments 0
post image
Expert Q&A: Aaron Fillmore on his Cyberse...
watchers 156
comments 0
post image
Malware Trends Report: Q2, 2024 
watchers 1623
comments 0

What is malware: Exela Stealer?

Exela Stealer, an open-source Python-based stealer, has been extensively used to target victims’ Discord accounts and browsers to steal sensitive data. This malware was first uploaded to GitHub in May 2023 and has since evolved with additional features.

Despite providing a note about the program being intended for educational purposes, the creators also sell a paid version of the software, which, according to their claims, possesses superior evasion capabilities. This premium version of Exela Stealer is distributed using the common malware-as-a-service (MaaS) model based on a subscription similar to other malware families. Such examples include Formbook and XWorm.

However, according to the message posted on February 10, 2024, in their Telegram channel, the malware’s developer announced that both the free and paid versions would not receive any further updates.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

Exela Stealer malicious software technical details

Exela Stealer is a sophisticated tool that can collect a wide range of sensitive information from compromised systems:

  • Discord Injection: Exela Stealer can inject malicious code into the Discord client to obtain tokens, passwords, and email addresses.
  • Browser Data: The stealer can acquire various data from web browsers, cookies, including bookmarks, passwords, browsing history, and downloaded files.
  • Screenshot Capture: The stealer can capture screenshots from all monitors connected to the compromised system. This feature allows the attacker to visually monitor the user's activities.
  • Cryptocurrency and Wallet Information: Exela Stealer can scan the system to obtain cryptocurrency and wallet information stored in web browsers. This can potentially allow the attacker to misappropriate the user's cryptocurrency funds.
  • Autofill Data: The stealer can gain access to autofill data from web browsers. This includes personal information, such as names, addresses, phone numbers, and email addresses.
  • Session Files: Exela Stealer can get hold of session files from various applications, including Telegram, Uplay, Epic Games, Growtopia, Instagram, Twitter, TikTok, Twitch, Spotify, Riot Games, Reddit, Roblox, and Steam. This can provide the attacker with unauthorized access to the user's accounts on these platforms.

It can display fake error messages, as well as detect processes and system settings related to debugging or virtualization. For instance, it can determine the machine’s Universally Unique Identifier (UUID) and then check if it matches any entry on its list of known UUIDs.

Exela Stealer ensures its persistence by enabling automatic execution upon the user’s system login. It can either add an entry to the Windows Registry or create scheduled tasks.

Exela Stealer exfiltrates the data collected from compromised systems via a Discord webhook URL, sending it to the attacker.

Exela Stealer attack execution process

To observe the behavior of Exela Stealer on an actual system, we can upload its sample to the ANY.RUN sandbox for in-depth analysis.

Exela Stealer operates through a sophisticated execution chain involving several stages. Initially, it may be delivered via phishing emails or through compromised websites. Once a user unwittingly downloads and executes the malware, it establishes persistence by modifying system settings or creating new autostart entries in the Windows registry.

Next, Exela Stealer typically employs obfuscation techniques to evade detection by security software, such as encryption or code obfuscation. It then begins its primary function of exfiltrating sensitive information from the infected system, such as login credentials, credit card numbers, or personal documents.

Finally, the stolen data is transmitted to a remote command and control server controlled by the attackers, where it can be used for various malicious purposes, including identity theft or financial fraud. Throughout this execution chain, Exela Stealer aims to operate discreetly to maximize its effectiveness and avoid detection by security measures.

Exela processes shown in ANY.RUN Exela Stealer's processes demonstrated in ANY.RUN

In our example, we can observe that the malware utilizes various system utilities to obtain information about the list of running processes. Additionally, it conducts system language discovery by checking the languages supported by the infected system, modifies file attributes, and gathers various other details about the infected system and its users.

Exela Stealer malware distribution methods

Since the free version of the malware is widely accessible, any ill-intentioned individual can use it to attempt to infect machines of other users. Exela Stealer usually ends up on victims’ computers through phishing emails or messages. Attackers craft these to appear as if they were written by legitimate entities, such as trusted organizations. These messages often contain malicious attachments that, after executing, cause the Exela stealer infection on their machine.


Exela Stealer poses a significant threat to digital security due to its sophisticated tactics for stealing sensitive information. Its ability to leverage legitimate platforms like Discord and its continuous evolution underscore the importance of having proper security tools.

ANY.RUN is a cloud-based sandbox for detecting and analyzing threats, such as Exela Stealer, that offers detailed reports on their technical characteristics. The service lets you examine any suspicious file and check potentially harmful URLs, ensuring informed decision-making and prompt deletion of any malware, as well as proper protection of your infrastructure.

Create your ANY.RUN account – it’s free!


Adwind screenshot
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy