This new Windows malware sneakily extracts passwords and your keystrokes — how to stay safe

Dell XPS 13 Plus (2023) review unit on a coffee table running Windows 11
(Image credit: Future)

A new open-source Windows malware strain which can covertly steal passwords and other sensitive data is currently making the rounds online.

As reported by the cybersecurity firm Cyble in a blog post, this new info-stealing malware has been dubbed Exela and it uses the Discord client for Windows to send stolen data back to the hackers behind this campaign.

Besides stealing login credentials, personal data and even financial information, the malware is also capable of stealing session details from a wide range of popular apps and online services including social media and gaming platforms.

The Exela Stealer was first spotted on VirusTotal by security researchers at Cyble on September 14. However, the initial version of this malware was created and uploaded to GitHub back in May of this year. In the time since, new capabilities have been added to Exela and the malware also has its own official Telegram channel.

What sets Exela Stealer apart from other Windows malware though is how it uses Discord to exfiltrate stolen data from infected PCs.

Sending stolen data through Discord

Discord on a phone and a laptop

(Image credit: Shutterstock)

Once downloaded on a computer, Exela’s builder will only run if a compatible version of Python (version 3.10.0 or 3.11.0) is installed on the machine. If this is the case, the builder then starts the process of creating an executable or .exe file.

Besides credentials, the malware can also steal credit card information, cookies and other browser data while logging keypresses and taking screenshots of the system.

When the malware’s builder batch file inside the Exela setup folder is executed, a Discord webhook URL is required to proceed. If a victim doesn’t provide this URL, an error message is displayed until they do.

The Exela Stealer uses this Discord webhook URL to act as a remote server for the hackers who have deployed the malware. Essentially, the webhook is used to send all of a victim’s stolen data back to the hackers.

After being fully installed on a victim’s PC, Exela Stealer achieves persistence by copying itself into a new directory in their local app data folder. It also adds a startup entry in Windows Registry so that the malware continues to run even after the infected PC is rebooted.

Exela Stealer then targets any Chromium-based web browsers like Chrome, Edge, Brave, Opera or Vivaldi that are installed on a victim’s computer. Besides credentials, the malware can also steal credit card information, cookies and other browser data while logging keypresses and taking screenshots of the system. Exela Stealer can steal loads of info from social media platforms including Instagram, X, TikTok and Reddit along with data from both Steam and Roblox.

All of this stolen data is then sent back to the hackers behind Exela Stealer who can use it to commit fraud or even identity theft.

How to stay safe from Windows malware


(Image credit: solarseven/Shutterstock)

There are several steps you can take to stay safe from Windows malware but most importantly, you need to be extra careful when visiting certain websites and downloading new software.

You want to be on the lookout for major red flags like spelling and grammar mistakes that indicate that the site you’re visiting is actually a phishing page. Likewise, you only want to download new software for your PC from reputable sources like the Windows Store or directly from the company that makes it. Piracy not only hurts developers but you’re more likely to come down with a bad malware infection when you try to download games or software illegally.

These steps can help you avoid running into Windows malware in the first place but to keep your PC protected, you should also be using the best antivirus software on your computer. Microsoft Defender works well enough if you’re on a tight budget but it just can’t match the features and regular updates that you get with a paid antivirus.

At the moment, the Exela Stealer is being distributed through phishing pages and websites offering free software downloads. However, given the malware’s capabilities, cybercriminals could devise new distribution methods going forward, so it’s certainly worth keeping an eye on.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.