KuinaExtractor: Rust-Based Infostealer Evolves Over Six Months with Telegram Exfiltration and Stealth Upgrades
Researchers have tracked a Rust-based infostealer named KuinaExtractor that evolved across four development stages since December 2025, adding Telegram exfiltration, sandbox detection, and multiple UAC bypass techniques.

A newly uncovered infostealer called KuinaExtractor has been quietly evolving for over six months, posing a serious and growing threat to users across multiple platforms. Written in the Rust programming language, the malware targets browser data, cryptocurrency wallets, and credentials for popular services including Roblox, Steam, and Discord. What makes this threat particularly concerning is how rapidly it has matured, moving from a rough early build to a polished, stealthy tool in a matter of months.
KuinaExtractor first appeared in December 2025 and has since gone through four distinct development stages, each adding new capabilities and deeper evasion techniques. The malware's author appears to be a Vietnamese-speaking developer, with Vietnamese-language text found throughout the code, including debug output and system messages. A command-and-control panel hosted in Vietnam and the targeting of the Vietnamese CocCoc browser further support this assessment, though researchers note these are supporting signals rather than firm proof.
Analysts at ThreatRay identified and tracked KuinaExtractor across six months by comparing code similarities at the function level, allowing them to link dozens of samples into a single malware family. The same markers appeared repeatedly across builds, including shared mutex names, build-host paths left inside binaries, and a consistent set of Telegram contact handles tied to the alias "Kuina," which was later replaced by "k0to." The malware's development path is unusually clear and deliberate.
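To make the clustering approach concrete, here is an added Python example of how static markers of the kind named above (mutex names, build-host paths and usernames, Telegram handles) can be pulled out of raw sample bytes and used to link builds into one family even after a rename. This is illustrative code written for this page, not ThreatRay's tooling and not code from the malware; the regex shapes, the sample byte blobs and every marker value in them are constructed placeholders, not real indicators.

```python
import re
from collections import defaultdict

# Regexes for the marker classes the tracking relied on.  The shapes
# (Global\ mutex prefix, Rust source path under C:\Users, t.me/ handle)
# are assumptions for this example, not the family's real patterns.
MARKER_PATTERNS = {
    "mutex":      re.compile(rb"Global\\[A-Za-z0-9_]{6,}"),
    "build_user": re.compile(rb"C:\\Users\\([A-Za-z0-9_]+)\\"),
    "build_path": re.compile(rb"C:\\Users\\[A-Za-z0-9_]+\\[^\x00]{0,80}?\.rs"),
    "tg_handle":  re.compile(rb"t\.me/[A-Za-z0-9_]{5,32}"),
}


def extract_markers(blob: bytes) -> set[str]:
    """Return 'kind:value' markers found in a sample's raw bytes."""
    found = set()
    for kind, pat in MARKER_PATTERNS.items():
        for m in pat.findall(blob):
            found.add(f"{kind}:{m.decode('latin-1')}")
    return found


def shared_markers(a: bytes, b: bytes) -> set[str]:
    """Markers two samples have in common (the evidence for a link)."""
    return extract_markers(a) & extract_markers(b)


def cluster(samples: dict[str, bytes], min_shared: int = 1) -> list[set[str]]:
    """Union-find: two samples join one cluster when they share at least
    `min_shared` markers.  Chains (A~B, B~C) land together even when A and
    C share nothing directly, which is how a renamed build stays attributed
    to the original project."""
    markers = {name: extract_markers(blob) for name, blob in samples.items()}
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    names = list(samples)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if len(markers[a] & markers[b]) >= min_shared:
                parent[find(a)] = find(b)
    groups = defaultdict(set)
    for name in names:
        groups[find(name)].add(name)
    return sorted(groups.values(), key=lambda s: sorted(s))


# Constructed stand-ins for string regions of four binaries (NOT real IOCs).
SAMPLES = {
    "build_dec": (b"\x00Global\\ExampleMutex01\x00"
                  b"C:\\Users\\dev_one\\proj\\src\\main.rs\x00"
                  b"t.me/example_handle_a\x00"),
    "build_jan": (b"\x00Global\\ExampleMutex01\x00"
                  b"C:\\Users\\dev_one\\proj2\\src\\exfil.rs\x00"
                  b"t.me/example_handle_b\x00"),
    # Rebranded build: new mutex, no build path, but the same contact handle.
    "build_renamed": (b"\x00Global\\RenamedMutex77\x00"
                      b"t.me/example_handle_b\x00"),
    "unrelated": (b"\x00Global\\OtherMutex99\x00"
                  b"C:\\Users\\someone\\tool\\src\\main.rs\x00"
                  b"t.me/unrelated_user\x00"),
}

if __name__ == "__main__":
    for group in cluster(SAMPLES):
        print(sorted(group))
```

The renamed build shares nothing with the December sample directly, yet lands in the same cluster through the handle it shares with the January rewrite; that transitive linking is the point of tracking several independent marker classes rather than one.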
The earliest builds already included a Chrome App-Bound Encryption (ABE) bypass that impersonated a core Windows process to recover the browser's master encryption key. Exfiltration in those early versions ran through Discord webhooks, and GitHub was used both as a delivery host and as disposable remote infrastructure through GitHub Actions. By June 2026, the developer had rebranded the project under the name "k0to," shifting focus from adding new features to hiding existing ones. The latest build wraps its strings in 28-byte XOR encryption, ships its own certificate roots instead of relying on the system's trusted store, and adds a sandbox check that scans PowerShell window titles for analyst tools.
When KuinaExtractor was rebuilt in January 2026, exfiltration moved from Discord webhooks to a Telegram bot, giving the operator more control and making the traffic harder to flag. At the same time, the single UAC bypass from the first build was replaced by a function-pointer table offering seven separate bypass techniques, allowing the malware to try multiple privilege escalation paths if one is blocked. The January rewrite also added extensive reconnaissance before any data theft began: eight hardware queries using WMIC, WiFi network enumeration, a Windows Credential Manager dump, and victim IP geolocation all ran ahead of the main theft routine.
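The reconnaissance phase described above is something an endpoint telemetry pipeline can catch regardless of the binary's name or its string obfuscation, because it spawns a recognisable burst of child processes and lookups from one parent in a short window. The following Python is an added example of that correlation logic written for this page, not ThreatRay's detection content: it parses constructed, simplified process-creation and network events and raises one alert per parent process that performs several distinct recon categories, or a burst of WMIC hardware queries, within two minutes. The event format, the geolocation hostnames, the tools assumed for WiFi and Credential Manager enumeration, and the thresholds are all assumptions; the article itself only names WMIC explicitly.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified Sysmon-like event lines (not a real log format):
#   <iso-time> proc ppid=<n> cmd="<command line>"
#   <iso-time> net  ppid=<n> dst="<hostname>"
LINE_RE = re.compile(r'^(\S+) (proc|net) ppid=(\d+) (?:cmd|dst)="([^"]*)"$')

# Which command lines count as which recon category.  The WiFi and
# Credential Manager tools are assumptions for this example.
RECON_SIGNATURES = {
    "hw_query":  re.compile(r"^wmic\b.*\b(cpu|csproduct|baseboard|diskdrive|os|bios|memorychip|nic)\b", re.I),
    "wifi_enum": re.compile(r"^netsh\b.*\bwlan\b.*\bshow\b", re.I),
    "cred_dump": re.compile(r"^(vaultcmd|cmdkey)\b.*/list", re.I),
}
# Hostnames treated as IP-geolocation lookups (placeholders, not real services).
GEOIP_HOSTS = {"geoip.example", "whereami.example"}


def classify(kind: str, value: str):
    """Map one event to a recon category, or None if it is not recon."""
    if kind == "proc":
        for cat, pat in RECON_SIGNATURES.items():
            if pat.search(value):
                return cat
    elif kind == "net" and value.lower() in GEOIP_HOSTS:
        return "geo_lookup"
    return None


def parse_line(line: str):
    """Return (timestamp, kind, ppid, value) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), int(m.group(3)), m.group(4)


def detect_recon_burst(lines, window=timedelta(minutes=2),
                       min_categories=3, min_hw_queries=5):
    """Flag a parent process that performs >= min_categories distinct recon
    categories, or >= min_hw_queries WMIC hardware queries, inside `window`.
    The thresholds are tuning assumptions, not values from the report."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # malformed line: skip, do not crash
        ts, kind, ppid, value = parsed
        cat = classify(kind, value)
        if cat:
            events[ppid].append((ts, cat))

    alerts = []
    for ppid, evs in events.items():
        evs.sort()                        # chronological per parent
        for i, (t0, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            cats = {c for _, c in in_window}
            hw = sum(1 for _, c in in_window if c == "hw_query")
            if len(cats) >= min_categories or hw >= min_hw_queries:
                alerts.append({"ppid": ppid, "start": t0, "end": in_window[-1][0],
                               "categories": cats, "hw_query_count": hw})
                break                     # one alert per parent is enough for triage
    return alerts


# Constructed sample telemetry: one suspicious parent (4120) and one
# administrator shell (880) running a single query.
SAMPLE_LOG = """\
2026-01-14T10:02:00Z proc ppid=4120 cmd="wmic cpu get name"
2026-01-14T10:02:01Z proc ppid=4120 cmd="wmic csproduct get uuid"
2026-01-14T10:02:02Z proc ppid=4120 cmd="wmic baseboard get serialnumber"
2026-01-14T10:02:03Z proc ppid=4120 cmd="wmic diskdrive get serialnumber"
2026-01-14T10:02:04Z proc ppid=4120 cmd="wmic os get caption"
2026-01-14T10:02:05Z proc ppid=4120 cmd="wmic bios get serialnumber"
2026-01-14T10:02:06Z proc ppid=4120 cmd="wmic memorychip get capacity"
2026-01-14T10:02:07Z proc ppid=4120 cmd="wmic nic get macaddress"
2026-01-14T10:02:12Z proc ppid=4120 cmd="netsh wlan show profiles"
2026-01-14T10:02:15Z proc ppid=4120 cmd="vaultcmd /list"
2026-01-14T10:02:20Z net ppid=4120 dst="geoip.example"
2026-01-14T10:05:00Z proc ppid=880 cmd="wmic os get caption"
2026-01-14T10:05:30Z proc ppid=880 cmd="notepad.exe C:\\temp\\notes.txt"
this line is malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    for alert in detect_recon_burst(SAMPLE_LOG):
        print(alert)
```

Keying the window on the parent process rather than on each child is what separates this pattern from an administrator running one WMIC query by hand: the lone query from PID 880 never reaches either threshold, while the eleven events under PID 4120 trip both. In a real deployment the same logic maps onto Sysmon process-creation and DNS/network events with the parent process ID as the join key.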
While developing the main stealer, the same operator ran two side projects that were later dropped. The first, KuinaCookieExtractor, targeted platforms including Minecraft, FileZilla, and Telegram session data, exfiltrated over Discord rather than Telegram, and was visible for roughly two weeks. A second experiment, "Zenith," appeared briefly with a debug build that left detailed logs on the victim's desktop and a control panel at a Vietnamese IP address, before being abandoned. The consistent reuse of code markers, build usernames, and Telegram handles across all projects ties every experiment back to the same individual.
Security teams monitoring this family should treat any sample carrying these shared markers as part of the same threat actor's activity, regardless of the name displayed in the binary. ThreatRay has published full IOCs and YARA rules to help defenders detect and track this evolving threat.