HOMETHREATSCreal Stealer
APT / THREAT GROUP

Creal Stealer

2
aliases
Last seen:Mar 17, 2026

Intelligence Profile

Creal is an open-source grabber/credential stealer that was originally made by a GitHub user named Ayhuuu, who even advertised a "premium" version on his now-deleted Telegram channel @Crealstealer. To the day of release, it was already not FUD, but its open-source nature made it attractive for threat actors to modify the base malware and even obfuscate it for less detection ratios. The base project came with a compiler, and the general source code the compiler used was PyInstaller for compilation into native formats like exe. For C2, Discord webhooks were utilized, which in later versions got protected with a service called https://stealer.to to make deletion not possible.

It Compromised following Data on Execution:

* Discord Information

* Browser Data

* Crypto Related Data

* Steam

* Riot Games

* Telegram

* System Information

* Tokens/Secrets

Threat Analysis

Creal Stealer is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

External References

Quick Facts

TypeAPT / Threat Group
Aliases2

Also Known As

py.creal_stealerCreal Stealer

External Intelligence

Malpedia: py.creal_stealer

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
Creal Stealer — APT / Threat Group | Threat Intelligence | CTIWATCH.COM