Chromium-based Browsers

Browser Directories

360 Browser: %LOCALAPPDATA%\360Browser\Browser\User Data\
7Star: %LOCALAPPDATA%\7Star\7Star\User Data\
Amigo: %LOCALAPPDATA%\Amigo\User Data\
Atom: %LOCALAPPDATA%\Atom\User Data\
BlackHaw: %LOCALAPPDATA%\BlackHaw\User Data\
Brave: %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\
CatalinaGroup Citrio: %LOCALAPPDATA%\CatalinaGroup\Citrio\User Data\
Cent Browser: %LOCALAPPDATA%\CentBrowser\User Data\
Chedot: %LOCALAPPDATA%\Chedot\User Data\
ChomePlus: %LOCALAPPDATA%\ChromePlus\User Data\
Chromium: %LOCALAPPDATA%\Chromium\User Data\
Chromodo: %LOCALAPPDATA%\Chromodo\User Data\
CocCoc: %LOCALAPPDATA%\CocCoc\Browser\User Data\
Comodo Dragon: %LOCALAPPDATA%\Comodo\Dragon\User Data\
Coowon: %LOCALAPPDATA%\Coowon\User Data\
CryptoTab: %LOCALAPPDATA%\Crypto Tab Browser\User Data\
Elements Browser: %LOCALAPPDATA%\Elements Browser\User Data\
Epic Privacy Browser: %LOCALAPPDATA%\Epic Privacy Browser\User Data\
Google Chrome: %LOCALAPPDATA%\Google\Chrome\User Data\
Google Chrome (x86): %LOCALAPPDATA%\Google(x86)\Chrome\User Data\
Google Chrome Beta: %LOCALAPPDATA%\Google\Chrome Beta\User Data\
Google Chrome Canary: %LOCALAPPDATA%\Google\Chrome SxS\User Data\
Google Chrome Dev: %LOCALAPPDATA%\Google\Chrome Dev\User Data\
Iridium: %LOCALAPPDATA%\Iridium\User Data\
Kometa: %LOCALAPPDATA%\Kometa\User Data\
Maxthon: %LOCALAPPDATA%\Maxthon5\Users\
Microsoft Edge: %LOCALAPPDATA%\Microsoft\Edge\User Data\
Netbox: %LOCALAPPDATA%\NetBox\User Data\
Nichrome: %LOCALAPPDATA%\Nichrome\User Data\
Opera: %APPDATA%\Opera Software\Opera Stable\
Opera GX: %APPDATA%\Opera Software\Opera GX Stable\
Opera Neon: %LOCALAPPDATA%\Opera Neon\User Data\
Orbitum: %LOCALAPPDATA%\Orbitum\User Data\
QIP Surf: %LOCALAPPDATA%\QIP Surf\User Data\
QQBrowser: %LOCALAPPDATA%\Tencent\QQBrowser\User Data\
Sputnik: %LOCALAPPDATA%\Sputnik\User Data\
Torch: %LOCALAPPDATA%\Torch\User Data\
Uran: %LOCALAPPDATA%\Uran\User Data\
Vivaldi: %LOCALAPPDATA%\Vivaldi\User Data\
Yandex: %LOCALAPPDATA%\Yandex\YandexBrowser\User Data\
Yandex Beta: %LOCALAPPDATA%\Yandex\YandexBrowserBeta\User Data\
Yandex Canary: %LOCALAPPDATA%\Yandex\YandexBrowserCanary\User Data\
Yandex Dev: %LOCALAPPDATA%\Yandex\YandexBrowserDev\User Data\
Yandex Tech: %LOCALAPPDATA%\Yandex\YandexBrowserTech\User Data\
Yandex SxS: %LOCALAPPDATA%\Yandex\YandexBrowserSxS\User Data\

Target Files

InfoStealers target the following files in the directory of each browser:

Master Key: Local State
Credentials: Default\Login Data
Cookies: Default\Network\Cookies
Autofills: Default\Web Data\
Local Storage: Default\Local Storage\leveldb\
Sessions: Default\Session Storage\
History: Default\History
Extensions: Default\Local Extension Settings\

Extensions

Infostealers obtain sensitive information from LevelDB by targeting browser extension directories.
The following extension ID folders are located within the Default\Local Extension Settings directory.

Authenticator

2!Authenticator: iklgijhacenjgjgdnpnohbafpbmnccek
2FA Authenticator: gmohoglkppnemohbcgjakmgengkeaphi
2FA Authenticator: pnnmjhghimefjdmdilmlhnojccjgpgeh
Authenticator: bhghoamapcdpbohphigoooaddinpkbai
Authenticator: npjilhodcgmigpladpfkkclbmkebalfd
Authenticator app: bbphmbmmpomfelajledgdkgclfekilei
TOTP Authenticator: ibpjepoimpcdofeoalokgpjafnjonkpc
Web2FA: gmegpkknicehidppoebnmbhndjigpica

Password Managers

Avira: caljgklbbfbcjjanaijlacgncafpegll
Bitwarden: nngceckbapebfimnlniiiahkandclblb
Browserpass: naepdomgkenhinolocfifgehidddafch
Dashlane: fdjamakpfbbddfjaooikfcpapjohcfmg
DualSafe: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc
ESET: khhapgacijodhjokkcjmleaempmchlem
Kee: mmhlniccooihdimnnjhamobppdhaolme
KeePassXC: oboonakemofpalcgghocfoadofidjkkk
Keeper: bfogiafebfohielmmehodmfbbebbbpei
LastPass: hdokiejnpimakedhajhdlcegeplioahd
Locker: cmajindocfndlkpkjnmjpjoilibjgmgh
NordPass: eiaeiblijfjekdanodkjadfinkhbfgcd
RoboForm: pnlccmojcmeohlpggmfnbbiapkmbliob
Zoho Vault: pnlccmojcmeohlpggmfnbbiapkmbliob

Crypto Wallets