
Dangerous “Nullpoint-Stealer” on GitHub: A Real Threat Disguised as a Research Tool
In the spring of 2025, the cybersecurity community faced yet another alarming development: a new-generation info-stealing malware named Nullpoint-Stealer gained attention after being hosted on GitHub. Officially described as a “tool designed for cybersecurity training and exercises,” experts warn that the open distribution of such powerful code poses serious threats.
Written in C#, the program is highly stealthy, capable of evading standard antivirus software and disappearing after completing its task. Its primary function is to covertly collect sensitive data from a user’s device and transmit it to servers controlled by hackers. Specifically, it targets:
- Passwords, cookies (for session hijacking), autofill data, bookmarks, and browsing history from Chromium-based browsers.
- Desktop screenshots.
- Documents from the “Desktop,” “Documents,” and “Downloads” folders.
- VPN client configurations and user credentials.
- Gaming platforms: Steam, Epic Games, Battle.net.
- Cryptocurrency wallets: MetaMask, Exodus, Atomic Wallet.
- Sensitive information stored in plain .txt or .log files.
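The breadth of this target list is itself a detection signal: one unfamiliar process reading several unrelated credential stores in quick succession. The sketch below is an added example, not code from the Nullpoint-Stealer repository or from the article's sources. The path fragments, the allowlist, the event tuple layout and the sample events are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict
# Store category -> lowercase path fragments. These are common Windows default
# locations chosen for this example (a subset of the list above); extend as needed.
SENSITIVE = {
    "browser_credentials": (r"\user data\default\login data", r"\user data\default\web data",
                            r"\user data\default\network\cookies"),
    "crypto_wallet": (r"\appdata\roaming\exodus", r"\appdata\roaming\atomic"),
    "game_platform": (r"\steam\config",),
}
# Assumed allowlist: image names expected to read their own stores.
EXPECTED = {"chrome.exe", "msedge.exe", "brave.exe", "exodus.exe", "steam.exe"}

def classify(path):
    """Return the store category a file path belongs to, or None."""
    p = path.lower()
    for category, fragments in SENSITIVE.items():
        if any(f in p for f in fragments):
            return category
    return None

def detect(events, window=60, threshold=2):
    """Flag unexpected processes that read >= threshold distinct store
    categories within `window` seconds. Events: (ts, host, pid, image, path)."""
    hits = defaultdict(list)
    for ts, host, pid, image, path in events:
        name = ntpath.basename(image).lower()
        category = classify(path)
        if category and name not in EXPECTED:
            hits[(host, pid, name)].append((ts, category))
    alerts = {}
    for key, seen in hits.items():
        seen.sort()
        for start, _ in seen:  # slide a window starting at each observed read
            cats = {c for t, c in seen if start <= t <= start + window}
            if len(cats) >= threshold:
                alerts[key] = sorted(cats)
                break
    return alerts

# Constructed file-read events for illustration; not real telemetry.
LOGINS = r"C:\Users\u1\AppData\Local\Google\Chrome\User Data\Default\Login Data"
UNKNOWN_EXE = r"C:\Users\u1\Downloads\setup_activator.exe"
EVENTS = [
    (100, "ws-01", 4312, r"C:\Program Files\Google\Chrome\Application\chrome.exe", LOGINS),
    (200, "ws-02", 7788, UNKNOWN_EXE, LOGINS),
    (203, "ws-02", 7788, UNKNOWN_EXE, r"C:\Users\u1\AppData\Roaming\Exodus\exodus.wallet\seed.seco"),
    (205, "ws-02", 7788, UNKNOWN_EXE, r"C:\Program Files (x86)\Steam\config\loginusers.vdf"),
    (300, "ws-03", 901, r"C:\Tools\backup.exe", LOGINS),  # one category only: no alert
]
```

Calling `detect(EVENTS)` flags only the constructed `setup_activator.exe` process on `ws-02`; the browser reading its own store and the single-category reader are ignored.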
The most dangerous aspect of Nullpoint-Stealer is its modular structure, which allows any user to easily add new data-stealing capabilities. This flexibility transforms it into a significant threat.
The tool includes an audio notification feature that alerts attackers when data is successfully exfiltrated from a victim’s device. Its control panel organizes stolen data by country, operating system, browser, blockchain services, and other categories, enabling hackers to systematically manage their victims.
The GitHub page claims that Nullpoint-Stealer is intended for studying cybersecurity, analyzing defense methods, and testing in educational labs. However, experts caution that such “educational tools” are frequently weaponized by malicious actors.
In recent years, similar malware like Raccoon Stealer, Vidar, and KPot has compromised millions of devices. In 2024 alone, info-stealers were responsible for the illicit acquisition of over 2.4 billion user credentials.
These programs are often distributed through websites offering illegal “cracks,” “keygens,” or “activators.” Such sites leverage SEO to rank highly in search engines, luring unsuspecting users. Nullpoint-Stealer, being openly hosted on GitHub, amplifies the threat due to its accessibility.
A particularly concerning detail is the inclusion of links on the GitHub page to Telegram channels NeverTrace and zerotraceofficial, which likely promote the tool and provide technical support. This suggests the existence of a dangerous network behind its distribution.
Nullpoint-Stealer serves as yet another example of how cybercriminals exploit the guise of “educational tools” to distribute malicious software on open platforms. Cybersecurity experts urge heightened vigilance and continuous monitoring of harmful code shared on platforms like GitHub.