
NullPoint Stealer Technical Malware Analysis Report



As ThreatMon, we strive to prevent potential malicious activities by informing individuals, companies, firms, institutions, and organizations about current threats through our reports, posts, and analyses.

NullPoint Stealer is a modular, stealth-focused .NET-based infostealer designed to operate efficiently in Windows environments. Developed by a Turkish-speaking threat actor known as ZeroTrace, the malware combines a lightweight footprint with a wide range of data exfiltration capabilities. It targets browser credentials, session tokens, cryptocurrency wallets, VPN configurations, system metadata, and sensitive user files, while actively evading detection through anti-VM checks, import hiding, and post-execution cleanup routines.

The stealer gained rapid adoption in the underground community shortly after its release, aided by its open-source nature and user-friendly GUI builder. Its structure, heavily based on the well-known StormKitty Stealer, has been extended and customized to support targeted reconnaissance, long-term persistence, and the ability to evade static and behavioral detection mechanisms. The malware’s modular plugin-ready architecture enables threat actors to adapt it easily to diverse operational goals, including data theft, initial access, or pre-ransomware staging.

In-the-wild usage has been confirmed through observed attacks on hotel businesses in Türkiye and Pakistan, where the malware was distributed via malicious PDF documents delivered through WhatsApp. Investigation into the threat actor revealed the use of residential IP addresses (notably from TürkSat), multiple infrastructure domains (e.g., mentality.cloud), and Telegram-based distribution channels. This combination of social engineering, residential hosting, and open-source tooling illustrates an emerging trend in modern malware deployment—low-cost, low-sophistication setups producing high-impact results.

NullPoint Stealer poses a significant threat to organizations and individuals alike, especially in regions with limited visibility into threat actor behaviors and infrastructure. Its increasing presence, ease of customization, and active development suggest that the malware will continue to evolve and be used in broader campaigns across both regional and global targets.
