Close this search box.

Snake Malware Sinking Teeth in 50 Apps for Only $25


The Snake password-stealing trojan is being employed by an increasing number of cybercriminals, making it one of the most used malware families in attacks. 

Snake has only been active since November 2020 and is not related to the previous ransomware operation of the same name. 

Researchers from Cybereason have investigated how popular malware operates. 


Snake’s Malicious Features 

Snake is already being sold on dark web sites for as little as $25, which could explain the increase in its use. 

Snake is mostly used in phishing efforts, when it is installed via malicious email attachments or by drop sites accessible by clicking on email links. 

Snake, when installed on a computer, can collect passwords from over 50 applications, including email clients, web browsers, and instant messaging services. 

Snake has been known to target the following programs: 

  • Discord 
  • Pidgin 
  • FileZilla 
  • Thunderbird 
  • Outlook 
  • Brave browser 
  • Chrome 
  • Edge 
  • Firefox 
  • Opera 
  • Vivaldi 
  • Yandex 

Snake’s stealing capability diagram. Source: Cybereason

According to a prior HP investigation, threat actors may utilise geolocation data to restrict installation based on the victim’s country. 

Other characteristics include the ability to steal operating system data, memory space information, geolocation, date-time information, IP addresses, and more. 


Avoiding Detection 

Snake bypasses antivirus defences by eliminating the associated programs and even disables network traffic analysers like Wireshark to evade detection. 

Snake then adds itself to the Windows Defender exclusion list, allowing it to execute dangerous PowerShell commands undetected. 

Snake creates a scheduled job and modifies a registry key to be executed when a user enters Windows in order to establish persistence. 

 It’s worth noting that Snake allows its operators to choose which capabilities to enable the virus during the packing stage. 

By minimising the use of features in targeted attacks, they can remain undetected. 

 Lastly, Snake uses either an FTP or SMTP server connection or an HTTPS POST on a Telegram endpoint to exfiltrate data. 

Snake’s ability to perform phishing attacks could result in devastating outcomes. It’s recommended that all individuals, network admins and security professions become familiar with expert cybersecurity tactics and techniques, especially for remote workers. 

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.


Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235


Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →



Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution



A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →