For years, security teams focused on securing endpoints, hardening networks, and patching operating systems. Browsers, by contrast, were treated as productivity tools — inherently somewhat risky, but not the primary battlefield. In 2026, the browser has become the most valuable credential vault on any employee’s machine, and threat actors have adapted accordingly.
The WhoUser infostealer, analyzed by Cynet’s CyOps CTI team in the March 2026 Cyber Threat Intelligence Report, is a textbook example of what modern browser-targeting malware looks like. But it is far from unique and reflects a broader, accelerating trend that every security team needs to understand.
Before examining WhoUser specifically, it is worth understanding the scale of browser-based credential theft in 2026. A database discovered in January 2026 and reported by IT Security Guru contained 149 million unique login-password pairs, compiled entirely from infostealer operations targeting browser credential stores. The database included 48 million Gmail accounts, 17 million Facebook accounts, and hundreds of thousands of financial and cryptocurrency accounts.
BleepingComputer has reported extensively on the evolution of infostealer campaigns, noting that modern infostealers have expanded credential theft far beyond usernames and passwords. Today’s tools harvest session cookies, authentication tokens, autofill data, and payment card information, all of which are stored in browser databases that most employees never think about.
Infosecurity Magazine also documented the emergence of Storm, a new infostealer in early 2026 that decrypts credentials server-side rather than on the victim’s machine — an innovation specifically designed to evade endpoint detection tools that watch for local database access. The article notes that one compromised employee browser can hand an attacker authenticated access to SaaS platforms, internal tools, and cloud environments without ever triggering a password-based alert.

WhoUser was discovered advertised on a Turkish-speaking surface-web hacking forum and analyzed by Cynet’s CyOps researchers. Written in C++ and compiled as a 64-bit Windows executable, the malware is promoted as an advanced data-stealing tool with browser extraction, Discord token collection, and Telegram-based exfiltration capabilities.

Anti-Analysis Techniques
WhoUser immediately checks whether it is running in a debugging or virtual environment using CheckRemoteDebuggerPresent and IsDebuggerPresent — standard anti-analysis techniques that allow the malware to alter behavior or exit entirely if it detects a sandbox.
Browser Credential Harvesting
The core credential-theft capability targets Chromium-based browsers including Google Chrome, Microsoft Edge, and Opera GX. WhoUser accesses browser Local State files and LevelDB storage to extract the encryption keys needed to decrypt stored credentials, cookies, and authentication tokens. Hardcoded SQL queries in the binary target the credit_cards table directly, retrieving card numbers, cardholder names, expiration dates, and CVC values.

What makes this especially notable is WhoUser’s use of ChromeElevator — an open-source utility dropped as RuntimeBroker_ce.exe — to bypass Chromium’s App-Bound Encryption (ABE). ABE was introduced in Chrome 127 specifically to make local credential theft harder by binding decryption keys to the browser process. WhoUser’s use of ChromeElevator shows that attackers are actively developing and deploying countermeasures as defenses evolve.
Discord Token Harvesting
Beyond browser data, WhoUser scans AppData directories associated with Discord and Discord Canary installations, targeting the LevelDB databases that store authentication tokens. These tokens can provide persistent access to Discord accounts even after password changes, making them valuable both directly and as a social engineering vector.
Clipboard Monitoring
WhoUser monitors clipboard content in real time using Windows clipboard APIs. This captures passwords copied from password managers, cryptocurrency wallet addresses, one-time authentication codes, and any other sensitive content a user copies during a session.
Persistence and Exfiltration
The malware establishes persistence by creating a scheduled task named MicrosoftEdgeUpdateTaskMachine — designed to blend in with legitimate Microsoft Edge update tasks and avoid raising suspicion. Collected data is compressed into a ZIP archive named after the victim’s hostname and username, then exfiltrated. In the analyzed sample, exfiltration occurred via Discord webhook rather than Telegram, suggesting the sample was configured for that specific operator’s infrastructure.
WhoUser is one data point in a much larger market. BleepingComputer reported on Torg Grabber, a new infostealer active from December 2025 through early 2026 that targets 728 cryptocurrency wallet extensions, 103 password manager extensions, and 25 Chromium-based browsers — with new command-and-control servers registered every week.
Cynet’s 2025 year-in-review analysis found that credential theft has become the dominant initial access vector for downstream ransomware and fraud operations, with infostealers feeding directly into ransomware affiliate programs. Stolen credentials are a core asset in a cyber cartel’s portfolio, and they fuel the entire criminal supply chain.
Browser security cannot remain an afterthought. Based on the WhoUser analysis and the broader infostealer landscape, organizations should take the following concrete steps: