OxideHarvest
OxideHarvest is a Rust-based credential stealer, also tracked as buildx641. ESET linked it to a Gentlemen ransomware affiliate identified as quant, and assessed it as affiliate-maintained rather than a core Gentlemen operator tool; one report also noted it was likely developed externally. Its primary capability is harvesting credentials and browser data from Chromium-based and Gecko-based browsers on compromised hosts. Reported targeted browsers include Google Chrome, Microsoft Edge, Torch, Comodo, Epic Privacy Browser, Vivaldi, Brave, Opera, OperaGX, Mozilla Firefox, Waterfox, BlackHawk, and IceCat. Supporting reporting states it can use supplied credentials to log into specified hosts, extract browser credentials, and write them to an output file. Reported command-line options include host list, username, password, thread count, and output file. ESET concluded that a VirusTotal sample named buildx641.exe is the same tool as OxideHarvest. The malware has been observed in the broader context of Gentlemen ransomware intrusions, but the available content attributes it specifically to an affiliate rather than to the core ransomware operators. No standalone infection vector or specific IOCs beyond the buildx641/buildx641.exe naming are provided in the content.
Groups observed using it
1 distinct threat actor attributed by public researchers.
OxideHarvest (also tracked under the alias buildx641) is a Rust-written credential stealer.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth
2 techniques
Defense Evasion – T1027 Obfuscated Files or Information: Some executables are protected with packers (Enigma, Themida) and custom control-flow obfuscation.
Stage 7 – Masquerading and obfuscation layered over the whole chain (T1036, T1036.001, T1027 – Masquerading, Masquerading: Invalid Code Signature, Obfuscated Files or Information). Every tool in the suite ... is run through the same standardization layer: commercial packers (Enigma/Themida), fabricated version information, icons copied from the impersonated vendor, and digital signatures copied from legitimate software.
Credential Access
4 techniques
Additionally, ESET documented the use of OxideHarvest, a Rust-based credential-stealer tool...
ESET said it also detected a Rust-based credential stealer codenamed OxideHarvest (aka buildx641) that's capable of harvesting data from popular web browsers, including Google Chrome, Microsoft Edge, Torch, Comodo, Epic Privacy Browser, Vivaldi, Brave, Opera, OperaGX, Mozilla Firefox, Waterfox, BlackHawk, and IceCat.
ESET also found a Rust-based credential stealer called OxideHarvest, also tracked as buildx641, linked to one of the group’s affiliates. It targets Chrome, Edge, Firefox, Brave, Opera, OperaGX, Vivaldi, Waterfox, and a dozen other browsers, using supplied credentials to log into specified hosts, pull browser credentials, and write them to an output file.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
A Rust-based credential stealer tied to a specific Gentlemen affiliate rather than the core operators. It authenticates to supplied hosts using operator-provided credentials and harvests credentials from a wide range of Chromium- and Gecko-based browsers in a multithreaded loop.
A Rust-based credential stealer used by Gentlemen affiliates to harvest browser credentials from Chromium-based and Gecko-based browsers on compromised systems.
A Rust-based credential stealer linked to a Gentlemen affiliate. It targets numerous browsers, uses supplied credentials to log into specified hosts, extracts browser credentials, and writes them to an output file.
A Rust-based credential stealer that harvests data from numerous web browsers.