From KPOT to Koi: The privatisation of a stealer family

  • Blog
  • 5 minute read
  • December 03, 2025

Across the cyber threat landscape, infostealers are the workhorses of credential theft—easy to buy, easy to use, and churned out at scale through malware-as-a-service (MaaS) models. But sometimes, a stealer goes dark, evolves, and reappears under private control.

Since 2024, PwC Threat Intelligence has tracked one of these rare evolutions: Koi, a closed-loop malware family operated by the threat actor we track as White Dev 192.

Koi didn’t appear out of nowhere—it grew out of KPOT, a once-commercial infostealer sold on underground forums in 2018 and auctioned off in 2020. Soon after, a new series of binaries appeared with similar code patterns and behaviour. What was once a commodity became a bespoke, privately maintained toolkit, signalling a shift in how some threat actors develop and weaponise credential-theft capability for their own private use.

Beyond MaaS: A bespoke threat

Most stealers are disposable; Koi is disciplined. On Windows, its modular design—KoiLoader, KoiBackdoor, and KoiStealer—enables stealthy, flexible operations:

  • KoiLoader loads and decrypts an embedded second-stage payload from its PE resource section. Decryption relies on two in-memory resources: one serves as the XOR key, while the other is processed by reading every alternate byte before the payload is reconstructed.
  • KoiBackdoor, beyond staging and loading the next payload component, retains backdoor functionality that allows operators to issue additional commands for privilege escalation, proxying, and next-stage execution.
  • KoiStealer has targeted 170+ cryptocurrency wallets and 80+ password or 2FA browser extensions, signalling a clear focus on monetisable access rather than wholesale theft.
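As an added illustration, not code from the report or from the malware itself, the following Python models the KoiLoader resource-decryption scheme described above so that an analyst can recover the embedded second stage from two dumped resources. The de-interleaving offset, the order of operations (de-interleave, then XOR) and the cycling of a shorter key are assumptions, since the report does not specify them; the sample resources are constructed.

```python
"""Analyst-side model of the KoiLoader resource decryption described above.
Assumed (the report does not say): real payload bytes sit at every alternate
position of the data resource starting at offset 0, de-interleaving happens
before the XOR, and the key resource repeats when shorter than the payload."""
from itertools import cycle


def deinterleave(resource: bytes, start: int = 0) -> bytes:
    """Read every alternate byte of the resource, beginning at offset `start`."""
    if start not in (0, 1):
        raise ValueError("start offset must be 0 or 1")
    return resource[start::2]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against the key resource, cycling the key as needed."""
    if not key:
        raise ValueError("empty key resource")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_payload(key_resource: bytes, data_resource: bytes, start: int = 0) -> bytes:
    """Reconstruct the second stage: de-interleave first, then XOR with the key."""
    return xor_with_key(deinterleave(data_resource, start), key_resource)


def looks_like_pe(blob: bytes) -> bool:
    """Quick sanity check on a recovered Windows stage: it should start with 'MZ'."""
    return blob[:2] == b"MZ"


def build_fixture(payload: bytes, key: bytes, filler: int = 0x00) -> bytes:
    """Constructed test fixture only: interleave an XOR-encoded payload with filler
    bytes so the decoder can be exercised offline under the assumptions above."""
    out = bytearray()
    for b in xor_with_key(payload, key):
        out += bytes((b, filler))
    return bytes(out)


# Constructed sample resources: a fake second stage with a PE-style header.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 6 + b"second-stage-bytes"
SAMPLE_KEY = b"\x13\x37\xc0\xde"
SAMPLE_DATA_RESOURCE = build_fixture(SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    stage = recover_payload(SAMPLE_KEY, SAMPLE_DATA_RESOURCE)
    print("PE header recovered:", looks_like_pe(stage), stage[:8])
```

If a real dump yields no MZ header at offset 0, trying `start=1` is the first thing to vary, since the report does not say which alternate byte carries the payload.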

By April 2024¹, Koi had expanded to macOS with KoiFusion, collapsing its Backdoor and Stealer Windows modules into a single Mach-O binary. Across both platforms, shared C2 command sets indicate a common code base, pointing to ongoing code maintenance and long-term operational planning. The activity has been reported under different names: in 2024, CrowdStrike publicly described² the macOS variant, Cuckoo Stealer, and linked it to TMStealer (KoiStealer) on Windows, while in 2025, Palo Alto Networks³ retained the name Koi. Both presentations reported strong similarities between the macOS and Windows stealer, including overlaps in network protocol and overall malware behaviour.

Why it matters for defenders

As law enforcement and takedowns disrupt MaaS operators, the case of Koi demonstrates how threat actors can capitalise on exclusive, self-contained malware ecosystems—harder to acquire, harder to attribute, and far less visible to the security community.

For defenders, this shift means:

  • Behavioural detection over signature reliance – track loader-to-stealer handoffs, memory-only execution, and cross-platform command logic instead of chasing hashes.
  • Cross-platform visibility – configure Windows and macOS telemetry pipelines to detect large-scale collection of user data and associated exfiltration patterns.
  • Threat lineage tracking – map reused code and configuration overlaps to detect evolutions of “retired” families like KPOT.

Koi’s evolution from open-market stealer to privately held offensive toolset underscores a maturing threat economy—one where access, not malware, is the product.

Our full technical analysis—including code lineage and indicators of compromise (IOCs)—is available in our GitHub repository.


¹ KoiFusion, SHA-256 hash: 1dfc5689913347d052a24488256758ce87ba7acff412fb293993552b38640b3e

² ‘#OBTS v7.0: macOS Stealers: Stealing Your Coins, Cookies and Keychains’, M. Stewart & S. De Souza of CrowdStrike, https://www.youtube.com/watch?v=nu0G4rPbyHI (17 December 2024)

³ ‘Hook, Line and Koi Stealer: New macOS Malware in DPRK Fake Job Interviews’, Adva Gabay & Daniel Frank of Palo Alto Networks, https://www.youtube.com/watch?v=AH2x_Hi7W4I (16 October 2025)

© 2025 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only and should not be used as a substitute for consultation with professional advisors.
