Tiktaaliks Tale — Unearthing a Fossil
June 6th, 2022 - Initial Incident:
It was a normal afternoon like any other. During this time I had just graduated from high school, and I was working full time at a restaurant as a dishwasher. I hadn't fully invested into my cybersecurity career; well, I knew as a young teenager I wanted to go into penetration testing, and I had only now invested time into watching reverse engineering malware videos on YouTube. I was new and curious, definitely not yet experienced by any means.
Initial Inquiry
At 1:26 PM EST I received a notification on Discord from one of my online friends, "My account was hacked." My friend explained that someone on Discord, the threat actor, approached my friend asking if she could beta test their game. I mean, honestly that sounds super cool, who wouldn't? The threat actor sent her a password protected zip file from a Google drive link. The name of the supposed game? Tiktaaliks Tale, a nod to the tetrapod anyone interested in evolutionary biology would recognize instantly.
She still had the link, and she provided it to me after I suggested I could try reverse engineering it, but she had forgotten the password. I stumbled through a couple of Python scripts trying to brute force the password with no avail. After a few days of not knowing the password, she dug through her DMs and found the password: beta-tester.
After this the extent of my research involved me plopping the Windows executable into a virtual machine and seeing what wireshark would pick up. I identified an outbound IP that I didn't know at the time, but it was an IP for a Linode VPS. That's cool, but it never led us to the threat actor's identity. Not knowing how to continue or what to do, I saved what I could. Eventually the damage was done, she recovered her accounts and did damage control, and life for me got busy after starting college for my AAS in CyberSecurity in 2023.
There was one more piece of important evidence that would become relevant later on. My friend sent a screenshot of a login attempt report from one of her accounts as a security alert. It didn't specify an IP, which was unfortunate, but the alert did specify an originating country.
How then, is it possible for almost four years to pass, and when I go to dig up this fossil of a piece of malware, I'm still able to find crucial information on who the threat actor might be?
January 30th, 2026 - Digging it Back Up:
I'm not a reverse engineer: At least not by job title. But nearly four years later I have more experience. I graduated college in December of 2025, I've been working in NOC for one year, and lately I've been writing reports and trying to be more active publicly. I've also been doing actual real world reverse engineering. I developed a wrapper script for PE-Sieve to slice and read in memory payloads as they decompress, for example. I definitely have more knowledge than I used to.
Return to Inquiry
It was last night when I got that scratching feeling I sometimes get when I'm bored. I want to do something, I want to find something, track something, anything. That's when I remembered it: Tiktaaliks Tale. I pulled up my friend's old DMs, searched for all links in the conversation, and there it was. The Google Drive link, still up and hosting the zip file holding the executable. I downloaded it and tried extraction only to be hit by a prompt for a password.
I had forgotten it all this time and I wasn't keen on trudging through more old DMs, so I was preparing to brute force it when I remembered: Beta test? Something to do with that? beta-tester! I inputted the password and there it was, TiktaaliksTale.exe.
Decompilation & Initial Triage
I booted up my Linux VM and ran strings on the executable. I was instantly hit with a bunch of, what I assumed to be, runtime noise related to some sort of compiler. The last line of strings was interesting, though: <nexe~~sentinel>.
Researching what nexe could refer to I found out it's a utility that converts Node.js applications into single executable files. Looking for an unpacker, I found nexeDecompiler: https://github.com/unex/nexeDecompiler
After installation and running the decompile command on the executable, I had the fully decompiled JavaScript file. It's called: 903012931430645861s.js.
File path: unpacked/build/
SHA256 hash: 12fb8c3d8c67c982e4f2a8ab3d93b6111035eb9d57f9feef7f29cc735c955eb4
File size: 50,206 bytes
This contains heavily obfuscated JavaScript code. I ran it through a deobfuscation pass so the code was at least readable. I found an array function, called: a0_0x196530.
This array list is crucial to everything that comes next. It details callouts such as Discord, browser cookies, session tokens; this, along with other clues, tells us what this piece is after.
What caught my attention were three things:
1. The array contains a Discord webhook API URL that is in plaintext.
2. There is a CTF Flag-like comment, probably related to an author handle or a sort of name, that tells us a lot about this malware, the comment being: #RustlerONTOP.
3. The code calls a raw GitHub URL, most likely to download and run the code as part of the payload.
There are a few others relating to the name Rustler. One is a comment referring to the malware, or I assume a potential malware name: Rustler Stealer.
Attribution & Lineage
Searching online for RustlerStealer didn't present much, there were some GitHub repos claiming to be the leaked source code, but before verifying if they were I wanted something more concrete. I decided to focus on the raw GitHub link. Going directly to the link gave a 404. I chopped the URL in a way it would show me the profile for the raw GitHub link rather than the raw code. There it was, a public GitHub corresponding to the raw GitHub link in the code. We will call this GitHub profile the supposed malware author.
I traversed the GitHub and noticed a repo that was forked over by someone else. We will dub this repo forked-repo to represent the forking path of this code. The author of the original repo stated that he is using it to deobfuscate JS coded malware he found. For some reason, our supposed malware author. Why?
Included in the original repo I noticed there was a strings.txt file. I viewed it, then it hit me. This original repo, that the supposed malware author forked over, it is the malware code. What's better? It has the payload that the raw GitHub link would correspond to.
I examined this repo further and realized that this code did not have any strings pointing to the term Rustler. In fact, I concluded this:
1. The author of this repo, claiming he was using GitHub to deobfuscate malware code he found, was forked by the supposed malware author:
2. The supposed malware author wasn't the original author of the code; instead, when they forked the code they took it for themselves and added their own tags, adopting it for themselves then claiming it as their own.
3. Our next goal: The malware variant is RustlerStealer, but we need to find the original malware that the deobfuscation repo has.
Looking into the repo, there is a folder named completed, with subfolders stage 1 and stage 2. This must be referring to stages of the malware as it executes. Checking in stage 1, there are two files: stage1.js and stage1_original.js.
Assuming stage1.js would be deobfuscated, I started there. I scrolled through the code until I found a variable called "password_headline" inside the getPizzas function, and inside this variable is a comment string: #BBYSTEALERSEXYSPAINMAMI.
This is our biggest clue to identifying the full family. RustlerStealer was made by an author who took deobfuscated code from a researcher repo on BBYStealer. I confirmed this by comparing the file paths between the RustlerStealer code and the BBYStealer code, which were a match. I then compared the strings.txt. The compilation of BBYStealer is the same as RustlerStealer, using nexe to transcribe JS code to a Windows executable. They both share the same command and control (C2) server pipeline, using Discord bots to control querying for stolen data. The real giveaway is the fact that the raw GitHub code profile for RustlerStealer has a forked repo of deobfuscated BBYStealer code.
Behavior
BBYStealer is an information grabber. It targets browser cookies, passwords, discord tokens, any account credentials really. Naturally, RustlerStealer shares the same behavior, which makes sense knowing that RustlerStealer is a fork of BBYStealer.
Taking a look at the payload file, it becomes clear what it does. After 903012931430645861s.js calls for the raw GitHub, the code that would've been downloaded would have assisted in the exfiltration of data the script has already stolen.
This is big, it's amazing even. After all of these years the GitHub for the author is still up. While the raw GitHub is down, there is still a repo that has the original BBYStealer payload. Honestly, the work is done here, but there's still that nagging question. Who sent this to my friend?
Attribution Evidence
Judging from the multiple GitHub pages about leaked RustlerStealer code, it was known about. If the code was public at one point anyone could have downloaded the code and used it for themselves. Going back to my friend and her logs, the originating country is listed and she said the person who sent the file spoke the language from that country. That's a start. Looking at the malware author's GitHub page again I noticed something, they had their location displayed, and it was the same country as the language originates from and the one listed in the logs.
This has to be a coincidence right? I had to look further. I figured, why not look at the base executable file again? Looking at TiktaaliksTale.exe one more time, I ran the command that started this deep dive off to begin with. I ran strings but I specifically filtered for a nickname listed in the GitHub profile. The response? Several file paths of a Windows filesystem relating to the compiler reading JS object files during compilation. The username in the file path matched exactly the nickname in the GitHub repo.
Every time this compiler is run, it needs to call to certain files that communicate with the main JS script in order to add them to the executable, so if anyone else had compiled this piece of RustlerStealer it would have shown a different name. Instead, it's the same nickname as shown on the GitHub profile.
This doesn't prove the sender is the author, but it strongly suggests this executable was compiled on a machine tied to that GitHub handle. Combined with the matching country and language context, it makes it plausible the sender was the author, or at least closely associated with them.
Conclusion
Is there anything to do about this now that almost four years have passed? In reality, not really. This is why time is so important after a crime is committed, because even though we theoretically know who the person's online handle is, the chances of us now being able to found this person in real life and bringing them to justice are slim to none. The damage has already been done, my friend recovered her accounts within the same week almost, and the author has not been active on GitHub since these events took place.
The raw GitHub links are down, so are the Discord webhooks, and script kiddies everywhere will continue to copy code and claim it for themselves as their own. There is one lesson to be learned here, though.
No matter how old a fossil is, useful information can still be dug to light. Just because you cannot catch someone outside of the virtual space doesn't mean your efforts are for nothing.
For one, this was a great exercise in OSINT, RE, and understanding critical points of OPSEC where the threat actor had failed. Understanding where this malware came from and who most likely wrote it has given me closure for something I had previously failed to understand years ago.