Mercurial Grabber.exe May 2026

Collects machine info, including Windows product keys, IP addresses, hardware specs, and desktop screenshots.

The file is the compiled output of an open-source information stealer (infostealer) originally published on GitHub in 2021. While its creators claimed it was for "educational purposes," it has been widely adopted by threat actors to steal personal data from gamers and casual web users.

Extracts stored passwords, cookies, and autofill data from popular browsers like Google Chrome, Opera, Brave, and Yandex.

Attackers rarely name the file "Mercurial Grabber.exe" when sending it to victims. Instead, they disguise it as:

The stolen data is bundled and sent via an HTTP POST request to the attacker's Discord webhook.

Risk Mitigation

If you suspect an infection:

Distributed via phishing emails or "freeware" links in YouTube descriptions and Discord servers.

Typical Infection Cycle

The user runs the .exe. It may show a fake error message or a simple GUI to appear legitimate.

Never download software from unofficial sources, especially those that ask you to disable your antivirus before running.