Mercurial Grabber.exe

Specifically targets Minecraft (launch profiles) and Roblox (.ROBLOSECURITY cookies) to hijack gaming sessions.

Fake "FiveM" cheats, Minecraft mods, or Roblox exploits.

Cracked Software: Keygens or installers for paid software.

Scrapes local LevelDB files to steal Discord authentication tokens, allowing attackers to bypass 2FA and take over accounts.

Includes basic anti-debugging and anti-VM (Virtual Machine) checks to detect if it is being run by a security researcher in a sandbox.

Delivery Methods

Distributed via phishing emails or "freeware" links in YouTube descriptions and Discord servers.

Never download software from unofficial sources, especially those that ask you to disable your antivirus before running.

Attackers rarely name the file "Mercurial Grabber.exe" when sending it to victims. Instead, they disguise it as: