Mallory

StealC

Also known as: StealC

StealC is a cybercriminal malware-as-a-service (MaaS) information stealer first observed in January 2023 and advertised on Russian-speaking underground forums; reported pricing was about $300/month as of December 2025. It is delivered through social-engineering lures and malware delivery chains, including YouTube "cracked software" videos (the "YouTube Ghost Network"), malvertising chains (including SVG and PowerShell stages), ClickFix-style fake CAPTCHA pages, FileFix, and malicious Blender (.blend) files used in campaigns targeting Blender users.

StealC collects credentials, cookies, autofill data, and files from 23+ browsers and 15+ cryptocurrency wallets, and also steals from applications such as Discord, Telegram, and Outlook. The resulting logs are traded on underground markets (e.g., Russian Market) and have been linked to downstream activity such as credential stuffing and ransomware operations (e.g., Akira).

Technically, StealC is described as a non-resident, C-based stealer with evasion features including dynamic WinAPI resolution, anti-analysis checks, and runtime decryption. In V2, collected data is exfiltrated by HTTP POST to the C2 as RC4-encrypted JSON, so a captured POST body is only readable once the RC4 key has been recovered from the sample or its configuration.

The operation is run from a web-based administration panel. V2 introduced a redesigned panel, Telegram bot notifications, and other management features, and the panel's source code has been leaked. Researchers reported 40+ C2 servers with rapid rotation and use of low-reputation or bulletproof hosting. CyberArk reported and exploited an XSS vulnerability in the operators' web panel to collect operator system fingerprints, monitor sessions, and steal session cookies; the panel's session cookies lacked protections such as the HttpOnly flag, which is what allowed injected script to read them directly.

CyberArk also profiled a StealC customer dubbed "YouTubeTA", assessed to be a lone, Russian-speaking actor using YouTube to push fake Adobe Photoshop and After Effects cracks. CyberArk reported that this actor amassed 5,000+ logs containing roughly 390,000 passwords and 30M+ cookies, and that an OPSEC failure in mid-July 2025 exposed an IP address associated with the Ukrainian ISP TRK Cable TV.
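The V2 exfiltration format described above (RC4-encrypted JSON sent by HTTP POST) is the kind of thing an analyst has to decode from a packet capture once the key is known. The following is an added example, not StealC's code and not derived from any StealC sample: it implements RC4, round-trips a constructed sample log through it, and shows how to test candidate keys against a captured POST body by checking whether the output parses as a JSON object. The key, field names and values are constructed for illustration only; the real key and log schema are not documented on this page and must be recovered from the binary or its configuration.

```python
"""Decrypt and triage a StealC-V2-style exfiltration body.

Added example, not StealC's own code. StealC V2 is reported to POST
RC4-encrypted JSON to its C2; RC4 is symmetric, so one routine both
encrypts a constructed sample log and decrypts a captured body. The key,
field names and values below are constructed and illustrative only.
"""
import json
from typing import Iterable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (KSA + PRGA); encryption and decryption are the same op."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed sample: illustrative key and log, not real StealC values.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_LOG = {
    "hwid": "0123456789ABCDEF",
    "build": "demo",
    "browsers": [{"name": "Chrome", "cookies": 2, "passwords": 1}],
    "wallets": ["Exodus"],
}


def encrypt_exfil(log: dict, key: bytes) -> bytes:
    """Serialise a log as compact JSON and RC4-encrypt it (what a bot would POST)."""
    return rc4(key, json.dumps(log, separators=(",", ":")).encode("utf-8"))


def decrypt_exfil(body: bytes, key: bytes) -> dict:
    """Decrypt a captured POST body and parse it; raises ValueError on a bad key."""
    plain = rc4(key, body)
    obj = json.loads(plain.decode("utf-8"))
    if not isinstance(obj, dict):
        raise ValueError("decrypted payload is not a JSON object")
    return obj


def find_key(body: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate key whose decryption parses as a JSON object.

    A wrong RC4 key yields pseudo-random bytes, which almost never decode as
    UTF-8 and parse as JSON, so a successful parse is a strong signal.
    """
    for key in candidates:
        try:
            decrypt_exfil(body, key)
            return key
        except ValueError:      # covers UnicodeDecodeError and JSONDecodeError
            continue
    return None


def triage(body: bytes, candidates: Iterable[bytes]) -> dict:
    """Summarise a captured body: which key worked and what the log contains."""
    key = find_key(body, list(candidates))
    if key is None:
        return {"key": None, "decoded": False}
    log = decrypt_exfil(body, key)
    return {
        "key": key,
        "decoded": True,
        "hwid": log.get("hwid"),
        "browsers": [b.get("name") for b in log.get("browsers", [])],
        "wallets": log.get("wallets", []),
    }


if __name__ == "__main__":
    captured = encrypt_exfil(SAMPLE_LOG, SAMPLE_KEY)   # stands in for a PCAP-extracted body
    print(triage(captured, [b"wrong-key", SAMPLE_KEY]))
```

The JSON-parse check in `find_key` is a cheap oracle for key recovery: RC4 has no integrity protection, so a wrong key silently produces garbage rather than an error, and the only way to know a candidate is right is to test the plaintext for the structure you expect.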
