Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareRansomware

Arkanix

Arkanix is an information-stealing malware family first publicly noted in late 2025 and observed in the wild by 2026. Reporting describes it as a new or “next-gen” stealer marketed for theft of sensitive data and short-term financial gain. Arkanix has been characterized as blending rapid Python-based harvesting with stealthier C++ payloads, and as using C++ process injection to bypass Google Chrome App-Bound Encryption. Kaspersky analysis cited in the source material states Arkanix was likely developed as an LLM-assisted experiment and that it was promoted on underground forums in October 2025. The available content identifies it broadly as an infostealer but does not provide specific victim sectors, delivery vectors, threat-actor attribution, or concrete indicators of compromise.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Privilege Escalation

1 technique
T1055Process InjectionEvidence1

"Next-Gen Stealer Arkanix Bypasses Chrome App-Bound Encryption Using C++ Process Injection"

Stealth

1 technique
T1055Process InjectionEvidence1

"Next-Gen Stealer Arkanix Bypasses Chrome App-Bound Encryption Using C++ Process Injection"

Credential Access

1 technique
T1555Credentials from Password StoresEvidence1

“Multiple information stealer families… demand for off-the-key stealer malware… stealer logs… sold to initial access brokers”

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
the hacker newsNews
Mar 2, 2026
⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More

Information stealer offered as malware-as-a-service; assessed to have been developed with LLM assistance and later taken down, with stolen logs feeding initial access and broader cybercrime ecosystems.

Read more
the hacker newsNews
Mar 2, 2026
⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More

Information-stealing malware (MaaS) reportedly developed with LLM assistance; marketed in underground forums and used to harvest credentials/logs that can be resold for initial access.

Read more
cso onlineNews
Feb 23, 2026
New Arkanix stealer blends rapid Python harvesting with stealthier C++ payloads | CSO Online

Information-stealing malware (“stealer”) described as combining a fast Python-based data-harvesting component with a stealthier C++ payload.

Read more
the hacker newsNews
Dec 8, 2025
⚡ Weekly Recap: USB Malware, React2Shell, WhatsApp Worms, AI IDE Bugs & More

A newly marketed information stealer designed to exfiltrate sensitive data for financial gain.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping2

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.