Mallory

StealC Stealer

StealC Stealer is an information-stealing malware family distributed through several social-engineering and malware-delivery ecosystems. The cited reporting places it in campaigns that abuse trusted platforms and user-interest lures: bogus GitHub repositories, SEO-poisoned search results, fake software and game-cheat downloads, compromised YouTube accounts in the "YouTube Ghost Network," and ClickFix-style prompts served from compromised WordPress sites that impersonate verification or installation flows. It has been observed as one of several payloads delivered by the CastleLoader malware-as-a-service ecosystem operated by the threat actor GrayBravo, and reporting also describes StealC as an improved version of Vidar Stealer. In the cited ClickFix/WordPress activity the malware is associated with Windows compromises. The cited reporting provides no technical indicators specific to StealC itself, but the surrounding delivery infrastructure includes malicious links hosted on services such as MediaFire, Dropbox, Google Drive, Google Sites, Blogger, Telegraph, and bogus GitHub repositories, as well as YouTube videos and compromised WordPress sites used to lure victims.


MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1608.006 SEO Poisoning (evidence: 1)

Unsuspecting users are directed to these repositories through techniques like SEO poisoning.

Initial Access

1 technique
T1189 Drive-by Compromise (evidence: 1)

Highly trusted WordPress websites are being compromised as part of an ongoing, widespread campaign designed to inject a ClickFix implant impersonating a Cloudflare human verification challenge.

Execution

1 technique
T1204 User Execution (evidence: 1)

Unlike traditional exploit-based attacks, this method relies entirely on user interaction – usually in the form of copying and executing commands.

Credential Access

1 technique
T1649 Steal or Forge Authentication Certificates (evidence: 1)

The stealer is equipped to harvest a wide range of data from compromised hosts, including exfiltrating credentials, files, keychain databases, and seed phrases from cryptocurrency wallets.

Discovery

1 technique
T1012 Query Registry (evidence: 1)

The following analytic detects an access request on the uninstall registry key... adversaries or malware can exploit this key to gather information about installed applications, aiding in further attacks.
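The analytic quoted above fires on read access to the Uninstall registry key, which is where Windows lists installed applications. The Python below is an added illustration of that detection logic, not Mallory's analytic or any vendor's rule. It runs over constructed, simplified Windows Security event 4663 (object access) records; the field names, the allowlisted process and the sample paths are assumptions made for the example.

```python
"""Flag reads of the Uninstall registry key (ATT&CK T1012) in Windows
Security object-access events.

Added illustration only: the records in SAMPLE_EVENTS are constructed,
simplified Security event 4663 fields, not real telemetry, and the
allowlist below is a hypothetical tuning choice.
"""
from dataclasses import dataclass

# Both the native and the WOW6432Node views of the installed-programs list.
UNINSTALL_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\uninstall",
    r"\software\wow6432node\microsoft\windows\currentversion\uninstall",
)

# Hypothetical allowlist: processes expected to enumerate installed software.
ALLOWLISTED_PROCESSES = {r"c:\windows\system32\svchost.exe"}


@dataclass(frozen=True)
class RegistryAccessEvent:
    event_id: int        # 4663 = "An attempt was made to access an object"
    process_name: str    # full path of the accessing process
    object_name: str     # registry path as logged, e.g. \REGISTRY\MACHINE\...
    access_mask: str     # hex string as logged; 0x1 is KEY_QUERY_VALUE


def normalize_registry_path(path):
    """Lower-case the path and map the kernel-style roots to HKLM/HKU."""
    p = path.strip().lower()
    p = p.replace(r"\registry\machine", "hklm")
    p = p.replace(r"\registry\user", "hku")
    p = p.replace("hkey_local_machine", "hklm")
    return p


def touches_uninstall_key(path):
    """True when the path is the Uninstall key or anything beneath it."""
    p = normalize_registry_path(path)
    return any(suffix in p for suffix in UNINSTALL_KEY_SUFFIXES)


def flag_uninstall_key_access(events):
    """Return the 4663 events from non-allowlisted processes that read
    the Uninstall key."""
    hits = []
    for ev in events:
        if ev.event_id != 4663:
            continue
        if ev.process_name.lower() in ALLOWLISTED_PROCESSES:
            continue
        if touches_uninstall_key(ev.object_name):
            hits.append(ev)
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    RegistryAccessEvent(4663, r"C:\Windows\System32\svchost.exe",
                        r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                        "0x1"),
    RegistryAccessEvent(4663, r"C:\Users\victim\AppData\Local\Temp\setup_tool.exe",
                        r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                        "0x1"),
    RegistryAccessEvent(4663, r"C:\Users\victim\AppData\Local\Temp\setup_tool.exe",
                        r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip",
                        "0x1"),
    RegistryAccessEvent(4663, r"C:\Program Files\Browser\browser.exe",
                        r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Classes",
                        "0x2"),
    # A value-modification event (4657) is a different signal and is skipped here.
    RegistryAccessEvent(4657, r"C:\Users\victim\AppData\Local\Temp\setup_tool.exe",
                        r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo",
                        "0x2"),
]


if __name__ == "__main__":
    for hit in flag_uninstall_key_access(SAMPLE_EVENTS):
        print(f"T1012 candidate: {hit.process_name} read {hit.object_name}")
```

Event 4663 is only emitted for registry keys that carry a SACL audit entry, so the key has to be audited before this logic sees anything; the allowlist is where the bulk of the tuning effort goes in practice, since inventory agents and installers read this key legitimately.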

Collection

1 technique
T1005 Data from Local System (evidence: 1)

The stealer is equipped to harvest a wide range of data from compromised hosts, including exfiltrating credentials, files, keychain databases, and seed phrases from cryptocurrency wallets.
