StealC
StealC is an information stealer sold as a malware-as-a-service by a developer known as Plymouth on Russian-speaking underground forums since January 2023. Subscriptions run $200 per month, and the developer openly stated that StealC's design borrows from Vidar, Raccoon, Mars, and RedLine. The V1 source code was later offered at $3,000 per copy, which expanded the operator base beyond direct subscribers.
The stealer targets credentials and session data from over 20 browsers, 50+ cryptocurrency wallet extensions, email clients including Outlook, messaging apps like Telegram and Discord, and Steam authentication tokens. A file grabber sweeps user directories for documents, database files, and wallet data. Version 2, released in March 2025, changed how browser credentials are handled. Chromium passwords and cookies are no longer decrypted on the victim's machine. Instead, the encrypted login data and master key get exfiltrated to the C2 server for server-side decryption. This sidesteps Chrome's application-bound encryption and shrinks the malware's local detection footprint.
C2 communication uses a JSON-based HTTP protocol on port 80. The bot registers with a build ID and hardware fingerprint, receives an access token and collection config, then uploads stolen data as Base64-encoded payloads with chunking for large files. String obfuscation uses two-stage RC4 with hardcoded keys, and network traffic gained RC4 encryption in later V2 builds. C2 URLs follow a consistent pattern of random hexadecimal PHP endpoints. The malware refuses to run on systems with CIS country language settings and can self-delete on command from the server.
Distribution runs through third-party delivery services rather than through the StealC operators themselves. The biggest vector is ClickFix, a social engineering technique in which compromised websites show fake CAPTCHA pages that trick users into pasting PowerShell commands. Other chains include the Amadey botnet loader, MintsLoader via phishing attachments, and AI-generated TikTok and YouTube videos posing as software activation tutorials. One TikTok video telling users to run a PowerShell command hit roughly 500,000 views. A separate campaign built a fake meeting app called Vortax, pushed through crypto-focused Discord and Telegram channels, and stole over $245,000 in cryptocurrency. Stolen StealC credentials have also fed into ransomware operations, with initial access brokers reselling harvested VPN credentials.
Infrastructure sits on raw IP addresses hosted by bulletproof providers across the Netherlands, Finland, Germany, and Russia. Domain-based C2 servers use cheap disposable TLDs like .top, .icu, and .sbs. At its V1 peak in August 2023, over 120 C2 servers were active at once. The V2 admin panel source code leaked publicly in late 2025. Researchers then found an XSS vulnerability in the panel that let them steal operator session cookies - a fitting weakness in a tool built to steal cookies.
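The C2 traits above (plain HTTP on port 80, raw-IP or disposable-TLD hosts, random hex PHP endpoints, POSTed Base64 uploads) can be turned into a hunting query over proxy logs. The following is an added example written for this page, not code from any of the cited vendors; the log format, the minimum hex length in the path pattern, and the sample addresses are constructed assumptions.

```python
import re
# Heuristics from the write-up: raw-IP or cheap-TLD hosts, plain HTTP, random hex .php paths.
DISPOSABLE_TLDS = {"top", "icu", "sbs"}       # TLDs named on the page; extend as needed
HEX_PHP = re.compile(r"^/[0-9a-f]{8,}\.php$")  # ASSUMPTION: minimum hex length of 8
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")  # "<ts> <client> <method> <url> <status>"
URL = re.compile(r"^(https?)://([^/]+)(/[^?#]*)?")

# Constructed sample proxy log (documentation-range addresses, not real indicators).
SAMPLE_LOG = """\
2026-04-14T10:01:02Z 10.0.0.5 POST http://203.0.113.10/9f2c1a7e4b3d.php 200
2026-04-14T10:01:09Z 10.0.0.5 POST http://203.0.113.10/9f2c1a7e4b3d.php 200
2026-04-14T10:02:15Z 10.0.0.7 GET https://www.example.com/index.php 200
2026-04-14T10:03:44Z 10.0.0.9 POST http://update.example.top/a1b2c3d4e5f6a7b8.php 200
2026-04-14T10:04:01Z 10.0.0.9 GET http://203.0.113.10/static/logo.png 200
"""

def score_request(method, url):
    # Return the list of matched indicators for one request (empty = nothing suspicious).
    m = URL.match(url)
    if not m:
        return []
    scheme, host, path = m.groups()
    host = host.split(":")[0]  # drop an explicit port before classifying the host
    hits = []
    if scheme == "http":
        hits.append("plain-http")
    if IPV4.match(host):
        hits.append("raw-ip-host")
    elif host.rsplit(".", 1)[-1].lower() in DISPOSABLE_TLDS:
        hits.append("disposable-tld")
    if path and HEX_PHP.match(path):
        hits.append("hex-php-endpoint")
    if method == "POST":
        hits.append("post-upload")
    return hits

def hunt(log_text, min_hits=3):
    # Group flagged requests by (client, url) and count repeats, which surfaces beaconing.
    findings = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _ts, client, method, url, _status = m.groups()
        hits = score_request(method, url)
        if len(hits) >= min_hits:
            entry = findings.setdefault((client, url), {"indicators": hits, "count": 0})
            entry["count"] += 1
    return findings
```

These are hunting heuristics rather than blocking rules: a raw-IP GET for a static asset scores below the threshold, while a repeated POST to a hex `.php` endpoint on a raw IP surfaces with its repeat count for analyst triage.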
C2 Infrastructure
Last 7 days
| Date | C2 Hosts |
|---|---|
| Apr 14, 2026 | 7 |
| Apr 13, 2026 | 4 |
| Apr 12, 2026 | 3 |
| Apr 11, 2026 | 7 |
| Apr 10, 2026 | 5 |
| Apr 9, 2026 | 21 |
| Apr 8, 2026 | 9 |
Further Reading
Sekoia's original analysis from February 2023. Documents code lineage from Vidar, Raccoon, Mars, and RedLine. Covers V1 C2 protocol, DLL dependencies, and data collection sequence.
Zscaler's tracking of V1 configuration evolution across three major shifts in 2023. Documents C2 infrastructure scale peaking at 120+ simultaneous servers in August 2023.
CyberArk's V2 protocol deep-dive and admin panel XSS discovery. Covers RC4 string obfuscation, JSON C2 communication, server-side credential decryption, and the irony of a cookie stealer lacking httpOnly protections.
Trend Micro documents AI-generated TikTok videos tricking users into running PowerShell commands disguised as software activation guides. One video reached 500,000 views.
Recorded Future's investigation of the Vortax fake meeting software campaign. Cross-platform delivery (Windows + macOS), crypto-focused targeting via Discord and Telegram, over $245,000 in cryptocurrency stolen.
Trend Micro's analysis of EncryptHub exploiting CVE-2025-26633 to deploy StealC alongside other stealers. Covers malicious provisioning packages, signed MSI files, and shared C2 infrastructure.
Sophos traces a full kill chain from ClickFix social engineering through StealC credential theft to VPN access sold by an initial access broker, ending in Qilin ransomware deployment.
Recorded Future's analysis of MintsLoader as a multi-stage delivery mechanism for StealC. Covers phishing with JavaScript invoice attachments and fake CAPTCHA landing pages.
VMRay's early technical analysis of V1. Covers anti-VM checks, dynamic API resolution, third-party DLL downloads from C2, and the data collection workflow.