StealC Malware Receives A Massive Upgrade
According to security firm Zscaler, the popular information stealer and malware downloader StealC has received a massive upgrade in recent months and is currently tracked by multiple sources as Stealc_v2.
StealC has been sold on underground hacking forums since January 2023. In March 2025, StealC version 2 was introduced, with massive updates designed to improve the malware's ability to steal data and evade detection. The malware has been in constant development since its launch, with version 2, or Stealc_v2, marking a significant upgrade over the previously existing version.
At the time of writing, Stealc_v2 can target and steal data from over twenty Chromium and Gecko-based browsers. It attempts to steal browsing histories, Internet cookies, auto-fills used to conveniently fill out web forms and logins, passwords (except for Firefox), and credit/debit card numbers.
Stealc_v2 tries to obtain data associated with over one hundred browser extensions, including those linked to cryptocurrency. Further, later versions of the malware can take screen captures from machines, including those set up to use multiple monitors. Regarding Firefox, password data can still be stolen but is done differently; more on this below.
Previous analysis of version 2 revealed that malware developers had added the following features:
- Version control enforcement: The builder requires a version update that is provided in a ZIP archive to be uploaded via the framework's admin settings. This ensures that operators cannot install older versions than the most recently applied update.
- Telegram bot integration: The control panel supports Telegram bot integration for sending notifications and allows customization of message formats.
- Rule-based payload delivery: Payload delivery depends on rules created by the operator, such as bot geolocation, build IDs, markers triggered, or identified software/processes during the information-gathering phase. These rules dictate how payload responses are generated.
- Ongoing development: The panel is rapidly evolving, with partially implemented features such as Firefox plugin loading. RC4 encryption for network communication was initially present in the code but commented out; the recently released update (version 2.2.0) enabled RC4 encryption for network communications.
- Endpoint file handling: The control panel endpoint supports file-based uploads (e.g., multipart/form-data) similar to StealC V1 but now exclusively processes upload_file commands.
- IP and HWID-based blocking: The panel allows operators to block communications based on IP addresses (or IP masks) and specific HWIDs. Additionally, IP addresses can be automatically blocked for the remainder of the day after the communication process is completed.
- Fake 404 error for C2 discovery evasion: Early versions of the panel served fake 404 Not Found pages. However, a researcher noticed this fake response could be used to easily detect StealC V2 servers, and newer updates reportedly patched this behavior.
- Basic RC4 implementation: Despite the first StealC V2 advertisement claiming to implement a custom RC4 algorithm, the RC4 implementation used is standard.
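Because the advertised "custom RC4" turned out to be textbook RC4, an analyst who recovers the key from a sample can decode captured C2 traffic in a lab with an ordinary implementation, after first confirming the algorithm against a published test vector. The following is an added example, not code from the article, from Zscaler, or from the malware; the key and message it decodes are constructed for illustration.

```python
# Added example (not from the article or from any StealC component): a standard RC4
# implementation, a check against the well-known "Key"/"Plaintext" test vector, and a
# helper for decoding a captured RC4-protected message in a lab. The key and message
# below are constructed placeholders, not values taken from any real sample.

def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: build the 256-byte state permutation from the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric) by XORing data with the PRGA keystream."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def is_standard_rc4(crypt_fn) -> bool:
    """Return True if crypt_fn reproduces the published RC4 test vector.

    Key "Key", plaintext "Plaintext" must give BBF316E8D940AF0AD3. An implementation
    that claims to be a "custom RC4" but passes this check is plain RC4.
    """
    return crypt_fn(b"Key", b"Plaintext") == bytes.fromhex("BBF316E8D940AF0AD3")


def decode_c2_message(key: bytes, ciphertext: bytes) -> str:
    """Decrypt a captured RC4-protected message and render it as text for review."""
    return rc4_crypt(key, ciphertext).decode("utf-8", errors="replace")


# Constructed lab sample: a placeholder key and a placeholder check-in body.
CONSTRUCTED_KEY = b"example-rc4-key"
CONSTRUCTED_MESSAGE = b"hwid=EXAMPLE-HWID&build=example-build"
CONSTRUCTED_CIPHERTEXT = rc4_crypt(CONSTRUCTED_KEY, CONSTRUCTED_MESSAGE)

if __name__ == "__main__":
    print("standard RC4:", is_standard_rc4(rc4_crypt))
    print("decoded:", decode_c2_message(CONSTRUCTED_KEY, CONSTRUCTED_CIPHERTEXT))
```

The test-vector check is the useful part: before spending time on a "custom" cipher, run the sample's routine (or a reimplementation of it) against the known vector, and only fall back to reversing the algorithm if it fails.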
Newer additions discovered by Zscaler include improved downloading and executing of payloads in three formats: executable (EXE) files, Microsoft Software Installer (MSI) packages, and PowerShell scripts. Depending on the loader configuration parameter provided by the command-and-control server in its initial response, this functionality can be triggered either before or after the data-stealing functions are executed.
Data Theft
Following the early releases of Stealc_v2, Trac-Labs provided a detailed analysis of the malware. Of particular interest was how data is exfiltrated and decrypted by threat actors. Currently, much of the malware's theft capability rests on server-side decryption of Chrome-based browser cookies and passwords.
Researchers noted that server-side decryption is not possible for Firefox, and neither is server-side brute-forcing of crypto plugins. Instead, the malware decrypts Firefox passwords and cookies directly within the binary itself rather than exfiltrating them in encrypted form to the server-side infrastructure.
For Chrome versions prior to version 80, researchers stated,
For Chrome versions prior to v80 (referred to as “v10” in the code), the stealer uses a straightforward decryption technique. It accesses Chrome’s “Login Data” SQLite database file, which contains encrypted credentials identifiable by the “DPAPI” signature. The stealer leverages Chrome’s pre-v80 implementation: passwords were encrypted using AES with a static, hardcoded key that remained consistent across all Chrome installations. This allows the stealer to directly decrypt the credentials without requiring additional system privileges or complex operations.
For versions 80 and above, researchers stated,
For Chrome v80+ credentials, the stealer leverages APC (Asynchronous Procedure Call) injection to bypass Chrome’s improved security model. The process begins by creating a suspended process using CreateProcessA with a path received from the caller (Chrome’s executable path). Once the process is created, the stealer allocates memory within this process using VirtualAllocEx, securing 153,088 bytes of executable memory. It then writes the custom embedded payload into this allocated memory using WriteProcessMemory. This payload contains the code necessary to interact with the Windows DPAPI and Chrome’s encryption mechanisms within the context of a legitimate Chrome process. The injected custom payload establishes a COM connection with Windows cryptographic services using CoCreateInstance and CoSetProxyBlanket, directly interfacing with DPAPI. It targets Chrome’s Local State file, extracts the encrypted master key, and leverages the COM interface to decrypt it, transmitting the result back to the main stealer process through a named pipe. The C2 [command-and-control] server contains a PHP implementation that handles the standard cryptographic operations using AES-256-GCM to decrypt the credentials once it receives the master key from the client.
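The sequence quoted above leaves a host-level trace a defender can look for: a process that is not a browser opening chrome.exe with memory-write rights before the WriteProcessMemory step. The following is an added example, not code from the article, from Trac-Labs, or from the malware; it runs simple detection logic over constructed Sysmon Event ID 10 (ProcessAccess) records. The line format, the allowlist of browser images, and the sample paths are assumptions; the access-right constants are the documented Windows values that Sysmon reports in the GrantedAccess mask.

```python
# Added example (not from the article or from any StealC component): flag ProcessAccess
# events in which a non-browser process opens a browser process with the rights needed
# to allocate and write memory (PROCESS_VM_OPERATION | PROCESS_VM_WRITE). The "key=value;"
# line format and every path below are constructed for this example; real Sysmon output
# is XML/EVTX and would need its own parser.
import ntpath

PROCESS_VM_OPERATION = 0x0008  # needed by VirtualAllocEx
PROCESS_VM_WRITE = 0x0020      # needed by WriteProcessMemory
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumption: browser processes legitimately open each other (brokers, renderers),
# so browser-to-browser access is excluded. Tune this allowlist for your estate.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample records (Sysmon Event ID 10 fields, one record per line).
SAMPLE_EVENTS = [
    # benign: Chrome's own process tree touching another Chrome process
    "SourceImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe;"
    "TargetImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe;GrantedAccess=0x1fffff",
    # suspicious: unknown binary in %TEMP% opening chrome.exe with VM_OPERATION|VM_READ|VM_WRITE
    "SourceImage=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe;"
    "TargetImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe;GrantedAccess=0x38",
    # benign: a scanner that only reads memory (VM_READ | QUERY_INFORMATION)
    "SourceImage=C:\\Program Files\\Vendor\\scanner.exe;"
    "TargetImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe;GrantedAccess=0x410",
    # out of scope: same binary, but the target is not a browser
    "SourceImage=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe;"
    "TargetImage=C:\\Windows\\System32\\notepad.exe;GrantedAccess=0x38",
]


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value;key=value' record into a dict with an int mask."""
    fields = dict(part.split("=", 1) for part in line.split(";"))
    fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    return fields


def is_suspicious(event: dict) -> bool:
    """True when a non-browser image opens a browser image with memory-write rights."""
    source = ntpath.basename(event["SourceImage"]).lower()
    target = ntpath.basename(event["TargetImage"]).lower()
    if target not in BROWSER_IMAGES:
        return False
    if source in BROWSER_IMAGES:
        return False
    return (event["GrantedAccess"] & WRITE_MASK) == WRITE_MASK


def find_suspicious(lines) -> list:
    """Return the parsed records that match the write-access-into-browser pattern."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {ev['SourceImage']} -> {ev['TargetImage']} "
              f"access=0x{ev['GrantedAccess']:x}")
```

Because the stealer starts the Chrome process itself in a suspended state, a complementary signal is a Sysmon Event ID 1 (ProcessCreate) record for chrome.exe whose ParentImage is not a browser, explorer.exe, or another expected launcher; combining the two signals on the same process id keeps the false-positive rate from legitimate tooling manageable.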
In conclusion, Stealc_v2 introduces improvements, such as enhanced payload delivery, a streamlined communications protocol with encryption, and a redesigned control panel that provides more targeted information collection.
Stealc_v2 is frequently used in conjunction with other malware families, such as Amadey, a strain of malware capable of downloading and installing other malware, stealing personal information, logging keystrokes, sending spam from a victim's computer, and adding an infected computer to a botnet.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.