Security researchers have identified a weakness in the web-based dashboard used by operators of the StealC information-stealing malware, allowing them to turn the malware infrastructure against its own users. The flaw made it possible to observe attacker activity and gather technical details about the systems being used by cybercriminals.
StealC first surfaced in early 2023 and was heavily promoted across underground cybercrime forums. It gained traction quickly because of its ability to bypass detection tools and extract a wide range of sensitive data from infected devices, including credentials and browser-stored information.
As adoption increased, the malware’s developer continued to expand its capabilities. By April 2024, a major update labeled version 2.0 introduced automated alerting through messaging services and a redesigned malware builder. This allowed customers to generate customized versions of StealC based on predefined templates and specific data theft requirements.
Around the same time, the source code for StealC’s administration panel was leaked online. This leak enabled researchers to study how the control system functioned and identify potential security gaps within the malware’s own ecosystem.
During this analysis, researchers discovered a cross-site scripting vulnerability within the panel. By exploiting this weakness, they were able to view live operator sessions, collect browser-level fingerprints, and extract session cookies. This access allowed them to remotely take control of active sessions from their own systems.
Using this method, the researchers gathered information such as approximate location indicators, device configurations, and hardware details of StealC users. In some cases, they were able to directly access the panel as if they were the attacker themselves.
To prevent rapid remediation by cybercriminals, the researchers chose not to publish technical specifics about the vulnerability.
The investigation also provided insight into how StealC was being actively deployed. One customer, tracked under an alias, had taken control of previously legitimate video-sharing accounts and used them to distribute malicious links. These campaigns remained active throughout 2025.
Data visible within the control panel showed that more than 5,000 victim systems were compromised during this period. The operation resulted in the theft of roughly 390,000 passwords and tens of millions of browser cookies, although most of the cookies did not contain sensitive information.
Panel screenshots further indicated that many infections occurred when users searched online for pirated versions of widely used creative software. This reinforces the continued risk associated with downloading cracked applications from untrusted sources.
The researchers were also able to identify technical details about the attacker’s setup. Evidence suggested the use of an Apple device powered by an M3 processor, with both English and Russian language configurations enabled, and activity aligned with an Eastern European time zone.
The attacker’s real network location was exposed when they accessed the panel without a privacy tool. This mistake revealed an IP address associated with a Ukrainian internet service provider.
Researchers noted that while malware-as-a-service platforms allow criminals to scale attacks efficiently, they also increase the likelihood of operational mistakes that can expose threat actors.
The decision to disclose the existence of the vulnerability was driven by a recent increase in StealC usage. By publicizing the risk, the researchers aim to disrupt ongoing operations and force attackers to reconsider relying on the malware, potentially weakening activity across the broader cybercrime market.
