A cross-site scripting (XSS) vulnerability in the web-based management panel used by StealC information-stealing malware operators enabled security researchers to monitor live activity and collect intelligence about the attackers’ systems.
First appearing in early 2023, StealC quickly gained traction on dark web forums due to aggressive promotion and its ability to evade detection while harvesting large volumes of sensitive data. Over time, the malware continued to evolve, with its developer rolling out several upgrades to expand functionality and appeal among cybercriminals.
A major update arrived in April last year with the launch of StealC version 2.0. This release introduced Telegram bot integration for real-time notifications, along with a revamped builder capable of creating customized malware samples based on templates and tailored data-exfiltration rules. Around the same period, the source code for StealC’s administrative panel was leaked, allowing researchers deeper insight into its internal workings.
CyberArk analysts later identified an XSS flaw within the panel that proved particularly revealing. By abusing this weakness, the team was able to gather browser and hardware fingerprints of StealC operators, monitor ongoing sessions, extract session cookies, and remotely take over active panel logins.
“By exploiting the vulnerability, we were able to identify characteristics of the threat actor’s computers, including general location indicators and computer hardware details,” the researchers say.
“Additionally, we were able to retrieve active session cookies, which allowed us to gain control of sessions from our own machines.”
To avoid tipping off attackers and enabling a rapid fix, CyberArk chose not to publish technical specifics about the XSS issue.
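The article withholds the details of the panel flaw, so the following is an added, generic illustration rather than CyberArk's research code or anything from the leaked StealC panel. It shows the two defensive controls that decide whether an XSS bug in a log-viewing page can hand over a session the way the researchers describe: escaping untrusted values before they reach HTML, and setting the session cookie so that page script cannot read it. The sample record, the `probe()` marker inside it, and the cookie name `sid` are constructed for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample row: the kind of record a log panel would render. The
# hostname carries markup, standing in for any untrusted value that is
# written into a page verbatim (hypothetical data, not from the article).
SAMPLE_RECORD = {
    "hostname": "DESKTOP-01<script>probe()</script>",
    "country": "US",
}

COLUMNS = ("hostname", "country")


def render_row_vulnerable(record: dict) -> str:
    """Interpolates field values straight into HTML, so any tag inside a
    value becomes live markup when the page is viewed."""
    cells = "".join(f"<td>{record[col]}</td>" for col in COLUMNS)
    return f"<tr>{cells}</tr>"


def render_row_hardened(record: dict) -> str:
    """Same row, but every value is HTML-escaped (quote=True also covers
    attribute contexts), so the markup is displayed as text, not executed."""
    cells = "".join(
        f"<td>{html.escape(str(record[col]), quote=True)}</td>" for col in COLUMNS
    )
    return f"<tr>{cells}</tr>"


def session_cookie_is_hardened(set_cookie_header: str, name: str = "sid") -> bool:
    """Checks a Set-Cookie header for the flags that keep a session cookie
    out of reach of injected script and cross-site requests:
    HttpOnly (not readable via document.cookie), Secure (HTTPS only) and
    SameSite=Lax or Strict."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(name)
    if morsel is None:
        return False
    httponly = bool(morsel["httponly"])
    secure = bool(morsel["secure"])
    samesite_ok = str(morsel["samesite"]).lower() in ("lax", "strict")
    return httponly and secure and samesite_ok


if __name__ == "__main__":
    print("vulnerable:", render_row_vulnerable(SAMPLE_RECORD))
    print("hardened:  ", render_row_hardened(SAMPLE_RECORD))
    for hdr in ("sid=abc123; Path=/",
                "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"):
        print(hdr, "->", "ok" if session_cookie_is_hardened(hdr) else "weak")
```

The two checks are complementary: escaping stops injected script from running at all, while `HttpOnly` limits the damage if an injection still slips through, because the session cookie is never exposed to `document.cookie`. A panel that lacked both is consistent with what the article reports, namely that a single XSS bug was enough to read active session cookies and reuse them from another machine.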
The research also details a StealC user tracked as ‘YouTubeTA’, who reportedly took over dormant but legitimate YouTube channels—likely through stolen credentials—and used them to distribute malicious links. Throughout 2025, this actor conducted sustained malware campaigns, amassing more than 5,000 victim logs, roughly 390,000 passwords, and around 30 million cookies, the majority of which were non-sensitive.
Screenshots from the attacker’s control panel suggest that infections largely occurred when victims searched online for pirated versions of Adobe Photoshop and Adobe After Effects. Exploiting the XSS flaw further allowed researchers to profile the attacker’s setup, revealing the use of an Apple M3-based machine configured with English and Russian language settings, operating in an Eastern European time zone, and connecting from Ukraine.
The individual’s real location was exposed after they accessed the StealC panel without a VPN, revealing an IP address tied to Ukrainian internet provider TRK Cable TV.
CyberArk emphasized that while malware-as-a-service (MaaS) platforms allow threat actors to scale operations quickly, they also introduce significant risks by increasing the chances of operational exposure.
BleepingComputer reached out to CyberArk to understand the timing behind the disclosure. Researcher Ari Novick explained that the decision was driven by a recent surge in StealC activity, possibly linked to upheaval surrounding the Lumma malware ecosystem.
"By posting the existence of the XSS we hope to cause at least some disruption in the use of the StealC malware, as operators re-evaluate using it. Since there are now relatively many operators, it seemed like a prime opportunity to potentially cause a fairly significant disruption in the MaaS market."