The developers of the StealC malware have released the second major version of the infostealer, with numerous enhancements to its stealth and data-theft capabilities.
The new iteration of StealC became available to cybercriminals last month, and researchers have now published a thorough analysis of it. Since the initial v2 release, several minor bug fixes and incremental updates have added further functionality; the most recent version at the time of the analysis is 2.2.4.
StealC is a lightweight info-stealer malware that gained traction on the dark web in early 2023. It is available for $200 per month.
Last year, StealC was used in widespread malvertising campaigns, including attacks that locked the victim's browser in kiosk mode so it could not be closed normally, pressuring the user into entering their credentials. Researchers also confirmed that development was highly active: the developers implemented a bypass for Chrome's 'App-Bound Encryption' cookie-theft protection and added the ability to regenerate expired Google cookies, allowing stolen sessions to be used to hijack Google accounts.
StealC upgraded various capabilities that make infection campaigns more efficient.
Released in March 2025, the new version brings several significant upgrades aimed at payload delivery, stealth, and operational flexibility. Key additions include loader functionality for follow-on payloads delivered as EXE files, MSI packages, and PowerShell scripts, with configurable conditions for when those payloads are triggered.
In addition, the embedded strings and C2 communications are now protected with RC4, using randomised parameters so that the encrypted artefacts differ from build to build and static signatures written against them do not hold. The malware has also been optimised for 64-bit systems, resolves API functions dynamically at runtime rather than through a static import table, and includes a self-deletion routine to reduce the forensic traces left on disk.
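As an added illustration of the RC4 protection described above (this is example code written for this article, not code from StealC or from the researchers' analysis), the following Python implements the cipher, encrypts a constructed check-in message and string table with a demo key, shows why two builds with independently random keys yield unrelated ciphertext for the same plaintext, and decrypts the string table the way an analyst would once the key has been recovered from a sample. The key, the beacon format and the string contents are assumptions made for the example.

```python
"""
Added example (not StealC's own code): a minimal RC4 implementation showing
how a stealer can hide its strings and C2 traffic, why a random per-build key
defeats static signatures on the encrypted data, and how an analyst who has
recovered the key from a sample decrypts the embedded string table.
The key, beacon and string table below are constructed for this example.
"""
import os
from typing import Iterator, List


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield the RC4 keystream for `key` (key scheduling, then the PRGA)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher, so the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Constructed sample inputs (assumptions for this example, not real StealC data).
DEMO_KEY = b"demo-build-key-2025"
SAMPLE_BEACON = b"hwid=ABCD-1234&build=demo&os=Windows10x64"
PLAIN_STRINGS = [
    b"\\Google\\Chrome\\User Data\\Default\\Login Data",
    b"\\Exodus\\exodus.wallet",
    b"api.telegram.org",
]
# What an analyst sees in the binary: each string stored RC4-encrypted.
ENCRYPTED_STRINGS = [rc4(DEMO_KEY, s) for s in PLAIN_STRINGS]


def protect_beacon(key: bytes, beacon: bytes = SAMPLE_BEACON) -> bytes:
    """Malware side: encrypt a check-in message before sending it to the C2."""
    return rc4(key, beacon)


def recover_beacon(key: bytes, blob: bytes) -> bytes:
    """Analyst side: decrypt a captured check-in once the key is known."""
    return rc4(key, blob)


def decrypt_string_table(key: bytes, blobs: List[bytes]) -> List[str]:
    """Bulk-decrypt an embedded string table with a key pulled from the sample."""
    return [rc4(key, b).decode("utf-8", errors="replace") for b in blobs]


def ciphertexts_differ_across_builds(plaintext: bytes = SAMPLE_BEACON) -> bool:
    """Two builds with independently random keys encrypt the same plaintext to
    unrelated bytes, so a signature on one build's encrypted strings or
    traffic does not match the next build."""
    key_a, key_b = os.urandom(16), os.urandom(16)
    return rc4(key_a, plaintext) != rc4(key_b, plaintext)


if __name__ == "__main__":
    blob = protect_beacon(DEMO_KEY)
    print("encrypted beacon:", blob.hex())
    print("recovered beacon:", recover_beacon(DEMO_KEY, blob).decode())
    print("string table:", decrypt_string_table(DEMO_KEY, ENCRYPTED_STRINGS))
    print("per-build keys differ:", ciphertexts_differ_across_builds())
```

The practical consequence for detection engineering is that signatures should target what survives the randomisation: the plaintext strings after decryption in memory, the key-scheduling loop itself (the 256-byte swap pattern is recognisable in code), or behaviour such as the dynamic API resolution and self-deletion, rather than the encrypted bytes of any single build.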
Furthermore, operational improvements include an embedded builder that lets operators create custom StealC builds with their own data-theft rules, real-time Telegram bot notifications for operators, and screenshot capture across multiple monitors.
This update also drops certain features, such as anti-VM checks and the ability to download and execute DLLs, which may signal a shift toward a leaner binary with fewer behavioural indicators.
These removals might be a deliberate simplification, but they could also be a by-product of the extensive code restructuring and may return in improved form in future updates.
In the latest reported attacks, StealC was dropped by a separate malware loader; individual operators may, however, change their delivery methods or attack chains.
To reduce exposure to infostealers, users should avoid saving sensitive data such as passwords in the browser for convenience, enable MFA on their accounts, and refrain from downloading pirated or otherwise questionable software from unreliable sources.
