StealC V2: Advanced Infostealer Malware
2025.07.01

✅ Report Title: Analysis of StealC V2 Malware

✅ Executive Summary:

- StealC is a C-based infostealer malware first advertised by a user named "plymouth" on a Deep & Dark Web (DDW) forum around January 2023.

- In March 2025, the same user announced the release of StealC V2, claiming a new codebase, server-side decryption of Chromium-based browser cookies, and a server-side password bruteforcing feature.

- StealC V2 does not decrypt browser credentials locally. Instead, it exfiltrates Login Data, Cookies, and the master key to its C2 server, where decryption is handled server-side. It also supports chunked data exfiltration for large files.

- Through loader-type commands, StealC V2 can download and execute additional payloads using PE execution, PowerShell, or MSI installers.

- The malware communicates with the C2 server to retrieve configuration data and dynamically determine its targets for information theft.

📌 How does StealC V2 operate?

- String decoding: Decrypts the WinAPI function names and other strings it needs at runtime using the RC4 algorithm.

- Region validation: Detects the language environment of the infected system and avoids running on systems in CIS countries.

- Time-based evasion: Checks the system time and does not execute if it falls outside a defined window.

- Stealing Tasks: Communicates with the C2 server via HTTP/S POST to retrieve configuration and exfiltrate user data. All stolen data is transmitted in Base64-encoded format.
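The RC4 string decoding listed above is usually the first thing an analyst has to undo before the sample's imports and C2 strings become readable. The Python helper below is an added example, not code from the S2W report or from the malware itself: it implements plain RC4 and decrypts a table of encrypted strings, keeping only results that decode to printable ASCII so that a wrong key produces an empty result instead of garbage. The key, the plaintext WinAPI names and the encrypted blobs are all constructed for the demo; the real key has to be recovered from the binary being analysed.

```python
"""Added example (not S2W's code): recover RC4-encrypted strings of the kind
StealC V2 decodes at runtime. Key, plaintexts and blobs below are constructed
for the demo; a real sample's key must be recovered from the binary."""
from typing import Iterable, List


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_strings(key: bytes, blobs: Iterable[bytes]) -> List[str]:
    """Decrypt each blob and keep only printable ASCII results.

    With the wrong key the output is effectively random bytes, so the filter
    makes a bad key guess show up as an empty (or near-empty) list."""
    results = []
    for blob in blobs:
        plain = rc4(key, blob)
        try:
            text = plain.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            results.append(text)
    return results


# Constructed demo: we build the "encrypted string table" ourselves so the
# example runs offline. Neither the key nor the blobs come from a real sample.
DEMO_KEY = b"demo-key-not-real"
DEMO_PLAINTEXTS = ["GetProcAddress", "LoadLibraryA", "HttpSendRequestA"]
DEMO_BLOBS = [rc4(DEMO_KEY, p.encode()) for p in DEMO_PLAINTEXTS]

if __name__ == "__main__":
    for recovered in decode_strings(DEMO_KEY, DEMO_BLOBS):
        print(recovered)
```

In practice the blobs are carved from the sample's string table (often as length-prefixed entries) and the key from the routine that calls the decoder; the printable-ASCII filter is what lets you try candidate keys quickly and see at a glance which one is right.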



📌 What are the key characteristics of StealC V2?

- Dynamic C2-based target selection: StealC obtains real-time configuration from its C2 server, allowing attackers to easily modify or update target lists without changing the malware itself.

- Server-side decryption and exfiltration: For Chromium-based browsers, StealC V2 exfiltrates both the encrypted files and the master key, allowing the server to handle decryption. Files are sent via separate HTTP requests rather than archived on the client, helping bypass real-time antivirus detection and minimizing data loss.

- Analysis evasion techniques: String and WinAPI names are encrypted using RC4 and decrypted during execution. It avoids CIS targets by checking language settings, and uses time-based evasion by limiting execution to a specific time window. Notably, previous versions' anti-sandbox functionality has been removed, and its duplicate execution prevention appears to be ineffective.

- Payload execution functionality: StealC supports downloading and executing additional payloads via C2 commands. Supported methods include PE files, PowerShell scripts, and MSI installers, allowing attackers to inject additional malicious behavior into compromised systems.
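The server-side decryption bullet above describes a traffic shape a defender can hunt for directly: instead of one large archive, a host sends many separate POSTs with Base64 bodies to one destination in a short time. The Python script below is an added example, not code from the S2W report: it parses proxy log lines and reports source/destination pairs whose Base64-bodied POSTs cluster inside a sliding time window. The log format, IP addresses and hostnames are constructed for the demo and do not come from the report.

```python
"""Added example (not S2W's code): surface hosts that send bursts of HTTP POSTs
with Base64-looking bodies to a single destination, the shape of StealC V2's
chunked, Base64-encoded exfiltration. All log lines, IPs and hostnames below
are constructed for the demo."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed proxy log format: <iso-ts> <src-ip> <method> <url> <body-bytes> <body-sample>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<size>\d+) (?P<sample>\S*)$"
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_base64(sample: str, min_len: int = 32) -> bool:
    """Shape check only: long enough, Base64 alphabet, and it actually decodes."""
    if len(sample) < min_len or len(sample) % 4 or not B64_RE.match(sample):
        return False
    try:
        base64.b64decode(sample, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def find_chunked_exfil(lines: List[str], window: timedelta = timedelta(minutes=5),
                       min_posts: int = 5) -> List[Tuple[str, str, int, int]]:
    """Return (src, dest_host, post_count, total_bytes) for every (src, host) pair
    that issued at least `min_posts` Base64-bodied POSTs within any `window` span."""
    events: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not looks_base64(m["sample"]):
            continue
        host = m["url"].split("/", 3)[2]  # scheme://host/path -> host
        events[(m["src"], host)].append((datetime.fromisoformat(m["ts"]), int(m["size"])))

    hits = []
    for (src, host), evs in events.items():
        evs.sort()
        start, best = 0, (0, 0)
        for end in range(len(evs)):          # sliding window over sorted timestamps
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, sum(size for _, size in evs[start:end + 1]))
        if best[0] >= min_posts:
            hits.append((src, host, best[0], best[1]))
    return hits


def _b64_chunk(i: int) -> str:
    """Constructed Base64 body sample standing in for one exfiltrated chunk."""
    return base64.b64encode((b"chunk-%d-" % i) * 4).decode()


# Constructed log: six Base64 POSTs in five seconds from 10.0.0.5, plus benign traffic.
SAMPLE_LOG = [
    f"2025-07-01T10:00:{i:02d} 10.0.0.5 POST http://c2.example.invalid/upload 4096 {_b64_chunk(i)}"
    for i in range(6)
] + [
    "2025-07-01T10:00:30 10.0.0.5 GET http://c2.example.invalid/cfg 512 -",
    "2025-07-01T10:01:00 10.0.0.7 POST http://intranet.example.invalid/login 88 user=alice&pw=REDACTED",
    "2025-07-01T10:02:00 10.0.0.7 POST http://intranet.example.invalid/search 64 q=quarterly+report",
]

if __name__ == "__main__":
    for src, host, count, total in find_chunked_exfil(SAMPLE_LOG):
        print(f"{src} -> {host}: {count} Base64 POSTs, {total} bytes in window")
```

The check is deliberately about shape, not content: legitimate API clients also upload Base64 in chunks, so treat a hit as a lead to join with destination reputation, process lineage and the absence of a browser User-Agent rather than as a verdict on its own, and tune `window` and `min_posts` to your environment's baseline.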



✅ Detection Recommendations and Mitigation:

StealC V2 is a highly advanced infostealer equipped with dynamic configuration, server-side decryption, evasion techniques, and support for flexible payload execution. Ongoing version updates are expanding both the types and scope of data being stolen, requiring increased vigilance and proactive security response.

For more detailed analysis and response guidelines, please contact us through the link below.

🧑‍💻 Author: S2W TALON (Updated 2025-03-07)

👉 Contact us: https://s2w.inc/en/contact

*The full report is available upon request or with a subscription to the S2W platform.

