
Cybersecurity researchers have disclosed a cross-site scripting (XSS) vulnerability in the web-based control panel used by operators of the StealC information stealer. The flaw has been used to gain insight into one of the threat actors who deploy the malware in the wild.
“By exploiting this, they were able to collect system fingerprints, monitor active sessions, and, in a development that surprised no one, steal cookies from the very infrastructure they were designed to steal them from,” CyberArk researcher Ari Novick said in a report published last week.
StealC is an information stealer that first emerged in January 2023 under a malware-as-a-service (MaaS) model. Its customers distribute the malware disguised as cracks for popular software, using YouTube as a primary delivery channel (a phenomenon known as the YouTube Ghost Network).

Over the past year, this stealer has also been observed spreading via malicious Blender Foundation files and a social engineering tactic known as FileFix. Meanwhile, StealC received its own update, bringing Telegram bot integration for sending notifications, payload delivery enhancements, and a redesigned panel. The updated version was codenamed StealC V2.
A few weeks later, the source code for the malware’s admin panel was leaked, giving the research community the opportunity to identify characteristics of threat actors’ computers, including their rough location and details about their computer hardware, and to retrieve active session cookies from their machines.
The exact details of the XSS flaw in the panel have not been disclosed, both to keep the developers from patching it and to keep imitators from using the leaked panel to launch stealer MaaS services of their own.
In general terms, an XSS flaw is a client-side injection vulnerability that lets an attacker plant malicious JavaScript in a susceptible website so that it executes in the browser of any victim who loads the page. Such flaws arise when user input is neither validated nor properly encoded, and they let attackers steal cookies, impersonate users, and access sensitive information.

“Given that the StealC group’s core business includes cookie theft, one might expect StealC’s developers to be cookie experts and implement basic cookie security features such as httpOnly to prevent researchers from stealing cookies via XSS,” Novick said. “The irony is that an operation built around large-scale cookie theft failed to protect its own session cookies from textbook attacks.”
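The two weaknesses the article describes, untrusted input reflected into HTML without encoding and a session cookie issued without the HttpOnly flag, are illustrated below in an added example. This is not code from the CyberArk report or from the StealC panel; the page being rendered, the function names (renderSearchUnsafe, renderSearchSafe, sessionCookie, auditSetCookie) and the sample query string are all constructed for illustration.

```javascript
// Added example, not from the CyberArk report or the leaked panel source.
// A hypothetical panel page that echoes a user-supplied search query,
// shown first as the vulnerable pattern and then with output encoding,
// plus a Set-Cookie builder and an audit helper for session cookie flags.

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the untrusted query is concatenated straight into markup,
// so any tag in the query reaches the browser as markup, not as text.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened rendering: the same page with the untrusted value HTML-encoded.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Build a Set-Cookie header for a session cookie with the flags it should carry.
// HttpOnly keeps the value out of document.cookie, so script running in the page
// (legitimate or injected) cannot read the session token directly.
function sessionCookie(name, value, { maxAgeSeconds = 3600 } = {}) {
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Audit helper: given a Set-Cookie header value, list which of the expected
// attributes are absent. Attribute names are case-insensitive (RFC 6265).
function auditSetCookie(header) {
  const attrs = header
    .split(';')
    .slice(1) // first segment is name=value, the rest are attributes
    .map((a) => a.trim().split('=')[0].toLowerCase());
  const missing = [];
  for (const want of ['httponly', 'secure', 'samesite']) {
    if (!attrs.includes(want)) missing.push(want);
  }
  return missing;
}

// Constructed sample input: a query carrying a script tag, the kind of probe a
// tester submits to check whether a page reflects input without encoding.
const probe = '<script>document.title=1</script>';

console.log(renderSearchUnsafe(probe)); // script tag reaches the browser intact
console.log(renderSearchSafe(probe));   // rendered as inert text
console.log(sessionCookie('panel_session', 'abc123'));
console.log(auditSetCookie('panel_session=abc123; Path=/')); // [ 'httponly', 'secure', 'samesite' ]
console.log(auditSetCookie(sessionCookie('panel_session', 'abc123'))); // []
```

Output encoding at the point where data is written into HTML is the fix for the reflection itself; the HttpOnly flag is the compensating control that limits what a successful injection can reach, which is exactly the control the quoted researcher notes was absent from the panel.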
CyberArk also shared details of a StealC customer named YouTubeTA (short for “YouTube Threat Actor”). The customer used Google’s video-sharing platform extensively to distribute the stealer by promoting cracked versions of Adobe Photoshop and Adobe After Effects, and had amassed more than 5,000 logs, including 390,000 stolen passwords and more than 30 million stolen cookies. Most of the cookies were classified as tracking cookies and other non-sensitive cookies.
These efforts are suspected to have allowed the attacker to take over legitimate YouTube accounts and use them to promote cracked software, creating a self-perpetuating propagation mechanism. There is also evidence that fake CAPTCHA lures such as ClickFix were used to distribute StealC, suggesting that infections are not limited to the YouTube channel.

Further analysis revealed that this panel allows operators to create multiple users and differentiate between administrator users and regular users. In the case of YouTubeTA, only one admin user is known to appear on the panel, and this user is said to be using an Apple M3 processor-based machine with English and Russian language settings.
In what could be described as an operational security mistake on the attacker’s part, location information was exposed around mid-July 2025 when the attacker forgot to connect to the StealC panel via a virtual private network (VPN). This revealed a real IP address associated with a Ukrainian provider called TRK Cable TV. The findings indicate that YouTubeTA is a lone-wolf actor operating in Eastern European countries where Russian is commonly spoken.
The study also highlights the impact of the MaaS ecosystem. While the MaaS ecosystem allows threat actors to grow at scale in a short period of time, it also unintentionally exposes them to security risks that legitimate enterprises deal with.
“StealC developers have demonstrated weaknesses in both cookie security and panel code quality, which allowed us to collect large amounts of data about our customers,” CyberArk said. “If this holds true for other attackers selling malware, researchers and law enforcement could also use similar flaws to gain insight into, and perhaps even reveal the identity of, many malware operators.”
