The Arkanix stealer is a new malware family now spreading in the wild. It targets home users and small offices that rely on VPN clients and wireless networks for daily work.
Once active, it focuses on stealing VPN account data, Wi‑Fi profiles, browser credentials, and desktop screenshots.
This gives attackers direct access to private networks and a clear view of what the victim is doing.
Early attacks use simple but effective lures. Victims are tricked through fake software downloads, cracked tools, or email links that drop a small loader.
This loader then pulls the main Arkanix payload from a remote server and runs it without drawing attention.
The whole chain is built to look like a normal installer, which helps it blend into routine user activity.
G Data Cyber Defense security analysts identified Arkanix during an investigation into new info‑stealing campaigns.
Their telemetry showed repeated theft of VPN profiles and Wi‑Fi keys from systems in Europe and other regions, with the same code base behind the attacks.
Further analysis revealed a modular design that lets operators switch targets quickly, from browser data to screenshots or other files.
Once loaded, Arkanix scans the system for VPN configuration files, password stores, and saved wireless profiles. It exports them into a single archive, adds fresh screenshots from the active desktop, and then sends everything to a command‑and‑control (C2) server.
Network captures show outbound HTTPS requests that hide this theft inside encrypted traffic, making it harder to spot.
Infection chain and data theft
The main binary runs simple but focused code to collect data. A common pattern is a loop that walks known paths for VPN and Wi‑Fi data, then posts them to the C2 endpoint (pseudocode as shown in the analysis):

    for each (path in target_paths) {
        grab_files(path);        // copy VPN configs, Wi-Fi profiles, credential stores
    }
    take_screenshot();           // capture the active desktop
    upload_to_c2(zip_all());     // bundle everything and send it over HTTPS
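The collect-then-upload pattern above is also what a defender can key on. The following is an added detection example, not Arkanix code and not G Data's detection logic: it correlates reads of several credential stores by one process with an outbound HTTPS POST from that same process shortly afterwards. The event format, the store locations and the sample events are constructed assumptions for illustration.

```python
# Added detection example (not from the original analysis). Flags a process that
# reads several sensitive stores and then POSTs over HTTPS within a short window.
import re
from collections import defaultdict

# Constructed sample EDR-style events: (timestamp_seconds, pid, event, detail).
SAMPLE_EVENTS = [
    (100, 4120, "file_read", r"C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{guid}\prof1.xml"),
    (101, 4120, "file_read", r"C:\Users\alice\OpenVPN\config\office.ovpn"),
    (102, 4120, "file_read", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (103, 4120, "file_write", r"C:\Users\alice\AppData\Local\Temp\out.zip"),
    (105, 4120, "net_connect", "POST https://203.0.113.10/upload"),
    (200, 5210, "file_read", r"C:\Users\alice\OpenVPN\config\office.ovpn"),  # a VPN client reading its own config
    (900, 5210, "net_connect", "POST https://vpn.example.org/auth"),       # far outside the window, one category only
]

# Assumed locations of the stores the stealer targets; adjust to your environment.
SENSITIVE = {
    "wifi_profile": re.compile(r"\\Wlansvc\\Profiles\\", re.I),
    "vpn_config": re.compile(r"\\OpenVPN\\config\\|\.ovpn$", re.I),
    "browser_creds": re.compile(r"\\Login Data$", re.I),
}


def classify(path):
    """Return the sensitive-store categories a file path belongs to."""
    return [name for name, rx in SENSITIVE.items() if rx.search(path)]


def find_stealer_like(events, window=60, min_categories=2):
    """Alert when a pid reads at least `min_categories` distinct sensitive stores
    and then makes an outbound HTTPS POST within `window` seconds of those reads."""
    reads = defaultdict(list)  # pid -> [(timestamp, category)]
    alerts = []
    for ts, pid, kind, detail in sorted(events):
        if kind == "file_read":
            for cat in classify(detail):
                reads[pid].append((ts, cat))
        elif kind == "net_connect" and detail.startswith("POST https://"):
            recent = {cat for t, cat in reads[pid] if ts - t <= window}
            if len(recent) >= min_categories:
                alerts.append({"pid": pid, "ts": ts, "stores": sorted(recent), "dest": detail})
    return alerts


if __name__ == "__main__":
    for alert in find_stealer_like(SAMPLE_EVENTS):
        print(alert)
```

A legitimate VPN client reads its own config and later talks to its server, so the rule requires more than one store category and a tight read-to-upload window to avoid flagging it.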
A configuration panel used by the malware author controls which modules run, such as Wi‑Fi theft or screenshot capture.
The technical breakdown shows that Arkanix is built for direct access: steal VPN accounts, map Wi‑Fi networks, watch the screen, and then let intruders move into those environments with very little effort.