New StealC V2 Upgrade Targets Microsoft Installer Packages and PowerShell Scripts

StealC, a notorious information stealer and malware downloader first sold in January 2023, rolled out version 2 (V2) in March 2025 with sophisticated enhancements.

This latest iteration introduces a range of new capabilities, focusing on advanced payload delivery methods that include Microsoft Software Installer (MSI) packages and PowerShell scripts alongside traditional executable (EXE) files.

According to a Zscaler report, this development marks a notable evolution from StealC V1, expanding the malware’s reach and complexity.

The redesigned control panel now features an integrated builder, allowing threat actors to customize payload delivery based on geolocation, hardware IDs (HWID), and installed software, making targeted attacks more precise and effective.

Additionally, StealC V2 incorporates RC4 encryption in its recent variants (post-version 2.1.1), a streamlined JSON-based command-and-control (C2) communication protocol, and server-side brute-forcing for credential harvesting, underscoring its active development and increasing threat potential.

Technical Innovations and Evolving Threat Mechanisms

Delving deeper into the technical upgrades, StealC V2 has abandoned several features of its predecessor, such as anti-VM checks and third-party DLL downloads, while introducing multi-monitor screenshot capture and a unified file grabber targeting crypto wallets, gaming applications, VPNs, email clients, and browsers.

Figure: StealC V2’s communications workflow.

The malware, often packed with Themida for obfuscation, employs a two-stage deobfuscation process for strings and uses hardcoded RC4 keys for decrypting critical data, including an expiration date that terminates execution if surpassed.

Unlike StealC V1, the new version is compiled for x64 architectures and supports Chrome v20 application-bound encryption, showcasing its adaptability to modern systems.

Payload execution is notably refined: MSI files are installed silently via msiexec.exe with retry mechanisms, while PowerShell scripts are executed remotely without retries, enhancing the malware’s stealth and persistence.
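The execution chain described above leaves a recognisable footprint in endpoint telemetry: one parent process that re-issues the same silent msiexec.exe install (the retry behaviour) and also launches powershell.exe. The following is an added example, not code from this article or from the Zscaler report. It runs that hunt over constructed Sysmon-style process-creation records; the tab-separated log layout, the 60-second retry window and the sample events are all assumptions.

```python
"""Hunt for the StealC V2 payload-execution pattern in process-creation logs.

Added example, not code from the article or the Zscaler report. It flags a
parent process that (a) re-issues the same silent msiexec.exe install within
a short window (the retry behaviour) and/or (b) also spawns powershell.exe.
The log layout, the retry window and the sample events are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon-style events: timestamp, parent PID, parent image, image, command line.
SAMPLE_EVENTS = """\
2025-03-10T10:00:01\t4120\tC:\\Users\\u\\AppData\\Local\\Temp\\update.exe\tC:\\Windows\\System32\\msiexec.exe\tmsiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\pkg.msi /qn
2025-03-10T10:00:04\t4120\tC:\\Users\\u\\AppData\\Local\\Temp\\update.exe\tC:\\Windows\\System32\\msiexec.exe\tmsiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\pkg.msi /qn
2025-03-10T10:00:07\t4120\tC:\\Users\\u\\AppData\\Local\\Temp\\update.exe\tC:\\Windows\\System32\\msiexec.exe\tmsiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\pkg.msi /qn
2025-03-10T10:00:09\t4120\tC:\\Users\\u\\AppData\\Local\\Temp\\update.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -NoProfile -WindowStyle Hidden -Command "<redacted>"
2025-03-10T10:05:00\t880\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\msiexec.exe\tmsiexec.exe /i C:\\Users\\u\\Downloads\\7zip.msi
"""

# msiexec quiet-install switches (/qn, /quiet, /q) anywhere in the command line.
QUIET_FLAGS = re.compile(r"(?i)(?:^|\s)/(?:qn|quiet|q)\b")
RETRY_WINDOW_SECONDS = 60  # assumption: retries of one install land within a minute


def parse_events(text):
    """Turn the tab-separated log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ppid, parent, image, cmd = line.split("\t", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ppid": int(ppid),
            "parent": parent,
            "image": image.lower(),
            "cmd": cmd,
        })
    return events


def detect_loader_parents(events):
    """Return {parent_pid: finding} for parents showing the MSI-retry / PowerShell pattern."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ppid"]].append(e)

    findings = {}
    for ppid, evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        quiet_msi = [e for e in evs
                     if e["image"].endswith("\\msiexec.exe") and QUIET_FLAGS.search(e["cmd"])]
        powershell = [e for e in evs if e["image"].endswith("\\powershell.exe")]

        # A retry is the same silent install command re-issued shortly after the previous one.
        retries = sum(
            1 for a, b in zip(quiet_msi, quiet_msi[1:])
            if a["cmd"] == b["cmd"]
            and (b["ts"] - a["ts"]).total_seconds() <= RETRY_WINDOW_SECONDS
        )
        if retries >= 1 or (quiet_msi and powershell):
            findings[ppid] = {
                "parent": evs[0]["parent"],
                "quiet_msi": len(quiet_msi),
                "msi_retries": retries,
                "powershell": len(powershell),
            }
    return findings


if __name__ == "__main__":
    for ppid, f in detect_loader_parents(parse_events(SAMPLE_EVENTS)).items():
        print(f"parent {ppid} ({f['parent']}): {f['quiet_msi']} silent MSI installs, "
              f"{f['msi_retries']} retries, {f['powershell']} PowerShell launches")
```

The explorer.exe-launched install in the sample is not flagged because it carries no quiet switch and is not repeated; a single legitimate silent install from a software-deployment agent would also pass, which is why the rule keys on the retry-plus-PowerShell combination rather than on msiexec.exe alone.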

Network communication now leverages JSON requests with a unique random parameter to evade static signatures, and error codes from the C2 server provide detailed feedback on malformed requests, a significant improvement over V1’s rudimentary responses.

The control panel’s evolution, including Telegram bot integration for notifications and rule-based payload delivery, empowers operators to trigger specific loaders based on markers like “coinbase.com” in stolen data, illustrating a highly targeted approach to data exfiltration.

Figure: StealC V2 marker rule that searches for coinbase.com.

StealC V2’s ongoing updates, managed by its development team via ZIP archives containing builder templates and version configurations, ensure operators are locked into the latest versions, further complicating mitigation efforts.

Indicators of Compromise (IOCs)

| Type | Value |
| --- | --- |
| Packed Sample SHA256 (StealC V2) | 0b921636568ee3e1f8ce71ff9c931da5675089ba796b65a6b212440425d63c8c |
| Packed Sample SHA256 (StealC V2) | e205646761f59f23d5c8a8483f8a03a313d3b435b302d3a37061840b5cc084c3 |
| Unpacked Sample SHA256 (StealC V2) | a1b2aecdd1b37e0c7836f5c254398250363ea74013700d9a812c98269752f385 |
| Unpacked Sample SHA256 (StealC V2) | 27c77167584ce803317eab2eb5db5963e9dfa86450237195f5723185361510dc |
| Dropped Payload SHA256 (Amadey) | dd36c7d50cb05761391a7f65932193ec847d34f8ba1bb2f2a43ecf4985d911f4 |
| Malware Dropping StealC V2 SHA256 (Amadey) | 87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f |
| StealC V2 C2 Server | http://45.93.20[.]64/c090b39aa5004512.php |
| StealC V2 C2 Server | http://45.93.20[.]28/3d15e67552d448ff.php |
| StealC V2 C2 Server | http://88.214.48[.]93/ea2cb15d61cc476f.php |
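To put the table above to work, here is an added example that is not code from this article or from Zscaler. It loads the published hashes and defanged C2 URLs, refangs the `[.]` notation so the hosts compare against real telemetry, and matches both against a few constructed log lines; the log format and the sample lines are assumptions. The host match is anchored so that 45.93.20.64 does not fire on 145.93.20.64 or 45.93.20.640.

```python
"""Match the published StealC V2 / Amadey IOCs against local telemetry.

Added example, not code from the article or the Zscaler report. The hash
and URL values are copied from the IOC table; the defang handling, the log
lines and their format are constructed assumptions.
"""
import re
from urllib.parse import urlparse

# SHA256 values exactly as published, keyed to their table label.
IOC_HASHES = {
    "0b921636568ee3e1f8ce71ff9c931da5675089ba796b65a6b212440425d63c8c": "Packed Sample (StealC V2)",
    "e205646761f59f23d5c8a8483f8a03a313d3b435b302d3a37061840b5cc084c3": "Packed Sample (StealC V2)",
    "a1b2aecdd1b37e0c7836f5c254398250363ea74013700d9a812c98269752f385": "Unpacked Sample (StealC V2)",
    "27c77167584ce803317eab2eb5db5963e9dfa86450237195f5723185361510dc": "Unpacked Sample (StealC V2)",
    "dd36c7d50cb05761391a7f65932193ec847d34f8ba1bb2f2a43ecf4985d911f4": "Dropped Payload (Amadey)",
    "87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f": "Malware Dropping StealC V2 (Amadey)",
}
# C2 URLs kept defanged, exactly as published.
IOC_C2_URLS = [
    "http://45.93.20[.]64/c090b39aa5004512.php",
    "http://45.93.20[.]28/3d15e67552d448ff.php",
    "http://88.214.48[.]93/ea2cb15d61cc476f.php",
]

# Constructed sample telemetry: one proxy hit on a C2, one EDR file event with a
# known hash (upper-case, to show the match is case-insensitive), two benign lines.
SAMPLE_LOG = [
    "2025-03-12T08:01:02 proxy user=alice method=POST url=http://45.93.20.64/c090b39aa5004512.php status=200",
    "2025-03-12T08:01:05 edr event=FileCreate path=C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe "
    "sha256=E205646761F59F23D5C8A8483F8A03A313D3B435B302D3A37061840B5CC084C3",
    "2025-03-12T08:02:10 proxy user=bob method=GET url=http://145.93.20.64/index.html status=200",
    "2025-03-12T08:03:44 proxy user=bob method=GET url=http://10.0.0.5/update.msi status=200",
]


def refang(url):
    """Undo the usual [.] / hxxp defanging so the value is comparable with real telemetry."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def c2_hosts(urls):
    """Distinct, sorted C2 hostnames extracted from the (refanged) URL list."""
    return sorted({urlparse(refang(u)).hostname for u in urls})


def host_pattern(host):
    # Require a non-address character on both sides so a host never matches as a
    # substring of a longer address (145.93.20.64, 45.93.20.640).
    return re.compile(r"(?<![\w.])" + re.escape(host) + r"(?![\w.])")


def scan(lines):
    """Return (line_no, ioc_type, value, label) for every IOC seen in the lines."""
    hits = []
    patterns = [(h, host_pattern(h)) for h in c2_hosts(IOC_C2_URLS)]
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for digest, label in IOC_HASHES.items():
            if digest in low:
                hits.append((n, "sha256", digest, label))
        for host, pat in patterns:
            if pat.search(line):
                hits.append((n, "c2_host", host, "StealC V2 C2 Server"))
    return hits


if __name__ == "__main__":
    for line_no, kind, value, label in scan(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {value} -> {label}")
```

Matching on the host rather than the full URL is deliberate: the C2 paths in the table are per-campaign PHP endpoints and are likely to rotate, whereas a connection to the listed address on any path is still worth a look.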

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.