StealC
StealC is a malware-as-a-service (MaaS) infostealer active since January 2023, widely described as information-stealing malware with optional dropper/loader functionality. It is designed to extract passwords, stored access data, digital identities, authentication cookies, session tokens, autofill data, credit card details, cryptocurrency wallet data, browser extensions, and files matching operator- or affiliate-defined patterns from compromised Windows systems. Reported targets include Chromium-based and Gecko-based browsers, desktop applications, mail and messaging clients such as Outlook, Thunderbird, Telegram and Discord, file transfer and VPN tools such as FileZilla, WinSCP, OpenVPN and ProtonVPN, gaming applications such as Steam, and crypto wallets. StealC also collects broad system information from infected hosts and can download and execute follow-on payloads, making it useful both for credential theft and as an initial-access enabler in larger attack chains.
The malware is sold to affiliates through a self-hosted control-panel model and has been advertised on criminal forums by the actor using the moniker "plymouth." Available reporting indicates StealC received a major version 2 architectural update in March 2025 and had reached versions around 2.22.x by mid-2026. Researchers describe StealC v2 as using JSON over HTTP with RC4-encrypted communications and per-build or per-victim configuration. Affiliates operate their own infrastructure rather than relying on a single centralized backend.
StealC is frequently used alongside Amadey, which commonly provides initial access or delivers StealC as a second-stage payload. Delivery vectors observed in public reporting include phishing, software downloads from untrusted sources, fake software updates, cracked software installers, third-party malware loaders, SEO abuse, malvertising, GitHub- and GitLab-hosted payloads, and traffic-team distribution through social media and forums. One documented December 2025 campaign used Amadey to download StealC from https://gitlab[.]bzctoons.net/suau/fds/-/raw/main/protected.zip, extract x64_protect.exe, and connect to a StealC C2 at http://158.94.208.130/8528aa6d5ece46dc.php. Reported sample hashes from that campaign include the StealC payload SHA256 b5d4cc84845cb101f8bda324729ebedd8acd36cc8ec32f80969c4fb6d3c2b8a7.
StealC has also been observed delivering or facilitating additional malware, including Amadey, AsyncRAT, RedLine Stealer, Vidar, XTinyLoader, XMRig, HijackLoader, SectopRAT, SmokeLoader, zgRAT, and in at least one case LockBit Black ransomware via XTinyLoader. This supports its role in broader cybercrime workflows involving credential theft, resale of logs, fraud, and follow-on ransomware deployment.
The malware has been the subject of major international disruption activity under Operation Endgame in June 2026. Europol, Microsoft, Proofpoint, IBM X-Force, ESET, BitSight, Shadowserver, and multiple law-enforcement agencies targeted StealC infrastructure, with reporting tying the broader action to 326 servers, 142 domains, roughly 27 million stolen credentials, and more than EUR 41 million in criminal crypto assets. Microsoft reported that infrastructure tied to Amadey and StealC reached more than 140,000 infected machines globally in early May, and that more than 200 command-and-control servers were disrupted. Proofpoint and IBM X-Force reported discovering and exploiting a directory traversal vulnerability in the PHP-based StealC C2 panel, caused by improper sanitization of filenames containing forward slashes during ZIP extraction, which allowed web-shell upload to StealC servers; the developers patched this flaw in February 2026.
High-confidence indicators and observables directly mentioned in the collected sources include the GitLab payload URL above; the StealC C2 http://158.94.208.130/8528aa6d5ece46dc.php; and references to StealC V2 / v2.22.x. The malware is consistently characterized as a pervasive infostealer in the cybercrime ecosystem, used to steal credentials and sensitive data for later illicit use including account compromise, data trading, fraud, and enabling downstream intrusions.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
Developer tools: n8n workflows, CCNA labs, 7-Zip CVE-2025-0411 PoC, Cursor.so, Sora AI
Groups observed using it
16 distinct threat actors attributed by public researchers.
A user named @amdfx6300 on the Lolz Guru forum posted a thread titled “[LOGS] Dungeon Team Reborn · Stealc V2/Rhadamanthys · Fud Loader (0VT) / Fud Crypt | Seo Yt/Github.”
StealC, on the other hand, has leveraged various initial access vectors ranging from malware loaders (including Amadey) and ClickFix lures, and is equipped to extract sensitive information, such as screenshots, credentials, session cookies, autofill entries, credit card data, browsing history, and extension data. ... It also acts as a secondary loader, capable of downloading and executing EXE, MSI, or PowerShell payloads based on commands from an external server.
The group has been linked to past campaigns that delivered dangerous tools including NetSupport RAT, Remcos RAT, StealC, and Sectop RAT.
Diversified Malware Toolkit: Crazy Evil uses advanced tools like Stealc and AMOS for Windows and macOS, ensuring widespread compromise.
Amadey is a modular Windows botnet sold as MaaS by author "InCrease" on XSS/Exploit forums, active since 2018. It commonly drops Lumma, StealC, RedLine, CoinMiners, and RATs.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (5 techniques)
The stolen data can be used by criminals to impersonate the victim and thereby steal money from them, or to gain access to (corporate) networks and claim further victims there.
Victims are infected via, among other things, software downloads from untrusted sources or via phishing emails.
The researchers found that the PHP-based backend stored files with their original file name and used a sanitization function that failed to sanitize file names containing forward slashes... Researchers exploited the flaw by crafting file names with path traversal constructs to escape the intended temp directory and write a web shell to the C2 server.
Execution (1 technique)
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (3 techniques)
They promote popular apps or cracked versions of apps as free downloads... Operate fake casinos or gambling sites through phishing panels that replicate the UI of legitimate casino sites.
Credential Access (4 techniques)
T1528 Steal Application Access Token: Stealc targets application tokens (e.g., crypto wallets, messaging apps).
This can lead to theft of corporate virtual private network (VPN) credentials, single sign-on (SSO) tokens, and session cookies that could allow an attacker to bypass multi-factor authentication (MFA).
Discovery (1 technique)
Collection (1 technique)
IOCs tracked for this family
417 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news.
Information stealer first highlighted in February 2023. It collects sensitive data including credentials and financial information, which are then sold on dark web markets or Telegram channels.
Information-stealing malware that extracts passwords, stored access data, digital identities, and other sensitive information from infected devices.
A MaaS infostealer that steals browser, application, mail server, WinSCP/SFTP, Steam and other credentials, gathers system information, steals files, and can optionally function as a loader to retrieve additional payloads including RATs and ransomware.
An information stealer with dropper functionality that extracts passwords, stored access data, and digital identities from infected systems for fraud and data trading.