StealC
StealC is a Windows information-stealing malware sold under a malware-as-a-service model since early 2023. The reporting describes it as a commodity infostealer frequently distributed alongside or through other crimeware ecosystems and loaders, including Amadey, ClearFake, MintsLoader, GoLoader, and other delivery chains. It is repeatedly grouped with other MaaS stealers such as Lumma, Vidar, RedLine, and Rhadamanthys, and one source specifically notes it was advertised by a developer using the name "Plymouth."
Observed targeting and collection focus include browser credentials and cookies, browser extensions, cryptocurrency wallets, messaging applications, cloud credentials, email and financial tokens, and other application secrets. Multiple reports describe StealC campaigns stealing browser data, wallet data, Telegram sessions, Discord tokens, Steam credentials, FileZilla and WinSCP sessions, Outlook PST/OST files, VPN configurations, screenshots, and selected local files.
The content shows StealC being delivered through several infection vectors: phishing and loader chains, compromised websites using ClickFix/FileFix-style social engineering, fake browser update or verification lures, DLL sideloading with signed VMware and Microsoft Edge binaries, and trojanized software or game binaries. ClearFake campaigns delivered StealC to Windows systems from compromised websites. MintsLoader delivered StealC to Windows endpoints targeting industrial, legal, and energy organizations in the US and Europe. Amadey campaigns distributed StealC among many other payloads. GoLoader delivered StealC via DLL sideloading of signed VMware vmtoolsd.exe and Microsoft Edge binaries. One active FileFix campaign delivered a loader that executed StealC. Another sample was packed inside a legitimate King game (Candy Crush Saga) binary.
The content includes detailed reporting on StealC v2. A March 2026 sample disguised as a King game executable communicated with C2 at joscramp[.]top via HTTP POST to /410b5129171f10ea.php using JSON registration data containing a hardware ID and build value 410b5129171f10ea. That sample used a custom packer with an encrypted overlay, RC4-based decryption, sparse real imports, anti-analysis checks, forged compile timestamping, RC4-encrypted configuration strings, dynamic API resolution, sandbox evasion, and CIS-language checks. Sandbox reporting noted it read HKLM\SYSTEM\ControlSet001\Control\NLS\Language and was assessed to avoid execution on CIS-region language systems; it also triggered WerFault.exe in sandbox environments as an anti-analysis measure. The same joscramp[.]top gate path was reported in both 2023 and 2026, indicating infrastructure reuse.
Additional infrastructure and clustering details in the content include StealC C2 or hosting on joscramp[.]top at 34.41.139.193, a StealC C2 panel at 80.97.160.190, a StealC C2 at 217.156.66.135 with hostname goodwin.unison-uwe.org.uk, and a StealC C2 over HTTP on 85.137.253[.]36 within Shinomiya Hosting’s 85.137.253.0/24 subnet. One report states that subnet hosted at least four active malware C2 operations including XWorm, two Vidar stealers, and a StealC stealer. Another report linked a StealC sample to import hash 21829bcb83e2224c2104cf7cefe96c53 shared by 19 MalwareBazaar samples across StealC, RedLine Stealer, and Rhadamanthys dating back to March 2023.
The content also notes ecosystem developments affecting StealC operators. In September 2024, researchers observed StealC developers claiming and then implementing a bypass for Google Chrome App-Bound Encryption, with reporting stating Vidar and StealC implemented bypasses in the same week. Separately, after a spring 2025 code leak, researchers found a cross-site scripting vulnerability in the StealC web panel, described as a significant setback for the operation.
Overall, the reporting consistently characterizes StealC as an active, financially motivated commodity infostealer in the MaaS ecosystem, commonly delivered by third-party loaders and campaigns, focused on theft of browser, wallet, messaging, cloud, and related credential material from Windows victims.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Developer tools: n8n workflows, CCNA labs, 7-Zip CVE-2025-0411 PoC, Cursor.so, Sora AI
Groups observed using it
14 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Amadey is a modular Windows botnet sold as MaaS by author "InCrease" on XSS/Exploit forums, active since 2018. It commonly drops Lumma, StealC, RedLine, CoinMiners, and RATs.
If allowed to continue running beyond this stage, researchers have reported additional payloads including StealC and ArechClient2.
The campaign, active as recently as March 24, 2026, delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also known as ArechClient2.
EncryptHub lured targets into installing AnyDesk, TeamViewer, and other remote monitoring and management software for lateral movement before utilizing PowerShell scripts that deliver the Rhadamanthys, Stealc, and Fickle Stealer information-stealing payloads.
...has occasionally delivered other payloads including StealC and Lumma Stealer (information stealers with similar functionality to Rhadamanthys).
Others include StealC, RedLine, Odebug and other Phemedrone variants, and NodeJS loaders and downloaders.
"In the case of StealC... StealC is an infostealer malware that has been circulating since early 2023, sold under a Malware-as-a-Service (MaaS) model and marketed to threat actors seeking to steal cookies, passwords, and other sensitive data from infected computers."
Confirmed TA582 payloads sharing this infrastructure: GhostWeaver/Pantera, MintsLoader, trojanized BOINC, CleanUpLoader, and StealC (per Recorded Future).
"Crazy Evil Gang Targets Crypto with StealC..." and "MintsLoader Delivers StealC Malware..."
Hackers used a fake Oura MCP server to trick users into downloading malware that installs the StealC info-stealer... The trojanized version of the Oura MCP server delivers the StealC infostealer, targeting developer credentials, browser passwords, and cryptocurrency wallets.
These infections often progress to the deployment of Stealc and SectopRAT.
Techniques & procedures
35 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
6 techniques
The operations leverage agile evasion tactics, including top-level domain rotation, subdomain chaining... These attackers registered the same domain concept across multiple top-level domains, rotating as each is blocked.
Acquire Infrastructure: Server (T1583.004): BPH network via lir-ge-fast-1-MNT shell companies
victims searching for cracked versions of Adobe Photoshop and After Effects on YouTube, suggesting that YouTubeTA compromised legitimate YouTube channels with established subscriber bases to distribute StealC
The operator’s panel configuration included specific markers for studio.youtube.com credentials, indicating a strategy to hijack content creator accounts and expand malware distribution networks.
Obtain Capabilities: Malware (T1588.001): StealC v2 MaaS purchase/affiliation
The malware is distributed using the strategy of making the distribution posts appear at the top of search engine results (SEO poisoning).
Initial Access
2 techniques
ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through the drive-by download technique.
Primarily via phishing emails, StealC malware uses fake CAPTCHA verification prompts and PowerShell scripts to bypass legitimate checks and steal information from the user.
Execution
5 techniques
Harden endpoints with application control for script interpreters and common living-off-the-land tools. Block or alert when browsers or explorer spawns cmd or PowerShell.
Once executed, the malware will launch PowerShell scripts that harvest credentials and other information from the affected user.
researchers discovered a cross-site scripting (XSS) vulnerability in its web panel following a code leak in spring 2025. By exploiting this flaw, CyberArk Labs collected system fingerprints, monitored active sessions, and captured authentication cookies
Dynamic API resolution (T1106): GetProcAddress with obfuscated stack strings for sensitive APIs
The attack flow involves a malicious JavaScript that redirects victims to a file-hosting page, which then delivers the StealC payload within a password-protected ZIP archive.
Privilege Escalation
1 technique
Stealth
8 techniques
Obfuscated Files or Information (T1027): custom 3-layer encryption, fake Raft types, English word obfuscation
Masquerading: Match Legitimate Name or Location (T1036.005): intl.dll impersonating GNU libintl
The dropper uses classic process hollowing (T1055.012) to execute the decompressed Stealc binary inside a legitimate Windows process.
Indicator Removal: File Deletion (T1070.004): StealC self-terminates after exfiltration
Deobfuscate/Decode Files (T1140): runtime RC4 decryption of config, strings, and overlay payload
Virtualization/Sandbox Evasion (T1497): IsDebuggerPresent, GetTickCount/QueryPerformanceCounter timing checks
Processor feature check (T1497.001): IsProcessorFeaturePresent verifies AES-NI/SSE4.2 support and may detect VMs
Reflective Code Loading (T1620): Go-based reflective PE loader (both v1 and v2)
Credential Access
3 techniques
...captured authentication cookies from the infrastructure designed to steal them... operators specializing in cookie theft failed to implement basic security features, such as the httpOnly flag, that would have prevented cookie hijacking via XSS attacks
Credentials from Password Stores (T1555): browser credential database extraction
Credentials from Web Browsers (T1555.003): Chrome/Firefox/Edge password and cookie theft
Discovery
4 techniques
System Information Discovery (T1082): hostname, username, OS version, installed software enumeration
The system language discovery is a common CIS-region malware behavior: check the victim's language settings, and if the system is configured for Russian, Ukrainian, Belarusian, or another CIS-region language, terminate execution.
Collection
3 techniques
Data from Local System (T1005): file grabber, wallet data, application configs
Screen Capture (T1113): multi-monitor screenshot capture
Clipboard Data (T1115): clipboard monitoring for crypto addresses
Command and Control
4 techniques
When @Fact_Finder03 flagged 158.94.210[.]91 as a C2 panel... The /24 subnet surrounding that IP hosts 67 distinct command-and-control operations spanning 16 malware families.
C2 COMMUNICATION: HTTP POST to /410b5129171f10ea.php (RC4-encrypted body)
By hiding payloads inside images fetched from Bitbucket and triggering local execution through File Explorer, it slips past filters that expect obvious downloads or Run dialog abuse... Watch for image downloads followed by process creation or archive writes.
Exfiltration: HTTP POST to C2 gate... The body will be RC4-encrypted, appearing as binary data in an application/x-www-form-urlencoded content type.
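Detection logic for the gate traffic described above (an HTTP POST to a build-ID-named .php gate whose RC4-encrypted body is sent as application/x-www-form-urlencoded), as an added example that is not from the original reporting or from any vendor tool: it scores constructed proxy-log events on gate host, path shape, and content-type/body mismatch. It assumes every StealC gate path is the 16-hex build ID plus ".php", which generalizes the single instance on this page, and the sample events are constructed rather than captured.

```python
import math
import re

# Gate path shape generalized from the single instance on this page,
# /410b5129171f10ea.php (assumption: gates are always named after the build ID).
GATE_RE = re.compile(r"^/[0-9a-f]{16}\.php$")
KNOWN_GATE_HOSTS = {"joscramp.top"}  # reported on this page (defanged there)
FORM_TYPE = "application/x-www-form-urlencoded"
FORM_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~%&=+*")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: RC4 output sits near 8.0, form data and JSON far lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n)
                for c in (data.count(b) for b in set(data))) if n else 0.0

def body_is_form_encoded(body: bytes) -> bool:
    """True if every byte belongs to the percent-encoded form alphabet."""
    return all(b in FORM_ALPHABET for b in body)

def assess(event: dict) -> list[str]:
    """Reasons a request resembles a StealC gate beacon; empty list if none."""
    reasons = []
    if event["method"] != "POST":
        return reasons
    if event["host"] in KNOWN_GATE_HOSTS:
        reasons.append("known StealC gate host")
    if GATE_RE.match(event["path"]):
        reasons.append("build-id-style gate path")
    body = event["body"]
    if event["content_type"] == FORM_TYPE and not body_is_form_encoded(body):
        reasons.append("form content-type but non-form body")
        if len(body) >= 64 and shannon_entropy(body) > 7.0:
            reasons.append("high-entropy body, consistent with an RC4 blob")
    return reasons

def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    return [(e["host"] + e["path"], r) for e in events if (r := assess(e))]

# Constructed sample events, not captured traffic. ENCRYPTED_BLOB stands in
# for an RC4-encrypted registration body (all 256 byte values, entropy 8.0).
ENCRYPTED_BLOB = bytes((i * 131 + 7) % 256 for i in range(1024))
SAMPLE_EVENTS = [
    {"method": "POST", "host": "joscramp.top", "path": "/410b5129171f10ea.php",
     "content_type": FORM_TYPE, "body": ENCRYPTED_BLOB},
    {"method": "POST", "host": "intranet.example", "path": "/login.php",
     "content_type": FORM_TYPE, "body": b"user=alice&pass=p%40ssw0rd"},
]
```

The content-type/entropy checks fire without any host or path indicator, so they keep working when the gate host or build ID changes; tune the entropy threshold against your own form-post baseline.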
Exfiltration
1 technique
Other
1 technique
IOCs tracked for this family
368 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
154 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named as one of the known stealers that the binder is capable of packaging; no direct use in the described campaign is detailed beyond that reference.
Referenced as an infostealer emblematic of high-volume but technically simple cybercrime.
Referenced as a commodity stealer family that adopted Restart Manager usage for handling locked files.
StealC is an information stealer used as a follow-on payload in the campaign. It is hosted in encrypted form in attacker-controlled staging repositories and is decrypted and loaded directly into memory by SmartLoader to harvest sensitive data from compromised systems.