
OnyxC2

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (Evidence: 2)

The package also ships with ready-made lure installers: FinePrint, SystemSettings, a fake Windows update package, and Fling-Standalone for gaming audiences... The combination of a 210-application target list, verified evasion against current antivirus engines, and persistent access turns a single phishing click into standing visibility into someone’s entire working life.

Execution

1 technique
T1059 Command and Scripting Interpreter (Evidence: 2)

It includes... a reverse shell over HTTP...

Privilege Escalation

1 technique
T1055 Process Injection (Evidence: 2)

It includes HVNC over a web browser, LSASS memory dumping, RunPE execution both in memory and on disk...

Stealth

4 techniques
T1027 Obfuscated Files or Information (Evidence: 1)

The payload stays encrypted until runtime, so there’s nothing to detect on disk before execution begins.

T1036 Masquerading (Evidence: 1)

Inside the build is a legitimate application carrying a valid Authenticode signature... Paired with it is a DLL disguised as an NVIDIA graphics library... The package also ships with ready-made lure installers: FinePrint, SystemSettings, a fake Windows update package, and Fling-Standalone for gaming audiences.

T1055 Process Injection (Evidence: 2)

It includes HVNC over a web browser, LSASS memory dumping, RunPE execution both in memory and on disk...

T1140 Deobfuscate/Decode Files or Information (Evidence: 1)

The payload stays encrypted until runtime, so there’s nothing to detect on disk before execution begins.

Credential Access

4 techniques
T1003.001 LSASS Memory (Evidence: 2)

It includes HVNC over a web browser, LSASS memory dumping, RunPE execution both in memory and on disk...

T1056.001 Keylogging (Evidence: 2)

It includes HVNC over a web browser... screenshot capture, a keylogger, a file manager...

T1539 Steal Web Session Cookie (Evidence: 2)

One infected host visible in the operator panel had already handed over... 4,717 cookies... 'Stolen session cookies bypass a fresh login...'

T1555 Credentials from Password Stores (Evidence: 2)

The target list covers... 5 password managers... 'A stealer that scrapes password managers and 2FA extensions alongside saved logins...'

Lateral Movement

1 technique
T1021.005 VNC (Evidence: 1)

It includes HVNC over a web browser... With HVNC, the operator inherits the victim’s authenticated browser outright.

Collection

2 techniques
T1056.001 Keylogging (Evidence: 2)

It includes HVNC over a web browser... screenshot capture, a keylogger, a file manager...

T1113 Screen Capture (Evidence: 2)

It includes HVNC over a web browser... screenshot capture, a keylogger...

Command and Control

4 techniques
T1090 Proxy (Evidence: 1)

It includes ... a reverse SOCKS5 proxy... and a built-in Tor tunnel...

T1090.001 Internal Proxy (Evidence: 1)

It includes HVNC over a web browser, LSASS memory dumping, RunPE execution both in memory and on disk, a reverse SOCKS5 proxy...

T1090.003 Multi-hop Proxy (Evidence: 1)

It includes... a built-in Tor tunnel...

T1219 Remote Access Tools (Evidence: 1)

The remote access toolkit bundled with the stealer goes well beyond credential harvesting. It includes HVNC over a web browser...

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (16)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.