OnyxC2 MaaS Stealer Targets 210+ Apps With HVNC and DLL Sideloading
Researchers reported that OnyxC2 is being sold on cybercrime forums as a malware-as-a-service infostealer with subscription tiers that include a base offering, an HVNC-enabled package, and even source-code access. The platform is designed for large-scale credential and data theft across more than 210 applications, including browsers, browser extensions, password managers, cryptocurrency wallets, FTP clients, email clients, VPN tools, messaging apps, and remote access software, expanding its reach from consumer systems into enterprise environments.
Analysis found that OnyxC2 pairs data theft with deeper post-compromise capabilities, including HVNC, LSASS dumping, RunPE, reverse SOCKS5 proxying, keylogging, screenshot capture, reverse shell access, Tor tunneling, persistence features, and AES-256-encrypted build downloads. The malware is delivered through DLL sideloading with a legitimate signed application and a disguised malicious DLL, while keeping its payload encrypted until runtime to reduce antivirus detection; researchers said initial delivery archives appeared clean on VirusTotal, and the service also offers lure installers, panel access, customer support, and even refunds for detected builds, lowering the barrier for less-skilled criminals to run long-term credential theft and session hijacking campaigns.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
BlackFog analyzes OnyxC2 MaaS stealer and publishes technical details
BlackFog analyzed OnyxC2 as a malware-as-a-service infostealer marketed on cybercrime forums, documenting its pricing tiers, support model, DLL sideloading delivery chain, and capabilities including credential theft, HVNC, LSASS dumping, reverse SOCKS5 proxying, and other remote-access features. The analysis also stated that OnyxC2 targets more than 210 applications, spanning browsers, password managers, cryptocurrency wallets, FTP clients, email clients, VPN tools, and related software.
BlackFog reports OnyxC2 samples remained unflagged on VirusTotal
BlackFog reported that both delivery archives were initially clean on VirusTotal and that the malicious component remained unflagged as of 2026-05-30, underscoring the malware's evasion effectiveness. The payload was described as encrypted until runtime and delivered via DLL sideloading with a legitimately signed application.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Hackers Use OnyxC2 Malware-as-a-Service to Steal Credentials From 210 Applications
cybersecuritynews.com
Open sourceOnyxC2 stealer sold as a service targets over 210 applications | brief | SC Media
scworld.com
Open sourceOnyxC2 Malware-as-a-Service Offers Enterprise-Grade Data Theft - Security Affairs
securityaffairs.com
Open sourceOnyxC2 Malware-as-a-Service Offers Enterprise-Grade Data Theft - Security Affairs
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Infostealer Malware Activity: Arkanix MaaS Stealer and Broader Distribution Trends
**Arkanix Stealer** emerged as a previously undocumented infostealer offered under a **malware-as-a-service (MaaS)** model, promoted via dark web forum advertisements that directed buyers to a Discord server for coordination. Analysis identified multiple implants, including a native **C++** variant with broad data-theft capabilities (e.g., system profiling and **cryptocurrency wallet** theft) and a **Python** implementation that can dynamically modify its configuration and is often packed to hinder analysis. The toolset also incorporated *ChromElevator*, a publicly available browser post-exploitation utility, and detections were mapped to families such as `Trojan-PSW.Win64.Coins.*` and `Trojan.Python.Agent.*`; the associated affiliate/referral program appeared to have been taken down, suggesting a short-lived operation. Separately, January 2026 telemetry and case analysis on infostealer distribution highlighted ongoing, high-volume delivery via **crack/keygen camouflage** and **SEO poisoning**, with prominent families including **LummaC2**, **Vidar**, and **ACRStealer**. The reporting emphasized automated collection and analysis pipelines that extract C2/IOC data and support near-real-time blocking via an indicator service, underscoring that infostealer operations continue to rely on scalable distribution and obfuscation techniques even as individual MaaS offerings like Arkanix may be transient.
Mar 21, 2026
Malware Campaigns Using Fake Installers and Multi-Stage Loaders to Steal Credentials and Enable Remote Control
Multiple active malware campaigns are using **trojanized installers** and social engineering—rather than software vulnerabilities—to gain initial access and then deploy credential theft or remote-control capabilities. Intel 471 reported a new Android banking trojan dubbed **FvncBot** targeting Polish mobile banking users by impersonating an *mBank* “security” app; the dropper prompts installation of an additional “Play” component and then abuses **Android Accessibility Services** for persistence and control, enabling **keylogging**, **screen capture**, and hidden **VNC-style remote interaction** to facilitate fraudulent transactions. Separately, Cyderes described an ongoing, large-scale piracy-channel campaign where cracked game installers hide behind a legitimate-looking **Ren’Py** launcher tracked as **RenEngine**, which decrypts and launches subsequent stages and introduces **HijackLoader** via techniques including **DLL side-loading** and module stomping; observed final payloads include **ACR Stealer** (and in some cases **Vidar**) to exfiltrate browser credentials, cookies, and crypto wallet data. Cybereason detailed a different installer-themed operation in Chinese-speaking communities delivering **ValleyRat/Winos 4.0** attributed to **Silver Fox APT**, notable for using the rare **“PoolParty Variant 7”** process injection (abusing Windows I/O completion ports and `ZwSetIoCompletion()` after duplicating a handle from `Explorer.exe`) plus a strengthened watchdog mechanism via injection into `Explorer.exe` and `UserAccountBroker.exe` to maintain persistence.
Mar 21, 2026
Credential-Theft Malware Campaigns Targeting Windows via Social Engineering and Trusted Services
Multiple reports describe **active malware campaigns targeting Windows users** with a focus on **credential, session, and wallet theft** delivered through social engineering and abuse of legitimate services. **CharlieKirk Grabber**, a Python infostealer packaged with *PyInstaller*, is distributed via phishing, cracked software, cheats, and social-media lures; it kills browser processes (via `TASKKILL`) to access credential stores, collects passwords/cookies/autofill/Wi‑Fi data, zips the loot, uploads it to *GoFile*, and relays the download link to operators via **Discord webhooks** or **Telegram bots**. Separately, attackers are buying **Facebook ads** impersonating Microsoft to drive victims to cloned Windows 11 download pages on lookalike domains (e.g., `ms-25h2-update[.]pro`), delivering a malicious installer that steals saved passwords, browser sessions, and **cryptocurrency wallet** data; the campaign uses **geofencing/sandbox evasion** to show benign content to data-center IPs while serving malware to likely end users. Other contemporaneous activity highlights broader Windows-targeted intrusion tradecraft and adjacent threats. FortiGuard Labs reported **Winos 4.0 (ValleyRat)** phishing campaigns in Taiwan using tax and e-invoice lures, with delivery chains including malicious **LNK** downloaders, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud hosting. In LATAM, a fake bank-receipt lure delivers **XWorm v5.6** via a `.pdf.js` double-extension WSH dropper that uses junk-padding and Unicode obfuscation, then reconstructs and runs PowerShell (spawned via WMI) and abuses trusted hosting (e.g., Cloudinary) for later stages—enabling credential theft and potential ransomware follow-on. Additional reporting covered a USB-propagating **Monero cryptomining** operation capable of crossing air-gapped environments, a new Linux **SysUpdate** variant with encrypted C2 traffic (and a Unicorn Engine-based decryption approach developed during DFIR), and the **Foxveil** loader abusing **Cloudflare Pages, Netlify, and Discord** to stage shellcode and persist via services or *SysWOW64* masquerading—these are separate threats but reinforce the trend of attackers blending into trusted infrastructure and common user workflows.
Mar 21, 2026