Introduction

- In October 2025, we discovered a series of forum posts advertising a previously unknown stealer, dubbed “Arkanix Stealer” by its authors.
- It operated under a MaaS (malware-as-a-service) model, providing users not only with the implant but also with access to a control panel featuring configurable payloads and statistics.
- The set of implants included a publicly available browser post-exploitation tool known as ChromElevator, which was delivered by a native C++ version of the stealer.
- This version featured a wide range of capabilities, from collecting system information to stealing cryptocurrency wallet data.
- Alongside that, we also discovered a Python implementation of the stealer capable of dynamically modifying its configuration.
- The Python version was often packed, giving the adversary multiple methods for distributing their malware.
Article Summaries:
- In October 2025, security researchers uncovered a new malware-as-a-service operation called Arkanix Stealer. The campaign offered both a native C++ implant and a Python version that could be reconfigured on the fly. Users accessed a web-based control panel to deploy payloads and view statistics, and the C++ variant included the ChromElevator browser post-exploitation tool. Initial infections were almost certainly phishing-based, with loader scripts such as discord_nitro_checker.py and TikTokAccountBotter.exe. The Python loader installs dependencies, registers the host, and downloads the stealer payload. Kaspersky products flag it as Trojan‑PSW.Win64.Coins. and related signatures. The affiliate program appears to have been shut down, indicating a short-lived operation.
Sources:
- https://securelist.com/arkanix-stealer/119006/ (Latest source article published: 2026-02-19 11:00 UTC)