• A new infostealer named ‘Arkanix Stealer’ operated as a malware-as-a-service (MaaS) enterprise in a one-shot campaign, Kaspersky says. Implemented in both C++ and Python, the malware emerged in October 2025, when its developer started advertising it in underground forum posts, but likely ceased operations in December, when its control panel and Discord channel disappeared. While short-lived, Arkanix Stealer did provide miscreants with broad information-stealing capabilities, collecting system and user information, application details, browser data, Telegram and Discord data, VPN information, and stealing files from specific directories. As part of the MaaS, users were provided with access to a control panel allowing them to configure payloads and access statistics. Users were provided with a browser post-exploitation tool named ChromElevator, delivered via a native C++ version of the malware that could also harvest cryptocurrency wallet data. The Python variant of the stealer, Kaspersky says, was deployed via a Python script, often bundled with PyInstaller or Nuitka, and could dynamically modify its configuration by making GET requests to a remote server.
• Arkanix Stealer could collect broad system information, including CPU, GPU, RAM, OS, screen, keyboard, and time zone data, along with details on the installed software, including antivirus and VPN applications. It could also target 22 browsers to harvest information such as history, autofill information, passwords, cookies, and OAuth2 data, as well as Telegram messages and Discord credentials. The analyzed stealer sample also contained a self-spreading feature, acquiring a list of the victim’s Discord friends and channels via the Discord API, and sending a configured message to them. Kaspersky also observed the malware collecting credentials from known VPN clients, such as Mullvad VPN, NordVPN, ExpressVPN, and ProtonVPN. Using a pre-defined set of paths, the malware was seen exfiltrat
Article Summaries:
- Kaspersky identified a new infostealer called Arkanix Stealer that appeared in October 2025 as a malware‑as‑a‑service offering. The malware, written in C++ and Python, enabled attackers to harvest extensive system data, browser histories, Telegram and Discord credentials, VPN information, and selected user files. A native C++ variant included a post‑exploitation tool, ChromElevator, and anti‑analysis features, while the Python version could be deployed via PyInstaller or Nuitka and dynamically reconfigure itself through remote GET requests. Users accessed a control panel and a Discord channel for configuration and support, with a referral program to attract customers. The operation was short‑lived; the panel and Discord channel vanished in December 2025, and no further activity has been observed.
Sources:
- https://www.securityweek.com/arkanix-stealer-malware-disappears-shortly-after-debut/ (Latest source article published: 2026-02-24 15:20 UTC)