
Stealc Infostealer: A Deep Dive into Its Evolution, Operations, and Threat Landscape

Posted on: 10 Dec 2025 | Author: Foresiet

Introduction

Stealc, an information-stealing malware operating as Malware-as-a-Service (MaaS), has emerged as a potent tool in the cybercriminal arsenal since its debut in early 2023. Advertised on Russian-speaking underground forums, it sits alongside established stealers such as Vidar, Raccoon, Mars, and RedLine, offering customizable data exfiltration for browsers, cryptocurrency wallets, and applications. Its non-resident design minimizes its footprint, enabling stealthy theft of credentials, cookies, autofill data, and files.

By December 2025, Stealc’s V2 iteration has amplified its reach through innovative distribution vectors, including 3D modeling assets and malvertising. This analysis dissects Stealc’s mechanics, campaigns, indicators of compromise (IOCs), and mitigation strategies, highlighting its role in the broader infostealer ecosystem.

Recent underground forum advertisements confirm Stealc remains actively developed and commercially available as of December 2025. A user continues to sell the latest V2 builds at $300 per month (contacts via private messages only), emphasizing its ongoing MaaS model.

Figure 1: Current underground forum advertisement for Stealc V2 ($300/month subscription, contacts via PM).

Just weeks ago, the same user published the v2.9.0 update, introducing restored Steam token collection without process injection, Perplexity Comet browser support, full MetaMask IndexedDB grabbing, and several dashboard cleanup features—proof the stealer is still receiving regular updates heading into 2026.

Figure 2: Late-2025 underground forum post detailing the v2.9.0 release, including new Steam token decryption method and Perplexity Comet support.

Executive Summary

Stealc infostealer exemplifies the commoditization of cybercrime, with over 40 C2 servers identified since launch and logs traded on platforms like Russian Market. Key evolutions include V2’s RC4 encryption and JSON-based C2 protocol, enhancing evasion. Active campaigns as of December 8, 2025, leverage Blender files on CGTrader for payload delivery, targeting creative professionals with Stealc V2 to harvest data from 23 browsers and 15 wallets. IOCs encompass hashes, URLs, and IPs; for instance, low-detection IPs linked to Stealc C2s include those in pastebin dumps (e.g., 40 IPs with VirusTotal hits under 12). Technical breakdowns reveal WinAPI abuse for data dumping, with code snippets illustrating decryption routines. Impacts span credential stuffing and ransomware precursors, affecting millions. Defenses prioritize behavioral detection and zero-trust models.

History and Development

Researchers at Foresiet have identified an individual known as Nam3L3ss on cybercrime forums, who has become a prominent figure documenting and posting data from the MOVEit breach. Rather than directly exploiting the MOVEit vulnerability, Nam3L3ss has been downloading databases exposed by the Cl0p ransomware group and other operators. They have been systematically organizing and cleaning the data for wider distribution, citing Cl0p as the primary origin for much of the obtained information.

Figure 3: Stealc logs advertised on Russian Market, bundled with credentials from high-value targets (forum screenshot).

Technical Analysis: How Stealc Works

Stealc is a C-based, non-resident stealer that injects into processes for data collection, avoiding disk writes. Upon execution:

  1. Initialization and Anti-Analysis: Resolves WinAPI functions dynamically via hashing to evade static detection. Checks screen resolution, running processes, and debugger flags (e.g., NtGlobalFlag). Uses VEH (vectored exception handling) to decrypt payloads at runtime.
  2. Data Harvesting: Enumerates browsers (Chrome, Firefox, Edge) via multi-threaded BFS. Decrypts cookies/passwords using DPAPI and AES-256-GCM. Targets:
    • 23+ browsers/extensions.
    • 15+ crypto wallets (e.g., Exodus, Atomic).
    • Apps: Discord, Telegram, Outlook.
    • Screenshots, keystrokes, files.

Example code snippet for Chrome cookie decryption (from V2 sample analysis; image in the original post). The snippet leverages CryptUnprotectData for DPAPI and CNG for AES, bypassing App-Bound Encryption by injecting into chrome.exe launched with --remote-debugging-port.

  3. Exfiltration: Zips the collected data and sends it via HTTP POST to the C2 (e.g., /api/v2/upload). V2 uses RC4-encrypted JSON for commands.
  4. Persistence and Evasion: No registry changes; relies on loaders such as HijackLoader. A polymorphic builder alters signatures per build.

Log format: ZIP archives with systeminfo.txt (hardware/OS details) and subfolders for browser/wallet dumps—a layout distinctive enough to identify the family with tools like the “What is this stealer?” repo.
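The log layout described above can be turned into a triage check for archives found in outbound traffic or on a compromised host. The Python below is an added example, not Foresiet's code; the browser/wallet folder names and the sample archives are constructed assumptions, since the page names only systeminfo.txt and the subfolder roles.

```python
import io
import zipfile

# Layout the page attributes to Stealc logs: systeminfo.txt at the archive
# root plus subfolders of browser and wallet dumps. The folder names below
# are assumptions for this example, not taken from a real sample.
SYSTEM_INFO = "systeminfo.txt"
BROWSER_DIRS = {"browsers", "cookies", "passwords", "autofill"}
WALLET_DIRS = {"wallets", "crypto"}


def classify_archive(data: bytes) -> dict:
    """Inspect ZIP bytes and report whether they match a stealer-log layout."""
    result = {"systeminfo": False, "browser_dirs": set(),
              "wallet_dirs": set(), "verdict": "benign"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            parts = name.replace("\\", "/").strip("/").split("/")
            top = parts[0].lower()
            if len(parts) == 1 and top == SYSTEM_INFO:
                result["systeminfo"] = True
            elif top in BROWSER_DIRS:
                result["browser_dirs"].add(top)
            elif top in WALLET_DIRS:
                result["wallet_dirs"].add(top)
    # A root systeminfo.txt alone is weak; with dump folders it is the signature.
    if result["systeminfo"] and (result["browser_dirs"] or result["wallet_dirs"]):
        result["verdict"] = "suspicious: stealer-log layout"
    return result


def build_sample(entries: dict) -> bytes:
    """Build an in-memory ZIP from {path: text}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one mimicking the described log layout, one ordinary.
SUSPECT = build_sample({
    "systeminfo.txt": "OS: Windows 10\nCPU: (constructed)\n",
    "browsers/Chrome/cookies.txt": "",
    "wallets/Exodus/seed.seco": "",
})
BENIGN = build_sample({"report.pdf": "", "images/logo.png": ""})

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, classify_archive(sample)["verdict"])
```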

Stealc V2 Evolution: Recent Updates and Admin Panel Insights

The 2023 underground forum post introduced Stealc V2 as a premium stealer priced at $300/month, emphasizing its C++ build (~770KB), dynamic WinAPI loading, and no third-party DLLs. Features like server-side decryption for Chrome 128+ (v20 data types) and automatic MetaMask brute-forcing were highlighted early on. This confirms it’s the exact same Stealc we’ve analyzed—no new variant, just ongoing development. Fast-forward to late 2025, and V2 continues evolving with updates like v2.9.0, released recently on underground forums.

Key Updates in v2.9.0

This patch builds on V2’s core, focusing on efficiency and expanded collection:

  • Build Enhancements:
    • Restored Steam token collection: Tokens are now decrypted directly from files (no Steam process injection needed). Collects from all logged-in accounts, not just active ones.
    • Improved file transfer to the server for faster, more reliable exfiltration.
    • Runtime cleanup: Automatically removes temporary files during execution to reduce detection risks.
    • Minor code fixes for stability.
  • Database Expansions:
    • Added support for Perplexity Comet browser data harvesting.
    • Enhanced MetaMask collection: Now grabs IndexedDB for all versions, improving wallet seed recovery.
  • Panel Upgrades:
    • Server Management section: New functions to delete all logs, temporary log files, and empty logs (e.g., plain text or screenshot-only entries) to optimize storage.
    • Telegram Bot settings: Admins can choose notification types—plain text, text with screenshot, or full ZIP log file—for user alerts and chat listings.
    • Worker Panel: Added bulk upload capability, allowing workers to process multiple logs or builds at once without admin intervention.
  • Gate Improvements:
    • Enhanced file reception from builds, ensuring seamless integration with the non-resident loader.

These updates make V2 even stealthier, with server-side processing reducing client-side risks. For example, the following simplified C++ snippet shows the new Steam token decryption (from v2.9.0 analysis):

C++ snippet showing the new Steam token decryption (image in the original post).

This avoids runtime injection, evading AV hooks on Steam.exe.

Inside the Stealc V2 Panel

The redesigned panel (as teased in 2023 and refined in 2025) is user-friendly, with a dark theme, 2FA, and role-based access (admin vs. worker).

Here’s how it looks based on recent samples:

  • Dashboard: Overview stats for quick insights. Shows logs from the last 7 days (e.g., 1 log), disk usage (14.9 MB used, 15 GB free), country distribution (e.g., 100% from “UN”), and totals such as 1 log, 7 passwords, 2.9K cookies, and 15 wallet files. Pie charts visualize usage.

Figure 4: Stealc V2 Dashboard—logs count, disk stats, and country breakdown.

  • Builder Page: Unlimited builds per license. Lists builds with ID, name (e.g., “default”), version (2.00), password, last compile (e.g., 2025-03-29), logs count, and status (Active). Buttons for Rebuild All, Create Build, and Download.

Figure 5: Stealc V2 Builder section—manage unlimited builds directly in the panel. Note the active “default” build with password “SZn9KbZo” and recent compile date.

  • Logs Page: Powerful search and filters. Stats show created logs (1), unique logs (100%), fully uploaded (1), and total passwords (7). Filters by build, passwords, cookies, IP, markers, system, countries, wallets, dates, and notes. Options for favorites, mnemonic status (decrypted seeds), and bulk actions (Delete/Download). Each log entry displays a summary (browser/wallet icons), network (e.g., 10.0.2.2), date, note, status, and a download button.

Figure 6: Stealc V2 Logs page—detailed search, filters, and log entries. See the mnemonic-marked log with Chrome/Edge/Opera icons, 2 wallets, and full upload status.

These features make Stealc V2 highly flexible, allowing operators to scale operations while minimizing exposure. Logs are processed server-side, with auto-brute for MetaMask yielding seed phrases in Telegram notifications.

This evolution ties back to the launch, where the creator promised “server-side archive generation” and a “user-friendly panel”—proving Stealc’s consistent development.

Current Campaigns (Up to December 8, 2025)

Stealc’s distribution has diversified well beyond traditional phishing:

  • Blender File Campaign (Active Nov 2025–Dec 2025): Malicious .blend files on CGTrader embed Python scripts executing Stealc V2 on open. Targets 3D artists; steals from browsers/VPNs. 6+ months active; disable auto-run in Blender.
  • YouTube Ghost Network (Ongoing 2025): 3,000+ fake accounts promote cracks/hacks (e.g., Photoshop), linking to Stealc loaders. Views: 293K+ for top lures. Shifted from Lumma post-disruption.
  • Malvertising via SVG/PowerShell (Dec 2025): “Executive Award” lures drop Stealerium (Stealc variant) via ClickFix chains. Exfils to Telegram C2.
  • Russian Forum Ties: XSS posts highlight V2’s “corrected admin panel” for targeted theft. Logs flood Russian Market, fueling credential stuffing.

Impacts: 500M+ infections globally; enables ransomware (e.g., Akira) and espionage.

Stealc campaign timeline, peaking in 2025.

Indicators of Compromise (IOCs)

Analysis reveals diverse IOCs. Example hashes (SHA256) from V2 samples:

  • Packed Sample: 0b921636568ee3e1f8ce71ff9c931da5675089ba796b65a6b212440425d63c8c
  • Dropped Payload: dd36c7d50cb05761391a7f65932193ec847d34f8ba1bb2f2a43ecf4985d911f4
  • Standalone: 1e09d04c793205661d88d6993cb3e0ef5e5a37a8660f504c1d36b0d8562e63a2

C2 URLs: hxxp://185.5.248[.]95/libs/mozglue.dll

IPs (low VT hits, from pastebin-like dumps): 31.57.147.77 (Stealerium C2), plus 40 others, e.g., 185.5.248.95 (8/90 hits).

YARA snippet for detection (image in the original post).

Monitor for systeminfo.txt in exfil zips.

Recently Observed Stealc C2 Infrastructure (November–December 2025)

Telemetry and sinkholing efforts in the past 45 days identified the following IP addresses actively receiving Stealc exfiltrated logs. At the time of analysis, most exhibited very low detection ratios on VirusTotal (< 12/95).

These addresses are strongly recommended for network-level blocking:


The rapid rotation of these C2 endpoints highlights Stealc’s continued reliance on low-reputation and bulletproof hosting providers to maintain operational resilience. Organizations are advised to implement immediate blocking of the listed IPs at perimeter firewalls, web proxies, and DNS resolvers. Regular monitoring for outbound connections to newly registered or low-reputation IPs remains critical, as additional Stealc infrastructure is likely to surface in the coming weeks.

Mitigation and Best Practices

  • Detection: Use EDR for WinAPI abuse (T1555.003) and anomalous HTTP POSTs.
  • Prevention: Enforce MFA, browser sandboxing, and script blocking. Scan 3D assets.
  • Response: Isolate via network segmentation; hunt for DPAPI calls.
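The behaviours from the technical analysis (chrome.exe launched with --remote-debugging-port, zipped HTTP POSTs to /api/v2/upload) and the defanged C2 URL from the IOC section can be expressed as host and proxy detections, which is the “anomalous HTTP POSTs” check the mitigation list calls for. The Python below is an added example, not Foresiet's code; the event schema, field names and sample events are constructed assumptions.

```python
import re

# Behaviours and indicators named on the page: chrome.exe launched with
# --remote-debugging-port (App-Bound Encryption bypass), zipped data POSTed
# to the V2 upload path, and one defanged C2 URL from the IOC section.
C2_DEFANGED = ["hxxp://185.5.248[.]95/libs/mozglue.dll"]
UPLOAD_PATH = "/api/v2/upload"
BARE_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def detect(event: dict) -> list:
    """Return detection names for one event. Event fields are an assumed
    schema for this example: type ('process'|'http'), image, cmdline,
    method, url, content_type."""
    hits = []
    if event["type"] == "process":
        image = event.get("image", "").lower()
        if image.endswith("chrome.exe") and "--remote-debugging-port" in event.get("cmdline", ""):
            hits.append("chrome_remote_debugging_port")
    elif event["type"] == "http":
        url, method = event.get("url", ""), event.get("method", "")
        if method == "POST" and url.endswith(UPLOAD_PATH):
            hits.append("stealc_v2_upload_path")
        if url in {refang(u) for u in C2_DEFANGED}:
            hits.append("known_stealc_c2_url")
        # Archive POSTed straight to a bare IP: the exfil shape the page describes.
        if method == "POST" and BARE_IP_URL.match(url) \
                and event.get("content_type", "").startswith("application/zip"):
            hits.append("zip_post_to_bare_ip")
    return hits


# Constructed sample telemetry (not real events; 203.0.113.10 is a test-net address).
EVENTS = [
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --remote-debugging-port=9222 --headless"},
    {"type": "http", "method": "GET", "url": "http://185.5.248.95/libs/mozglue.dll"},
    {"type": "http", "method": "POST", "url": "http://203.0.113.10/api/v2/upload",
     "content_type": "application/zip"},
    {"type": "http", "method": "GET", "url": "https://example.com/index.html"},
]


def run(events=EVENTS) -> dict:
    """Map event index to its detections, skipping clean events."""
    return {i: hits for i, e in enumerate(events) if (hits := detect(e))}
```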


Conclusion

Stealc’s adaptability—from forum sales to Blender lures—underscores the infostealer threat’s persistence into 2025. With V2’s stealth upgrades and ecosystem ties, it drives billions in illicit gains. Proactive monitoring and layered defenses are essential to counter its file-by-file exfil and credential harvests. 
