Arkanix Stealer – A Short-Lived but Potent Infostealer
In late 2025, a new malware-as-a-service (MaaS) operation called Arkanix Stealer briefly emerged, offering cybercriminals a powerful toolkit for harvesting sensitive data. Despite lasting only a few months, its capabilities highlight the growing sophistication of infostealers and the SaaS-like models driving cybercrime.
Dual Implementation: C++ and Python
Arkanix Stealer was implemented in both C++ and Python, giving attackers flexibility:
- C++ Variant: Delivered advanced features like ChromElevator, cryptocurrency wallet theft, and anti-analysis protections using VMProtect.
- Python Variant: Distributed via PyInstaller or Nuitka, capable of updating its configuration at run time through GET requests to a remote server.
Information Theft Capabilities
The stealer targeted a wide range of data sources:
- System Data: CPU, GPU, RAM, OS, screen, keyboard, time zone.
- Applications: Antivirus, VPN clients (Mullvad, NordVPN, ExpressVPN, ProtonVPN).
- Browsers: 22 browsers targeted for history, autofill, passwords, cookies, and OAuth2 tokens.
- Messaging Apps: Telegram messages and Discord credentials.
- Files: Exfiltrated from predefined directories, packed into ZIP archives, and sent to C&C servers.
Self-Spreading via Discord
One of the standout features was its self-spreading mechanism:
- Leveraged the Discord API to collect friends and channels.
- Sent pre-configured messages to victims’ contacts, propagating infection.
Modular Expansion
Arkanix Stealer could fetch additional modules from its C&C server:
- Chrome Grabber
- Wallet Patcher
- Extra Collector
- Startup Persistence Script
Business Model: MaaS Infrastructure
The campaign mirrored legitimate SaaS operations:
- Control Panel: Allowed payload configuration and victim monitoring.
- Discord Channel: Provided customer support and community interaction.
- Referral Program: Incentivized new customers.
Campaign Timeline
- October 2025: Advertised in underground forums.
- December 2025: Control panel and Discord channel taken down, signaling the end of operations.
Kaspersky concluded that Arkanix Stealer was a one-shot campaign aimed at quick financial gains rather than long-term persistence.
Indicators of Compromise (IOCs) extracted from Kaspersky’s analysis
File Hashes
Domains & IPs
- arkanix[.]pw → 195.246.231[.]60
- arkanix[.]ru → 172.67.186[.]193
Notable C2 Endpoints
- hxxps://arkanix[.]pw/api/session/create
- hxxps://arkanix[.]pw/stealer.py
- hxxps://arkanix[.]pw/api/features/{payload_id}
- hxxps://arkanix[.]pw/upload_dropper.py
- /delivery (used for exfiltrating Telegram data)
- /api/chrome-grabber-template/{payload_id}
- /api/wallet-patcher/{payload_id}
- /api/extra-collector/{payload_id}
- /hvnc (HVNC module, placed in the Startup folder)
Detection Names (Kaspersky)
- Trojan-PSW.Win64.Coins.*
- HEUR:Trojan-PSW.Multi.Disco.gen
- Trojan.Python.Agent.*
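As an added example (not code from Kaspersky's report or from this write-up), the script below refangs the domains, IPs and C2 paths listed above and runs them as a detection over a few constructed proxy-log lines; the log layout and the hosts example.org and cdn.example.net are assumptions, and a known C2 path on an unknown host is flagged separately so a rebuild of the same panel on new infrastructure still surfaces for triage.

```python
import re
from urllib.parse import urlsplit
# Defanged indicators as printed in the write-up; {payload_id} is the page's own placeholder.
DEFANGED_HOSTS = ["arkanix[.]pw", "arkanix[.]ru", "195.246.231[.]60", "172.67.186[.]193"]
C2_PATHS = ["/api/session/create", "/stealer.py", "/api/features/{payload_id}",
            "/upload_dropper.py", "/delivery", "/api/chrome-grabber-template/{payload_id}",
            "/api/wallet-patcher/{payload_id}", "/api/extra-collector/{payload_id}", "/hvnc"]

def refang(indicator):
    """Undo the usual defanging: [.] -> . and hxxp(s) -> http(s)."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def path_regex(template):
    """Turn a listed path such as /api/features/{payload_id} into an anchored regex."""
    literal = [re.escape(part) for part in template.split("{payload_id}")]
    return re.compile("^" + "[^/]+".join(literal) + "$")

HOSTS = {refang(h) for h in DEFANGED_HOSTS}
PATH_RES = [path_regex(p) for p in C2_PATHS]

def classify(url):
    """Verdict for one URL: known host + known path, host only, path only, or None."""
    parts = urlsplit(url)
    host_hit = (parts.hostname or "").lower() in HOSTS
    path_hit = any(r.match(parts.path) for r in PATH_RES)
    if host_hit and path_hit:
        return "c2_endpoint"
    if host_hit:
        return "c2_host"
    if path_hit:
        return "c2_path_unknown_host"  # same panel API layout on new infrastructure: triage it
    return None

def scan(log_text):
    """Return (client, url, verdict) for each matching line of a '<ts> <client> <method> <url> <status>' log."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and (verdict := classify(fields[3])):
            hits.append((fields[1], fields[3], verdict))
    return hits
# Constructed sample proxy log (assumed format, not real traffic).
SAMPLE_LOG = """\
2025-11-03T10:12:01Z 10.0.0.5 POST https://arkanix.pw/api/session/create 200
2025-11-03T10:12:09Z 10.0.0.5 GET https://arkanix.pw/api/features/7f3a 200
2025-11-03T10:13:44Z 10.0.0.7 GET https://example.org/index.html 200
2025-11-03T10:15:02Z 10.0.0.9 GET http://172.67.186.193/hvnc 200
2025-11-03T10:16:30Z 10.0.0.5 GET https://cdn.example.net/api/wallet-patcher/7f3a 200
"""
```

Running `scan(SAMPLE_LOG)` returns four hits: three c2_endpoint matches and one c2_path_unknown_host for the wallet-patcher request to an unlisted CDN host.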
Conclusion
Arkanix Stealer may have been short-lived, but its breadth of capabilities and SaaS-like infrastructure demonstrate how cybercriminals continue to innovate. Monitoring such campaigns is crucial, as they often serve as prototypes for future, more persistent threats.