In an unusual twist, security researchers managed to turn the tables on cybercriminals behind StealC, a widely used information-stealing malware, by exploiting a flaw in the criminals\u2019 own control panel.<\/p>\n
Researchers at CyberArk discovered a cross-site scripting (XSS) vulnerability in StealC\u2019s web-based control panel, a tool used by malware operators to manage campaigns and view stolen data. The flaw allowed researchers to spy on active malware operators, steal session cookies, and remotely hijack active panel sessions.<\/p>\n
Popular Malware With A Critical Weakness<\/strong><\/p>\n StealC is an infostealer malware that first appeared in early 2023 and is sold under a Malware-as-a-Service (MaaS) model on underground cybercrime forums. Customers pay to use it to steal passwords, browser cookies, and other sensitive information from infected computers.<\/p>\n In 2025, the malware\u2019s developers released StealC version 2.0, which added features such as Telegram alerts and a flexible malware builder. Around the same time, the source code for StealC\u2019s web control panel was leaked online, allowing security researchers to conduct a detailed review of how the operation worked behind the scenes.<\/p>\n While analysing the leaked code, CyberArk researchers found a simple but powerful XSS vulnerability in the StealC control panel. Despite running a business built around large-scale cookie theft, the StealC panel failed to protect its own session cookies using basic security measures such as HttpOnly flags, allowing its own session cookies to be stolen.<\/p>\n CyberArk chose not to disclose the technical details of the flaw, stating that this would prevent StealC operators from quickly identifying and fixing the issue.<\/p>\n Tracking A Malware Operator<\/strong><\/p>\n The research zeroed in on a StealC customer, dubbed \u201cYouTubeTA\u201d by researchers, who ran extensive malware campaigns throughout 2025.<\/p>\n According to panel data, this single operator collected more than 5,000 victim logs, stealing approximately 390,000 passwords and over 30 million browser cookies. While many of the cookies were non-sensitive, the scale of the operation was significant.<\/p>\n Screenshots captured by the malware revealed how victims were compromised. In many cases, users were searching YouTube for cracked versions of Adobe Photoshop and Adobe After Effects. The malicious malware links were often posted on older, legitimate-looking YouTube channels with thousands of subscribers, suggesting the attacker had hijacked previously compromised accounts to spread the malware.<\/p>\n