A brand new infostealer named ‘Arkanix Stealer’ operated as a malware-as-a-service (MaaS) enterprise in a one-shot marketing campaign, Kaspersky says.
Carried out in each C++ and Python, the malware emerged in October 2025, when its developer began promoting it in underground discussion board posts, however seemingly ceased operations in December, when its management panel and Discord channel disappeared.
Whereas short-lived, Arkanix Stealer did present miscreants with broad information-stealing capabilities, accumulating system and person data, software particulars, browser information, Telegram and Discord information, VPN data, and stealing information from particular directories.
As a part of the MaaS, customers have been supplied with entry to a management panel permitting them to configure payloads and entry statistics.
Customers have been supplied with a browser post-exploitation device named ChromElevator, delivered through a local C++ model of the malware that might additionally harvest cryptocurrency pockets information.
The Python variant of the stealer, Kaspersky says, was deployed through a Python script, typically bundled with PyInstaller or Nuitka, and will dynamically modify its configuration by making GET requests to a distant server.
Arkanix Stealer may gather broad system data, together with CPU, GPU, RAM, OS, display, keyboard, and time zone information, together with particulars on the put in software program, together with antivirus and VPN functions.
It may additionally goal 22 browsers to reap data corresponding to historical past, autofill data, passwords, cookies, and 0Auth2 information, in addition to Telegram messages and Discord credentials.
The analyzed stealer pattern additionally contained a self-spreading function, buying a listing of the sufferer’s Discord pals and channels through the Discord API, and sending a configured message to them.
Kaspersky additionally noticed the malware accumulating credentials from recognized VPN shoppers, corresponding to Mullvad VPN, NordVPN, ExpressVPN, and ProtonVPN.
Utilizing a pre-defined set of paths, the malware was seen exfiltrating information from a number of directories related to the present person, packing them in a ZIP archive, and sending them to the command-and-control (C&C) server.
The malware may additionally fetch extra modules from the C&C to increase its capabilities. These modules embody a Chrome grabber, a pockets patcher, an additional collector, and a Python script positioned within the startup folder to be executed at system boot.
The native variant makes use of VMProtect, with out code virtualization, implements anti-analysis options, collects RDP connection particulars, targets gaming information and shoppers for credential theft, captures screenshots, and exfiltrates browser information.
Kaspersky recognized two servers used to host the stealer panel and monitor victims, each secured through a sign-in web page. The malware’s developer additionally maintained a Discord channel to work together with customers and applied a referral program to draw clients.
“This marketing campaign tends to be extra of a one-shot marketing campaign for fast monetary positive factors somewhat than a long-running an infection. The panel and the Discord chat have been taken down round December 2025, leaving no message or traces of additional growth or a resurgence,” Kaspersky notes.
Associated: ‘SolyxImmortal’ Data Stealer Emerges
Associated: Infostealer Malware Delivered in EmEditor Provide Chain Assault
Associated: New ‘Sandworm_Mode’ Provide Chain Assault Hits NPM
Associated: New Keenadu Android Malware Discovered on Hundreds of Units
