StealC V2 enhances information stealing, introduces RC4 encryption, and provides a new control panel for more targeted payloads.
StealC is a popular information stealer and malware downloader that has been sold since January 2023. In March 2025, StealC version 2 (V2) was introduced with key updates, including a streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption (in the latest variants). The malware’s payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts. A redesigned control panel provides an integrated builder that enables threat actors to customize payload delivery rules based on geolocation, hardware IDs (HWID), and installed software. Additional features include multi-monitor screenshot capture, a unified file grabber, and server-side brute-forcing for credentials.
This blog post focuses on the recent changes in StealC V2, describing the improvements in payload delivery, encryption, control panel functionality, and the updated communication protocol.
Key Takeaways
A technical analysis of how a malware campaign using a game cheat lure leverages Node.js to distribute XMRig, Lumma and Phemedrone Stealer.
A major company made a staggering $75 million ransomware payment to hackers earlier this year, according to cybersecurity vendor Zscaler.
Zscaler made the claim in a Tuesday report examining the latest trends in ransomware attacks, which continue to ensnare companies, hospitals, and schools across the country.
A couple months ago, my colleague Winston Ho and I chained a series of unfortunate bugs into a zero-interaction local privilege escalation in Zscaler Client Connector. This was an interesting journey into Windows RPC caller validation and bypassing several checks, including Authenticode verification. Check out the original Medium blogpost for Winston’s own ZSATrayManager Arbitrary File Deletion (CVE-2023-41969)!
Beginning in March of 2024, Zscaler ThreatLabz observed a threat actor weaponizing a cluster of domains masquerading as legitimate IP scanner software sites to distribute a previously unseen backdoor. The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged GoogleAds to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites.
The newly discovered backdoor uses several techniques such as multiple stages of DLL sideloading, abusing the DNS protocol for communicating with the command-and-control (C2) server, and evading memory forensics security solutions. We named this backdoor “MadMxShell” for its use of DNS MX queries for C2 communication and its very short interval between C2 requests.
ThreatLabz created an IDA plugin to automate the deobfuscation of Pikabot’s strings.
Threat actors are creating and using fake Skype, Zoom, and Google Meet pages to spread RATs.
A comprehensive exploration of DuckTail's sophisticated infrastructure and insights gained from months of monitoring.
ThreatLabz observed a new campaign targeting a Government organization in which the threat actors utilized a new Command & Control (C2) framework named Havoc
ThreatLabz has discovered, hiding in app stores, a PHP variant of the Ducktail infostealer used to hijack Facebook Business accounts.
A ThreatLabz technical analysis of the latest variant of proxy-based AiTM attacks that are phishing enterprise users for their Microsoft credentials.
Raccoon is a malware family that has been sold as malware-as-a-service on underground forums since early 2019. In early July 2022, a new variant of this malware was released. The new variant, popularly known as Raccoon Stealer v2, is written in C unlike previous versions which were mainly written in C++.
Joker, Facestealers and Banker swarming Google Play store
The Lyceum APT group is targeting Middle East organizations with DNS hijacking attack using a new .NET-based malware.
Recently, the Zscaler ThreatLabZ team came across multiple fake Counter-Strike: Global Offensive (CS:GO) skin websites aimed at stealing Steam credentilsa.
