An enhanced version of the StealC infostealer has been found in the wild, featuring a slew of upgrades that improve its stealth, payload control, and data exfiltration capabilities.
Dubbed StealC V2, this latest variant shows how malware authors are rapidly evolving commodity stealers into sophisticated, modular tools that are able to evade modern detection techniques.
Researchers from Zscaler ThreatLabz identified and analyzed multiple recent samples of StealC V2, and discovered that it has adopted RC4 encryption, PowerShell-based execution, and a redesigned command-and-control (C2) protocol.
Also, this scourge now features a modular control panel that allows bad actors to customize the malware’s behavior—choosing which payloads to deploy, how to exfiltrate data, and under what conditions to terminate activity.
More Than an Infostealer
First seen in early 2023, StealC has evolved to keep pace with cybersecurity defenses. V2 features changes that blur the line between commodity stealer and purpose-built espionage tool.
Among the most significant changes is the use of RC4 encryption to protect C2 traffic, replacing older, plaintext methods. This adds a layer of operational security, making it harder for defenders to inspect network traffic and pinpoint malicious behavior.
Zscaler also saw new anti-analysis features such as debugger detection, environment fingerprinting, and self-termination if the malware runs on systems using Russian or CIS-region language settings.
Modular Payloads and Dynamic Control
At the heart of StealC V2’s upgrade is its rule-based payload delivery system, controlled by a modular PHP-based control panel. This interface gives attackers flexibility to:
- Push different payloads based on target criteria
- Use MSI, PowerShell, or script-based execution paths
- Exfiltrate browser credentials, cookies, and crypto wallet data
- Monitor infection success rates and adjust in real time
It also includes time-based self-destruction features, ensuring that samples expire if not used within a specific window. This is likely a trick designed to frustrate forensic analysis.
Command-and-Control Overhaul
StealC V2 has an entirely new C2 communication protocol, using HTTP port 80 and RC4-encrypted messages. It encrypts all payload instructions and stolen data before exfiltration, and adds status updates such as “error|0” or “success|cookie”—indicators that enable malefactors to hone their delivery campaigns.
Researchers also discussed the malware’s ability to reconnect and reattempt delivery in the event of an initial failure, suggesting improved resilience.
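To make the protocol change concrete for analysts, here is an added example (not Zscaler's or the malware's own code) that decrypts captured C2 bodies with RC4 and parses the "status|detail" beacons the article cites. It assumes the RC4 key has already been recovered from a sample; the key and captured bodies below are constructed placeholders.

```python
# Added example (not Zscaler's or the malware's code): decrypt captured
# StealC V2-style C2 bodies (RC4 over HTTP/80) with a key assumed to have been
# recovered from a sample, then parse "error|0" / "success|cookie" beacons.

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def parse_status(plaintext: bytes):
    """Return (status, detail) for a 'status|detail' beacon, else None."""
    try:
        text = plaintext.decode("ascii")
    except UnicodeDecodeError:
        return None
    if text.count("|") != 1:
        return None
    status, detail = text.split("|")
    if status not in ("error", "success") or not detail:
        return None
    return status, detail

def decode_capture(key: bytes, bodies):
    """Decrypt each captured HTTP body; keep those that parse as beacons."""
    results = []
    for body in bodies:
        parsed = parse_status(rc4(key, body))
        if parsed is not None:
            results.append(parsed)
    return results

# Constructed sample: hypothetical recovered key, two encrypted beacons and
# one unrelated body that must be rejected.
SAMPLE_KEY = b"hypothetical-key"
SAMPLE_BODIES = [
    rc4(SAMPLE_KEY, b"error|0"),
    rc4(SAMPLE_KEY, b"success|cookie"),
    b"\x00\x01\x02 not a beacon",
]
```

Because RC4 is symmetric, the same routine turns a captured body back into the plaintext beacon, which is why a recovered key lets defenders triage traffic that TLS inspection alone would not expose.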
The Implications for Defenders
While StealC started off as your average infostealer, its evolution is part of a broader trend across the malware-as-a-service (MaaS) ecosystem: malicious tools are becoming more adaptable, cunning, and easy to control.
Zscaler recommends defenders take several actions. These include:
- Inspect encrypted traffic (TLS/SSL inspection) to detect hidden C2 activity
- Deploy behavior-based detection tools that monitor for abnormal MSI or PowerShell execution
- Segment networks and enforce least privilege access to contain infections
- Stay updated on threat intelligence surrounding malware families like StealC, which evolve rapidly
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.