A new analysis by researchers at CyberArk describes how they uncovered operational details of a StealC malware operator by exploiting a vulnerability in the malware's leaked web panel. The findings demonstrate how poor security practices within criminal infrastructure can be turned against threat actors. StealC is information-stealing malware that has operated under a Malware-as-a-Service (MaaS) model since early 2023. It enables customers to steal passwords, session cookies, and other sensitive data from infected systems.[1]
In spring 2025, the developers released StealC v2, which introduced a new codebase and features, including server-side decryption of certain browser data. Shortly after, the web panel leaked, prompting technical analyses that highlighted flaws in encryption claims and overall code quality.
CyberArk researchers identified a simple cross-site scripting (XSS) vulnerability in the leaked StealC web panel. By exploiting this flaw, they gained visibility into operator activity, including system fingerprints, active sessions, and session cookies. This allowed them to monitor and interact with the panel from their own systems. The irony lies in the fact that an operation centered on large-scale cookie theft failed to implement basic protections, such as the HttpOnly flag on session cookies, against XSS attacks.
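The HttpOnly point above is the one most panel operators, and plenty of legitimate web applications, get wrong. The following added example (not CyberArk's code and not the StealC panel's) audits Set-Cookie headers for the attributes that limit what an injected script can do with a session cookie, rebuilds a weak header in hardened form, and mirrors the browser rule that document.cookie never exposes HttpOnly cookies. The header values at the bottom are constructed for illustration; the cookie name sid and its value are placeholders.

```python
"""Audit Set-Cookie headers for the attributes that limit what an XSS payload
can do with a session cookie.

Added example, not CyberArk's code nor the StealC panel's. The sample headers
at the bottom are constructed and do not come from any real system.
"""

# Attribute names as they should appear on the wire (keys are lower-cased).
CANONICAL = {
    "path": "Path", "domain": "Domain", "max-age": "Max-Age", "expires": "Expires",
    "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite",
}


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attr_lower: value or None}).

    Flag attributes such as Secure and HttpOnly carry no value and map to None.
    """
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attrs = {}
    for seg in segments[1:]:
        if not seg:
            continue
        key, has_eq, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else None
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> list[str]:
    """Return a list of findings; an empty list means the cookie is hardened."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: page script can read the cookie via document.cookie")
    if "secure" not in attrs:
        findings.append("Secure missing: cookie is also sent over plaintext HTTP")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite missing or None: cookie rides along on cross-site requests")
    return findings


def harden_set_cookie(header: str) -> str:
    """Rebuild the header with Secure, HttpOnly and SameSite=Strict applied."""
    name, value, attrs = parse_set_cookie(header)
    attrs.setdefault("path", "/")
    attrs["secure"] = None        # flag attribute, no value
    attrs["httponly"] = None      # flag attribute, no value
    attrs["samesite"] = "Strict"
    parts = [f"{name}={value}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        parts.append(label if val is None else f"{label}={val}")
    return "; ".join(parts)


def script_readable_cookies(headers: list[str]) -> list[str]:
    """Names of cookies that in-page script (including an XSS payload) can read.

    Browsers omit HttpOnly cookies from document.cookie, so only cookies set
    without that flag appear here.
    """
    readable = []
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        if "httponly" not in attrs:
            readable.append(name)
    return readable


# Constructed sample headers (placeholder cookie names and values).
WEAK_SESSION = "sid=0123456789abcdef; Path=/"
HARDENED_SESSION = harden_set_cookie(WEAK_SESSION)
TRACKING = "theme=dark; Path=/; Max-Age=31536000"

if __name__ == "__main__":
    for label, h in (("weak", WEAK_SESSION), ("hardened", HARDENED_SESSION)):
        print(f"{label}: {h}")
        for finding in audit_set_cookie(h):
            print("   -", finding)
    print("readable by script (weak):", script_readable_cookies([WEAK_SESSION, TRACKING]))
    print("readable by script (hardened):", script_readable_cookies([HARDENED_SESSION, TRACKING]))
```

Run against your own application's responses, `audit_set_cookie` turns the abstract advice into a checklist: a session cookie that produces any finding is one an XSS bug can exfiltrate or replay. HttpOnly does not fix the XSS itself, but it removes the cheapest payoff from it.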
The research focuses on a specific operator, referred to as YouTubeTA. This actor distributed StealC via YouTube videos that promoted "free software downloads," particularly cracked versions of Adobe products such as Photoshop and After Effects. Channels used for distribution often featured thousands of subscribers and legitimate videos posted years earlier, lending credibility. Many victims were shown in screenshots searching for cracked software on YouTube at the time of infection.
StealC build IDs associated with this operator included names such as "YouTube," "YouTube2," and "YouTubeNew." The malware captured more than 5,000 logs from victims, containing more than 390,000 stolen passwords and more than 30 million cookies (most of which were non-sensitive tracking cookies). The operator also used the panel's "markers" feature to highlight credentials from studio.youtube.com, suggesting an attempt to hijack YouTube content-creator accounts for further promotion.
Analysis indicated that YouTubeTA is likely a single individual. Evidence included a single admin user in the panel, consistent hardware fingerprints (e.g., screen resolution and WebGL renderer indicating an Apple device with an M3 processor), supported languages (English and Russian), and a time zone of GMT+0300 (Eastern European Summer Time). The operator typically used a VPN but slipped on several occasions in mid-July 2025, thereby exposing an IP address associated with a Ukrainian ISP (TRK Cable TV). This leads to a probable location in Eastern Europe.
The research illustrates the fragility of MaaS operations, in which rushed development and reused code create exploitable vulnerabilities. By exposing customer data through such flaws, researchers and law enforcement may gain valuable insights into malware operators and their networks in the future. CyberArk emphasizes that the work was conducted using publicly available information and leaked artefacts for defensive and educational purposes.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.cybersecurityintelligence.com/blog/-stealc-malware-distributed-on-youtube-9033.html