In late 2025, researchers from Kaspersky’s Securelist unearthed a previously unknown information-stealing malware dubbed Arkanix Stealer. Unlike long-standing commodity malware families, Arkanix was notable for its rapid development cycle, dual-language codebase (Python and C++), and modular architecture—features that enabled efficient data harvesting and sophisticated post-exploitation capabilities.
Background: Emergence and Ecosystem
Arkanix Stealer was first observed advertised on underground forums and Discord channels in October 2025. The authors marketed it under a Malware-as-a-Service (MaaS) model—selling access to both the malware payload and an online control panel where operators could configure features and monitor stolen data.
Unlike traditional turnkey malware, this service included configurable payloads, a referral program, and tiered feature sets, mirroring legitimate software distribution practices. However, by the time Securelist published its analysis (February 19, 2026), the affiliate panel and promotional infrastructure had already been taken down.
Infection & Delivery Mechanisms
The precise primary infection vector for Arkanix remains undetermined, but available loader artifacts strongly suggest phishing and social-engineering tactics. Filenames such as steam_account_checker_pro_v1.py, discord_nitro_checker.py, and TikTokAccountBotter.exe indicate that malicious campaigns masqueraded as game-related tools or utility scripts to lure victims into executing hostile payloads.
Once executed, these loader scripts perform the following general sequence:
- Install required Python modules (e.g., requests, pycryptodome, psutil) without proper validation.
- Register the compromised host with the Arkanix control infrastructure via API calls.
- Retrieve and execute the core infostealer logic dynamically.
This flexible delivery model allowed threat actors to deploy multiple variants and modify features on the fly.
Architecture: Python and Native C++ Implementations
Python Variant
The Python-based version relied on interpreted logic for rapid feature updates. Upon launch, it dynamically requested configuration and payload updates from the command-and-control (C2) server. Its modular structure enabled aggressive expansion of exfiltration capabilities without altering the base loader.
Key features included:
- Browser Data Extraction: Credentials, cookies, autofill data, and browsing history from 22 supported browsers, with targeted focus on financial and cryptocurrency-related keywords.
- Telegram Data Collection: Full or selective ZIP archiving of Telegram session data and logs.
- Discord Capabilities: Credential harvesting from the native and custom Discord clients, plus optional self-spreading via API misuse.
- VPN Credential Harvesting: Extraction of saved credentials from major VPN client files (e.g., NordVPN, ExpressVPN, ProtonVPN).
- Arbitrary File Retrieval: Targeted search and exfiltration of documents and media matching a curated list of sensitive filenames.
Collected data was serialized and saved locally before exfiltration to the C2 server—making detection and forensic analysis more challenging.
Native C++ Variant
The C++ build represented the production-grade release of Arkanix with the following notable characteristics:
- VMProtect Obfuscation: Built-in code obfuscation complicated static analysis and signature-based detection.
- Anti-Instrumentation Tactics: Checks were implemented to detect sandboxed environments and debuggers before execution.
- Advanced Exfiltration Modules: Additional components such as remote desktop protocol (RDP) credential harvesting, gaming platform credential theft (e.g., Steam, Epic Games), and screenshot capture via WinAPI.
- Process Injection: The C++ variant could inject hostile code into browser processes to bypass security boundaries and extract protected credentials (e.g., the Chrome master key).
Both variants exhibited encrypted communication with C2 using modern cryptographic schemes, increasing resistance to interception and analysis.
Capabilities and Targeting
Arkanix’s objective was comprehensive data exfiltration. Targets included:
- Stored browser credentials (passwords, cookies, autofill data)
- Cryptocurrency wallets and associated extension data
- Instant messaging session data
- VPN and gaming platform credentials
- System info (OS version, hardware, installed applications)
This wide net demonstrates a typical infostealer’s scope—seeking high-value credentials and digital assets for rapid monetization.
Command-and-Control Infrastructure & Lifecycle
Arkanix used a centralized C2 domain (arkanix[.]pw) routed through Cloudflare to obscure infrastructure details. Victim machines registered via API calls, and dynamic feature lists were delivered on demand.
Control panels allowed attackers to monitor compromise metrics and tailor payload distribution. The panel, now defunct, included a referral feature, suggesting an attempt to grow the affiliate base through the same kind of referral-driven propagation used in legitimate SaaS marketing.
Detection, Mitigation, and Prevention
Classic infostealer behavior involves silent data harvesting followed by asynchronous exfiltration. Detection strategies include:
- Behavioral analysis: Look for unusual outbound connections to known C2 domains, and for on-the-fly installation and execution of Python modules by processes or users that would not normally do so.
- Endpoint monitoring: Watch for credential store access patterns, browser process injection, or encryption API misuse.
- User education: Phishing remains the dominant initial vector; user training reduces execution of lures like fake utilities and game tools.
Because stealers often use living-off-the-land binaries or pack legitimate components (e.g., Python interpreters), signature-based detection alone is insufficient—behavior-based and heuristic models are essential.
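A defender-side correlation of the loader sequence and C2 behaviour described on this page, added here as an example (it is not code from the Securelist analysis or from the malware). It assumes a simple endpoint-telemetry schema of process and network events; hostnames, timestamps and the pypi.org connection are constructed, while the module names, lure filename and C2 domain are the ones stated above.

```python
"""Correlate the two Arkanix loader signals named on the page: a pip install of
the loader's module set, then a Python process contacting the C2 domain. Either
alone is noisy; the ordered pair on one host is not. Telemetry is constructed."""
from datetime import datetime, timedelta

LOADER_MODULES = {"requests", "pycryptodome", "psutil"}   # named on the page
C2_DOMAINS = {"arkanix.pw"}        # defanged on the page as arkanix[.]pw
PYTHON_IMAGES = {"python.exe", "pythonw.exe", "python3", "python"}

def is_python(image):
    """Match the interpreter by basename, whatever the install path or OS."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower() in PYTHON_IMAGES

def pip_installs_loader_set(cmdline):
    """True if a single pip install command line covers all of LOADER_MODULES."""
    tokens = set(cmdline.lower().replace(",", " ").split())
    return "install" in tokens and bool({"pip", "pip3"} & tokens) and LOADER_MODULES <= tokens

def detect_loader_chain(events, window=timedelta(minutes=5)):
    """Alert on hosts where a loader-style pip install is followed within
    `window` by a Python process connecting to a known C2 domain."""
    alerts, staged = [], {}   # staged: host -> time of last suspicious pip install
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts = ev["host"], ev["ts"]
        if ev["type"] == "process" and pip_installs_loader_set(ev["cmdline"]):
            staged[host] = ts
        elif (ev["type"] == "network" and is_python(ev["image"])
              and ev["dest"].lower() in C2_DOMAINS):
            t0 = staged.pop(host, None)
            if t0 is not None and ts - t0 <= window:
                alerts.append({"host": host, "first_seen": t0, "c2": ev["dest"],
                               "reason": "loader module install then Python C2 connection"})
    return alerts

T0 = datetime(2026, 1, 15, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed telemetry; the lure filename is one the page lists
    {"ts": T0, "host": "WS-01", "type": "process", "image": "C:\\Python\\python.exe",
     "cmdline": "python.exe steam_account_checker_pro_v1.py"},
    {"ts": T0 + timedelta(seconds=4), "host": "WS-01", "type": "process",
     "image": "C:\\Python\\python.exe",
     "cmdline": "python.exe -m pip install requests pycryptodome psutil"},
    {"ts": T0 + timedelta(seconds=41), "host": "WS-01", "type": "network",
     "image": "C:\\Python\\python.exe", "dest": "arkanix.pw"},
    {"ts": T0, "host": "DEV-07", "type": "process", "image": "/usr/bin/python3",
     "cmdline": "python3 -m pip install requests pycryptodome psutil"},  # benign developer
    {"ts": T0 + timedelta(seconds=3), "host": "DEV-07", "type": "network",
     "image": "/usr/bin/python3", "dest": "pypi.org"},
]
```

The developer host installs the same modules but never talks to the C2 domain, so it produces no alert; in production the C2 set would be fed from threat intelligence rather than hard-coded.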
Conclusion
Arkanix Stealer represents a trend in rapidly evolving infostealer threats: modular, multi-language payloads sold as MaaS, with extensive feature sets aimed at maximizing credential and asset theft. While its campaign was relatively short-lived, the technical breadth—spanning browser exfiltration, VPN credential harvesting, messaging data theft, and modular C2 scaling—showcases the increasing sophistication of commercialized malware offerings.
