Security Researchers Exploit Flaw in StealC Malware Panel to Spy on Cybercriminal Operations

Cybersecurity researchers have exposed a serious security defect in the control panel used by operators of the StealC information-stealing malware, giving defenders an unusual opportunity to observe the inner workings of a criminal operation and gather intelligence on threat actors.

StealC, a widely distributed infostealer malware offered under a Malware-as-a-Service (MaaS) model since early 2023, is designed to siphon sensitive information from infected systems. It typically targets web browsers, capturing saved passwords, session cookies, autofill data, cryptocurrency wallets, and other credentials.

What Went Wrong in the Criminal Infrastructure

While analyzing StealC’s infrastructure, researchers discovered a cross-site scripting (XSS) vulnerability in the web-based control panel used by operators to manage campaigns and view stolen data. An XSS flaw lets attacker-supplied JavaScript run in the browser of whoever views the affected page—here, the panel operator—because the panel rendered untrusted input without proper validation and output encoding. In this case that allowed attackers (or, as it happened, researchers) to hijack sessions and read sensitive information such as session cookies.

The flaw was present in the panel’s code after the malware developer inadvertently leaked the source code for the control panel. This leak gave security teams the rare chance to audit the panel’s internals and identify the vulnerable portions of the web interface.

Ironically, despite StealC’s core business being cookie theft, the panel failed to protect its own session cookies with basic security measures like HttpOnly flags, which are designed to make cookies inaccessible to client-side scripts. This oversight made it possible for researchers to extract session cookies and impersonate active sessions in the control panel.

What the Exploit Revealed

By exploiting the vulnerability, researchers were able not only to spy on active malware operators but also to collect details about their systems, including hardware configurations and geographic clues. In one notable case, researchers identified a StealC customer using the moniker “YouTubeTA”. This operator used YouTube to distribute StealC by posting links that appeared to be cracked versions of popular software like Adobe Photoshop and After Effects.

Analysis of the leaked panel data indicated that this operator amassed over 5,000 logs, containing roughly 390,000 stolen passwords and more than 30 million cookies—though many of these cookies appeared to be tracking data rather than sensitive authentication tokens.

Researchers even uncovered an operational lapse in which the operator connected to the panel without a VPN, revealing a real IP address linked to an Eastern European internet provider and suggesting the actor was operating from a Russian-speaking region.

A Win for Security Research

Rather than publicly disclosing the technical details of the flaw—which could aid other malicious actors or prompt the StealC developers to patch it—security professionals chose to keep specifics under wraps. Their focus was on using the vulnerability strategically to gain insights into the malware’s operations and the individuals using it.

This unusual scenario highlights how weak security practices in criminal infrastructure can be exploited by defenders, potentially offering a valuable perspective into underground cybercrime ecosystems. It also underscores the evolving landscape of malware development and the necessity for robust security practices—even among threat actors—to avoid being turned against themselves.