
In a comprehensive technical report, ThreatLabz has dissected the inner workings of StealC V2, a major upgrade to one of the most elusive information-stealing malware families in circulation. Since its debut in early 2023, StealC has gained traction among cybercriminals for its stealth, modularity, and flexibility. The March 2025 release of StealC V2 introduces a redesigned control panel, expands payload support, and upgrades its encryption.
While originally developed as an information stealer, StealC V2 has become a multi-functional malware delivery platform, able to exfiltrate sensitive data, deploy additional payloads, and evade detection.
“StealC V2… utilizes a JSON-based network protocol with RC4 encryption implemented in recent variants,” the report states, highlighting its evolution from plaintext communication to encrypted data exfiltration.
ThreatLabz also confirmed StealC V2 now delivers Microsoft Software Installer (MSI) packages, PowerShell scripts, and EXE binaries—a significant enhancement over its predecessor.
The revamped control panel integrates a builder that allows threat actors to create highly targeted campaigns:
“A redesigned control panel provides an integrated builder that enables threat actors to customize payload delivery rules based on geolocation, hardware IDs (HWID), and installed software.”
Rule-based payload delivery means StealC can detect whether a victim has cryptocurrency wallets, gaming software, or email clients like Outlook—and then tailor its response accordingly. A screenshot shows one such marker set to trigger on stolen data containing coinbase.com, enabling automated follow-up payloads.

StealC V2 now includes:
- Multi-monitor screenshot capture
- A unified file grabber targeting:
  - Cryptocurrency wallets
  - Gaming applications
  - VPNs
  - Instant messengers
  - Browsers
- Server-side brute-forcing of stolen credentials
The malware exits on systems whose language settings belong to Commonwealth of Independent States (CIS) countries, and it checks for an already-running instance so that only one copy executes, both of which reduce its footprint.
One of the most critical upgrades is the use of RC4 encryption for both network traffic and internal string obfuscation. Each response also carries a unique key-value pair, so two responses with the same content do not produce the same bytes on the wire. “This technique is used to avoid static signatures for the responses,” ThreatLabz explains.
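To make the two points above concrete (the JSON-over-RC4 protocol, and a unique key-value pair per message defeating static signatures), here is an added example written for this article. It is not StealC code and not from the ThreatLabz report: the field names (`cmd`, `hwid`), the key, and the placement of the random pair are all assumptions. It implements RC4, wraps a JSON object with a random pair, and then measures how many leading ciphertext bytes two messages share. The caveat it shows is that RC4 with a fixed key is a stream cipher with a fixed keystream, so a random pair appended at the end leaves the whole ciphertext prefix constant; only a random pair at the front (with a random key name, not just a random value) shrinks the constant prefix to the `{"` that every JSON object starts with. `try_decode` is the analyst-side check: decrypt with a candidate key recovered from a sample and accept only valid JSON.

```python
"""RC4-encrypted JSON messages: encrypt, decrypt, and check signature-resistance.

Added illustration, not StealC's real protocol. Field names, key material and
message layout are assumptions made for the example.
"""
import json
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XORed over data; the same call encrypts and decrypts."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_message(key: bytes, fields: dict, nonce: bytes, nonce_first: bool) -> bytes:
    """Serialize fields as compact JSON plus a unique key-value pair, then RC4 it.

    The unique pair uses a random key name AND a random value (assumed layout);
    nonce_first decides whether it is the first or the last member of the object.
    """
    token = nonce.hex()                      # 8 bytes -> 16 hex chars
    random_pair = {token[:8]: token[8:]}
    msg = {**random_pair, **fields} if nonce_first else {**fields, **random_pair}
    plaintext = json.dumps(msg, separators=(",", ":")).encode()
    return rc4(key, plaintext)


def try_decode(key: bytes, blob: bytes) -> Optional[dict]:
    """Analyst side: decrypt with a candidate key and accept only a JSON object.

    A wrong key yields garbage that fails UTF-8 or JSON parsing, so None comes back.
    """
    try:
        obj = json.loads(rc4(key, blob).decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes two ciphertexts share (what a static signature could match)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def demo() -> dict:
    """Two messages with identical fields and different nonces, both layouts."""
    key = b"example-key-not-from-a-real-sample"        # constructed
    fields = {"cmd": "grab", "hwid": "ABCDEF0123456789"}  # constructed
    n1, n2 = bytes(8), b"\xff" * 8   # fixed "random" nonces so the run is reproducible
    nonce_last = [build_message(key, fields, n, nonce_first=False) for n in (n1, n2)]
    nonce_first = [build_message(key, fields, n, nonce_first=True) for n in (n1, n2)]
    return {
        # fixed keystream + identical plaintext prefix => identical ciphertext prefix
        "prefix_nonce_last": common_prefix_len(*nonce_last),    # 41 bytes, up to the random key name
        "prefix_nonce_first": common_prefix_len(*nonce_first),  # 2 bytes: just '{"'
        "decoded": try_decode(key, nonce_first[0]),
        "wrong_key": try_decode(b"not-the-key", nonce_first[0]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Even in the best case the first two ciphertext bytes stay constant for a given key, because every message starts with `{"` and the keystream never changes; that constant pair is itself a weak but usable fingerprint for traffic from one C2, and once a key is recovered from a sample, `try_decode` turns the whole channel back into readable JSON.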
Despite its sophistication, StealC V2 does not establish persistence. However, it is frequently deployed alongside other malware—such as Amadey—in multi-stage infection chains. StealC V2 samples are often packed with Themida, and its execution includes a two-stage string deobfuscation routine.
Interestingly, early versions of V2 returned fake 404 errors to disguise their command-and-control servers, but the feature was later removed after researchers flagged it.
StealC’s ecosystem includes version-controlled builder templates that are distributed via encrypted ZIP archives. The control panel requires operators to submit their C2 path and encryption key to the seller, who then issues a tailored builder template. Updates are enforced via JSON-based manifests that keep every operator on a consistent build: “The builder requires a version update… to be uploaded via the framework’s admin settings,” the report notes.
ThreatLabz concludes that StealC V2 is under active development, with frequent updates, version tracking, and a growing feature set designed to evade defenses and maximize payload efficiency: “StealC V2 introduces improvements… that provide more targeted information collection.”
With its modular architecture, stealthy communications, and highly customizable deployment strategy, StealC V2 remains one of the most potent and adaptable info-stealing platforms circulating in cybercrime forums today.