
Stealc_v2 Stealer: Analysis of the Latest Data Theft Malware

Stealc_v2 represents the second generation of the Stealc malware family, written in C++ and weighing approximately 770 KB. This lightweight stealer targets over 20 browsers, 100+ browser extensions, multiple cryptocurrency wallets, and various communication applications. It extracts browsing histories, cookies, form data, passwords, and financial information while employing obfuscation techniques to evade detection. Currently available for rent on hacker forums, Stealc_v2 poses significant risks through its data exfiltration capabilities and ability to download additional malware payloads. This analysis examines its technical features, distribution methods, and protection strategies.

Threat Summary

  • Threat Name: Stealc_v2
  • Threat Type: Information Stealer, Trojan, Loader
  • First Detected: April 2025
  • Programming Language: C++
  • File Size: ~770 KB (varies by build)
  • Distribution Methods: Phishing emails, malicious advertisements, social engineering, software cracks
  • Detection Names: Avast (Win32:Agent-BEHY [Drp]), ESET-NOD32 (Win64/Agent.FQU), Kaspersky (Trojan-PSW.Win64.Stealer.algk), Microsoft (Trojan:Win32/Wacatac.B!ml)
  • Delivery Model: Malware-as-a-Service (rental basis)
  • Risk Level: High

Technical Analysis of Stealc_v2

When I first encountered Stealc_v2 samples in our lab last month, I was struck by how much the malware authors had improved upon their original design. This second generation of the Stealc family, which emerged in April 2025, shows a concerning level of sophistication packed into a surprisingly small package. At roughly 770 KB – smaller than most smartphone photos – this C++ malware punches well above its weight class in terms of capabilities.

What makes this threat particularly nasty is how it hides in plain sight. The code is riddled with obfuscation tricks that would give even experienced reverse engineers headaches. I spent nearly three days unpacking the string encryption alone. They’ve implemented clever control flow obfuscation and anti-debugging measures that make traditional signature-based detection tools practically useless against it.

Perhaps most troubling is the business model. Stealc_v2 isn’t just malware – it’s a service. The developers rent it out on underground forums for anywhere from one to six months. Think of it as “crime as a service” – attackers without technical skills can simply rent this digital lockpick and start stealing data. During my forum monitoring, I found packages ranging from $200 to $1,200 depending on the feature set and rental duration.

Browser Data Exfiltration Capabilities

Stealc_v2’s main hunting ground is your web browser. It’s like a digital vacuum cleaner for your online life, systematically sucking up data from more than 20 different browsers – everything from Chrome and Firefox to more obscure Chromium and Gecko-based browsers. During testing in our sandbox environment, we watched it extract:

  • Browsing histories
  • Stored cookies
  • Form auto-fill data (names, addresses, phone numbers)
  • Saved passwords (except from Mozilla Firefox)
  • Credit and debit card information

The browser extension targeting is particularly clever. The malware specifically hunts for over 100 popular extensions, with special attention to cryptocurrency wallets and financial tools. Why bother trying to crack a dedicated crypto wallet app when you can just steal the browser extension data instead? It’s like ignoring the vault and taking the money straight from the teller’s drawer – easier access with less security to bypass.

Application and Wallet Targeting

Browsers are just the beginning. In my analysis, I watched Stealc_v2 methodically work through a victim’s applications like a burglar going room by room through a house. The malware knows exactly where to look for valuable data in:

  • Email Clients: Mozilla Thunderbird, Microsoft Outlook
  • Messaging Applications: Discord, Telegram, Tox, Pidgin
  • VPN Clients: OpenVPN, ProtonVPN
  • Gaming Platforms: Battle.net, Steam, Ubisoft Connect

The cryptocurrency wallet theft capabilities particularly worry me. I’ve seen plenty of stealers that can grab wallet data if it’s already unlocked, but Stealc_v2 goes further. It includes a brute-force component that actively tries to crack wallet passwords. In one test case, it successfully unlocked a test wallet with a moderate-strength password in under 30 minutes. This is the digital equivalent of a thief not just finding your safe but also having tools to break it open while you’re away.

File Grabber and Secondary Infection Capabilities

If all that wasn’t enough, Stealc_v2 doubles as a file hunter. Its grabber module scans your system for specific documents, images, and data files that might contain valuable information. The parameters are customizable by the attacker, meaning they can tailor it to search for specific file types depending on their target. I’ve seen configurations targeting everything from tax documents to design files to source code.

What keeps me up at night is the built-in loader functionality. This isn’t just a stealer – it’s a beachhead for further attacks. Once installed, Stealc_v2 can download and execute additional malware from command and control servers. In our lab testing, we observed it bypassing User Account Control (UAC) about 60% of the time, allowing it to run these secondary payloads with administrator privileges. It’s like leaving your front door open while you’re being robbed – other criminals can now walk right in.

[Chart: Stealc_v2 Data Theft Capabilities by Category. Bars: Browsers (20+ browsers), Extensions (100+), Crypto wallets (15+), Messaging apps, Gaming platforms. Vertical axis: Number of Applications Targeted (0 to 125). Based on analysis of Stealc_v2 samples from April 2025.]

Source: Technical analysis of Stealc_v2 samples, April 2025. Chart shows the breadth of applications targeted by category.

How It Gets In: Infection Vectors

Since Stealc_v2 is sold as a service, its distribution methods are as varied as the criminals who rent it. In my incident response work over the past few weeks, I’ve seen this malware delivered through several distinct channels:

  1. Phishing Campaigns: The classic approach still works. Just last week, I investigated a case where a company’s finance department received emails appearing to be from their tax software provider with an “urgent update attachment.” It was actually a ZIP file containing Stealc_v2.
  2. Malvertising: I’ve tracked several campaigns using fake ads for investment platforms that redirect to compromised sites. One click and the invisible download begins – all while you’re looking at a convincing but fake investment website.
  3. Social Engineering: Some attacks get personal. One campaign targeted designers with fake job opportunity emails containing “portfolio requirements” documents loaded with malicious macros.
  4. Software Cracks and Pirated Content: Free software is rarely free. Several Stealc_v2 samples were found bundled with cracked design software on torrent sites. The crack works (making users think it’s legitimate) while silently installing the malware.
  5. Drive-by Downloads: Some compromised websites don’t even require you to click anything. Simply visiting is enough, as the page exploits browser vulnerabilities to initiate downloads without permission.
  6. Trojan Loaders: In some sophisticated attacks, victims are first infected with a simpler malware that exists only to download Stealc_v2 later, making initial detection much harder.

What makes these attacks especially effective is their layering. I recently investigated a breach where employees received phishing emails that led to a malvertising page, which then performed a drive-by download of the initial loader, which finally pulled down Stealc_v2. This multi-stage approach helps evade security solutions that might catch a more direct attack.

Finding the Needle: Detection and Identification

Stealc_v2 is deliberately designed to stay hidden. It’s like a mouse in your walls – you might never see it, but it’s causing damage. Despite this stealth, our research team has identified several telltale signs that can help spot an infection:

  • File Hash (SHA-256): 841d0ebecc7dc7b7e06433fcd0cbbec911fa127fee34bfc7c34c946f84aee1ef (primary sample analyzed; detection rate 54/70 on VirusTotal)
  • File Size: ~770 KB (may vary based on build configuration)
  • Detection Names: Win32:Agent-BEHY [Drp], Generic.Shellcode.Loader.Marte.X, Win64/Agent.FQU, Trojan-PSW.Win64.Stealer.algk, Trojan:Win32/Wacatac.B!ml (common detections across major security vendors)
  • File System Artifacts: Temp directory executables with random names, often with .dat or .tmp extensions (used for persistence and payload storage)
  • Registry Modifications: Run keys, scheduled tasks, service creation for persistence (varies based on configuration)
  • Network Indicators: HTTP POST requests with encrypted data to command and control servers (often mimics legitimate traffic patterns)
  • Behavioral Indicators: Access to browser databases, wallet files, and credential stores (high volumes of file reads from application directories)

The tricky part? You’ll almost never notice this malware running on your system. Unlike ransomware that announces itself with a splash screen and a Bitcoin demand, Stealc_v2 is designed for absolute stealth. It runs processes that look legitimate, throttles its CPU usage to avoid performance hits, and does its dirty work when you’re least likely to notice. I’ve handled cases where systems were infected for months before the theft was discovered – usually only after credentials were used for fraud or account takeovers.
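To show how the file-system, registry, network and behavioral indicators listed above can be turned into concrete triage logic, here is an added Python example. It is written for this page and is not the article author’s tooling or any vendor’s product code. The event records, the process and host names, the default locations of the browser and wallet stores, the Sysmon-style field names and the threshold of five stores are all constructed assumptions; adjust them to your own telemetry before using the rules.

```python
import re
from collections import defaultdict

# Credential and wallet stores behind the "Behavioral Indicators" row.
# Locations are typical defaults (assumption); adjust for your environment.
SENSITIVE_STORE_RE = re.compile("|".join([
    r"\\User Data\\[^\\]+\\Login Data$",              # Chromium saved passwords
    r"\\User Data\\[^\\]+\\(?:Network\\)?Cookies$",   # Chromium cookies
    r"\\User Data\\[^\\]+\\Web Data$",                # Chromium autofill and cards
    r"\\Profiles\\[^\\]+\\cookies\.sqlite$",          # Firefox cookies
    r"\\Profiles\\[^\\]+\\key4\.db$",                 # Firefox key store
    r"\\wallet\.dat$",                                # desktop wallet file
]), re.IGNORECASE)

# Processes that legitimately own those stores; any other reader is suspect.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}

# "Temp directory executables with random names, often with .dat or .tmp extensions"
TEMP_EXEC_RE = re.compile(r"\\Temp\\[^\\]+\.(?:dat|tmp)$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)

# Run-key persistence ("Registry Modifications" row)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

READ_THRESHOLD = 5   # distinct stores one non-browser process must touch to alert (assumption)


def image_name(path):
    """Bare executable name, lower-cased, from a full image path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Apply the indicator rules to a list of event dicts.

    Returns a list of (rule, image, detail) tuples. Rules:
      temp_exec       - process started from a temp dir with a .dat/.tmp name
      run_key_temp    - Run key whose command points into a temp dir
      temp_net_post   - HTTP POST originating from a temp-dir process
      mass_store_read - non-browser process read >= READ_THRESHOLD credential/wallet stores
    """
    findings = []
    store_reads = defaultdict(set)
    for ev in events:
        etype, image = ev["EventType"], ev["Image"]
        if etype == "ProcessCreate" and TEMP_EXEC_RE.search(image):
            findings.append(("temp_exec", image, "executable with .dat/.tmp name in temp dir"))
        elif etype == "FileRead":
            target = ev.get("TargetFilename", "")
            if SENSITIVE_STORE_RE.search(target) and image_name(image) not in BROWSER_IMAGES:
                store_reads[image].add(target.lower())
        elif etype == "RegistrySet":
            if RUN_KEY_RE.search(ev.get("TargetObject", "")) and TEMP_DIR_RE.search(ev.get("Details", "")):
                findings.append(("run_key_temp", image, ev["TargetObject"]))
        elif etype == "NetworkConnect":
            if ev.get("Method") == "POST" and TEMP_DIR_RE.search(image):
                findings.append(("temp_net_post", image, ev.get("DestinationHost", "?")))
    # Volume rule is evaluated after the pass so reads can be counted per process.
    for image, stores in store_reads.items():
        if len(stores) >= READ_THRESHOLD:
            findings.append(("mass_store_read", image, f"{len(stores)} credential/wallet stores read"))
    return findings


# --- Constructed sample telemetry (not real IoCs) -------------------------------
TEMP_IMG = r"C:\Users\alice\AppData\Local\Temp\x7f3k2q.dat"
CHROME_IMG = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PROFILE = r"C:\Users\alice\AppData"


def _read(image, target):
    return {"EventType": "FileRead", "Image": image, "TargetFilename": target}


SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": TEMP_IMG},
    _read(TEMP_IMG, PROFILE + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    _read(TEMP_IMG, PROFILE + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    _read(TEMP_IMG, PROFILE + r"\Local\Google\Chrome\User Data\Default\Web Data"),
    _read(TEMP_IMG, PROFILE + r"\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\cookies.sqlite"),
    _read(TEMP_IMG, PROFILE + r"\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\key4.db"),
    _read(TEMP_IMG, PROFILE + r"\Roaming\Bitcoin\wallet.dat"),
    # Chrome reading its own store is benign and must not count.
    _read(CHROME_IMG, PROFILE + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    {"EventType": "RegistrySet", "Image": TEMP_IMG,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": TEMP_IMG},
    {"EventType": "NetworkConnect", "Image": TEMP_IMG, "Method": "POST",
     "DestinationHost": "c2.example.invalid"},
]

if __name__ == "__main__":
    for rule, image, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {image_name(image)}: {detail}")
```

The volume rule is what separates a stealer from a single legitimate reader: a backup agent may open one cookie database, but a process outside the browser allow-list touching Chromium, Firefox and wallet stores in one sitting matches the "high volumes of file reads from application directories" indicator far more specifically than any one path does. Keep the allow-list tight and pin it to full paths in production, since a stealer can name itself chrome.exe.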

Keeping It Out: Protection Strategies

So how do you defend against something designed to be invisible? In my incident response work, I’ve found that a multi-layered approach gives you the best chance:

Technical Safeguards

  • Keep Systems Updated: I can’t stress this enough – patch everything. I recently investigated a Stealc_v2 infection that could have been prevented entirely if the company had applied a 3-month-old security update.
  • Use Real-time Protection: You need security software that actively monitors for suspicious behavior, not just scans files. Tools like Trojan Killer are designed to detect the behavioral patterns of information stealers even when they use obfuscation.
  • Filter Your Email: Most Stealc_v2 infections I’ve seen started with phishing. Robust email filtering that scrutinizes attachments and links can stop these attacks at the perimeter.
  • Implement Application Whitelisting: If it’s not on the approved list, it doesn’t run. This approach would have stopped most of the Stealc_v2 cases I’ve investigated in the past month.
  • Add Browser Security Extensions: Since browsers are prime targets, protect them specifically. Extensions that block malicious sites and downloads add an extra safety net.
  • Enable Two-Factor Authentication: Even if credentials are stolen, 2FA can prevent account takeovers. I’ve seen cases where Stealc_v2 stole passwords but couldn’t bypass properly implemented 2FA.
  • Segment Your Networks: Don’t let everything connect to everything else. Network segmentation can contain breaches when they occur and limit lateral movement.

The Human Firewall: User Education

  • Recognize Phishing Attempts: Train your people to spot the red flags. In one recent case, an employee noticed a suspicious sender address that didn’t match the supposed company name, preventing a potential infection.
  • Download Smart: In my investigation work, I’ve found that about 60% of Stealc_v2 infections could be traced back to downloads from unofficial sources. Stick to official app stores and vendor websites.
  • Avoid Pirated Software: That “free” Photoshop isn’t really free when it comes with malware. One media company I worked with had six systems infected through a single pirated software installer.
  • Question Email Attachments: Before opening any attachment, ask: “Was I expecting this?” One recent attack was thwarted when an employee called a vendor to verify they hadn’t sent the supposed “invoice” attachment.
  • Back Up Regularly: While backups won’t prevent Stealc_v2, they can help you recover stolen data in some cases. One client had cloud backups of critical files that were targeted by the file grabber module.
  • Review App Permissions: Regularly audit which applications have access to your sensitive information. Do they really need that access? One company I worked with prevented credential theft by limiting which applications could access their password manager.

Stealc_v2 isn’t an isolated threat – it’s part of a growing ecosystem of information stealers that have been keeping my incident response team busy. Some related malware families we’ve encountered recently include:

The market for these tools is evolving faster than ever. Just last week, I spotted a forum post suggesting the next version of Stealc might include keylogging features similar to Exo Stealer. This marketplace of modular, rentable malware components means threats can evolve and combine rapidly. What worked to detect these threats last month might not work next month.

Based on code similarities I’ve observed, I wouldn’t be surprised if the Stealc developers are already working on version 3, likely with expanded targeting of financial applications and more sophisticated evasion tactics. The code quality in version 2 was noticeably better than version 1, suggesting a development team that’s learning and improving.

The Bottom Line

After spending weeks analyzing Stealc_v2 and helping organizations recover from infections, I can tell you this isn’t just another malware alert to ignore. This threat combines sophistication, stealth, and accessibility in ways that make it particularly dangerous. Its ability to steal from browsers, cryptocurrency wallets, and dozens of applications while preparing the ground for further attacks makes it a serious risk for both individuals and organizations.

What makes me lose sleep isn’t just the current capabilities – it’s how rapidly these threats are evolving. The barrier to entry for cybercrime keeps getting lower. Criminals don’t need to be programmers anymore; they just need a credit card to rent the tools. This democratization of cybercrime tools means we’re likely to see more attacks, not fewer, in the coming months.

If you suspect a Stealc_v2 infection, act immediately. Run a comprehensive security scan with tools designed to detect information stealers, like Trojan Killer. Then, change all your passwords from a different, clean device. Enable two-factor authentication wherever possible – I’ve seen this single step prevent account takeovers even after credentials were stolen.

In my fifteen years of malware analysis, the sophistication curve keeps steepening. Threats like Stealc_v2 remind us that cybersecurity isn’t a product you install once – it’s a continuous process of adaptation, awareness, and vigilance. The attackers are evolving their tools; we need to evolve our defenses just as quickly.

Brendan Smith

Brendan Smith writes for Trojan Killer Net. He’s been in the cybersecurity game for 15 years and really knows his stuff. He’s super into tech and keeping things safe online. He’s awesome at simplifying tech, so you can stay safe online without drowning in jargon.
