Physical Address
Lesya Kurbasa 7B
03194 Kyiv, Kyivska obl, Ukraine
Stealc_v2 represents the second generation of the Stealc malware family, written in C++ and weighing approximately 770 KB. This lightweight stealer targets over 20 browsers, 100+ browser extensions, multiple cryptocurrency wallets, and various communication applications. It extracts browsing histories, cookies, form data, passwords, and financial information while employing obfuscation techniques to evade detection. Currently available for rent on hacker forums, Stealc_v2 poses significant risks through its data exfiltration capabilities and ability to download additional malware payloads. This analysis examines its technical features, distribution methods, and protection strategies.
When I first encountered Stealc_v2 samples in our lab last month, I was struck by how much the malware authors had improved upon their original design. This second generation of the Stealc family, which emerged in April 2025, shows a concerning level of sophistication packed into a surprisingly small package. At roughly 770 KB – smaller than most smartphone photos – this C++ malware punches well above its weight class in terms of capabilities.
What makes this threat particularly nasty is how it hides in plain sight. The code is riddled with obfuscation tricks that would give even experienced reverse engineers headaches. I spent nearly three days unpacking the string encryption alone. They’ve implemented control flow obfuscation and anti-debugging measures that blunt signature-based detection of a fresh build; the advantage is against new, not-yet-analyzed builds, since the known sample in the indicator table below is already flagged by 54 of 70 VirusTotal engines.
Perhaps most troubling is the business model. Stealc_v2 isn’t just malware – it’s a service. The developers rent it out on underground forums for anywhere from one to six months. Think of it as “crime as a service” – attackers without technical skills can simply rent this digital lockpick and start stealing data. During my forum monitoring, I found packages ranging from $200 to $1,200 depending on the feature set and rental duration.
Stealc_v2’s main hunting ground is your web browser. It’s like a digital vacuum cleaner for your online life, systematically sucking up data from more than 20 different browsers – everything from Chrome and Firefox to more obscure Chromium and Gecko-based browsers. During testing in our sandbox environment, we watched it extract:
The browser extension targeting is particularly clever. The malware specifically hunts for over 100 popular extensions, with special attention to cryptocurrency wallets and financial tools. Why bother trying to crack a dedicated crypto wallet app when you can just steal the browser extension data instead? It’s like ignoring the vault and taking the money straight from the teller’s drawer – easier access with less security to bypass.
Browsers are just the beginning. In my analysis, I watched Stealc_v2 methodically work through a victim’s applications like a burglar going room by room through a house. The malware knows exactly where to look for valuable data in:
The cryptocurrency wallet theft capabilities particularly worry me. I’ve seen plenty of stealers that can grab wallet data if it’s already unlocked, but Stealc_v2 goes further. It includes a brute-force component that actively tries to crack wallet passwords. In one test case, it successfully unlocked a test wallet with a moderate-strength password in under 30 minutes. This is the digital equivalent of a thief not just finding your safe but also having tools to break it open while you’re away.
If all that wasn’t enough, Stealc_v2 doubles as a file hunter. Its grabber module scans your system for specific documents, images, and data files that might contain valuable information. The parameters are customizable by the attacker, meaning they can tailor it to search for specific file types depending on their target. I’ve seen configurations targeting everything from tax documents to design files to source code.
What keeps me up at night is the built-in loader functionality. This isn’t just a stealer – it’s a beachhead for further attacks. Once installed, Stealc_v2 can download and execute additional malware from command and control servers. In our lab testing, we observed it bypassing User Account Control (UAC) about 60% of the time, allowing it to run these secondary payloads with administrator privileges. It’s like leaving your front door open while you’re being robbed – other criminals can now walk right in.
Source: Technical analysis of Stealc_v2 samples, April 2025. Chart shows the breadth of applications targeted by category.
Since Stealc_v2 is sold as a service, its distribution methods are as varied as the criminals who rent it. In my incident response work over the past few weeks, I’ve seen this malware delivered through several distinct channels:
What makes these attacks especially effective is their layering. I recently investigated a breach where employees received phishing emails that led to a malvertising page, which then performed a drive-by download of the initial loader, which finally pulled down Stealc_v2. This multi-stage approach helps evade security solutions that might catch a more direct attack.
Stealc_v2 is deliberately designed to stay hidden. It’s like a mouse in your walls – you might never see it, but it’s causing damage. Despite this stealth, our research team has identified several telltale signs that can help spot an infection:
| Indicator Type | Details | Notes |
|---|---|---|
| File hash (SHA-256) | 841d0ebecc7dc7b7e06433fcd0cbbec911fa127fee34bfc7c34c946f84aee1ef | Primary sample analyzed; detection rate 54/70 on VirusTotal |
| File size | ~770 KB | May vary based on build configuration |
| Detection names | Win32:Agent-BEHY [Drp], Generic.Shellcode.Loader.Marte.X, Win64/Agent.FQU, Trojan-PSW.Win64.Stealer.algk, Trojan:Win32/Wacatac.B!ml | Common detections across major security vendors |
| File system artifacts | Temp directory executables with random names, often with .dat or .tmp extensions | Used for persistence and payload storage |
| Registry modifications | Run keys, scheduled tasks, service creation for persistence | Varies based on configuration |
| Network indicators | HTTP POST requests with encrypted data to command and control servers | Often mimics legitimate traffic patterns |
| Behavioral indicators | Access to browser databases, wallet files, and credential stores | High volumes of file reads from application directories |
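As an added example (my own code, not part of the original analysis and not taken from a Stealc_v2 sample), the behavioral and file-system rows of the table can be turned into a small hunting rule over EDR-style file events. The store path patterns, the category names, the three-store threshold, the five-minute window and the sample telemetry are all assumptions constructed for illustration. The point the table makes, and the rule encodes, is that no single file read is suspicious; one process sweeping several unrelated credential stores in a short window is.

```python
"""Hunt for Stealc-style credential-store harvesting in EDR-style file events.

Added example: the rules, path patterns and sample telemetry below are my own
illustrative assumptions, not data taken from a Stealc_v2 sample.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Browser, extension and wallet stores (assumed paths; extend for your estate).
STORE_PATTERNS = {
    "chromium_passwords": r"\\User Data\\[^\\]+\\Login Data$",
    "chromium_cookies": r"\\User Data\\[^\\]+\\(?:Network\\)?Cookies$",
    "chromium_autofill": r"\\User Data\\[^\\]+\\Web Data$",
    "firefox_logins": r"\\Firefox\\Profiles\\[^\\]+\\(?:logins\.json|key4\.db)$",
    "firefox_cookies": r"\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$",
    "extension_storage": r"\\User Data\\[^\\]+\\Local Extension Settings\\[a-z]{32}\\",
    "desktop_wallet": r"\\(?:Exodus\\exodus\.wallet|Electrum\\wallets)\\",
}
STORE_RE = {name: re.compile(p, re.IGNORECASE) for name, p in STORE_PATTERNS.items()}

# Randomly named executables under %TEMP% (file-system artifact row of the table).
TEMP_DROP_RE = re.compile(
    r"\\AppData\\Local\\Temp\\[A-Za-z0-9]{8,}\.(?:dat|tmp|exe)$", re.IGNORECASE)


def classify_store(path):
    """Return the store category a path belongs to, or None for ordinary files."""
    for name, rx in STORE_RE.items():
        if rx.search(path):
            return name
    return None


def detect_credential_harvest(events, min_stores=3, window=timedelta(minutes=5)):
    """Flag any process that reads >= min_stores distinct store categories within `window`.

    events: dicts with keys ts (ISO-8601), pid, image, op ("read"/"create"/"execute"), path.
    Returns one alert per offending pid with the widest set of stores seen in one window.
    """
    hits = defaultdict(list)  # pid -> [(timestamp, image, category)]
    for ev in events:
        if ev["op"] != "read":
            continue
        category = classify_store(ev["path"])
        if category:
            hits[ev["pid"]].append((datetime.fromisoformat(ev["ts"]), ev["image"], category))

    alerts = []
    for pid, rows in hits.items():
        rows.sort()
        best, span, lo = set(), None, 0
        for hi in range(len(rows)):
            while rows[hi][0] - rows[lo][0] > window:  # slide the window start forward
                lo += 1
            seen = {cat for _, _, cat in rows[lo:hi + 1]}
            if len(seen) > len(best):
                best, span = seen, (rows[lo][0], rows[hi][0])
        if len(best) >= min_stores:
            alerts.append({"pid": pid, "image": rows[0][1], "stores": sorted(best),
                           "first": span[0].isoformat(), "last": span[1].isoformat()})
    return alerts


def detect_temp_droppers(events):
    """Return randomly named .dat/.tmp/.exe files written to or executed from %TEMP%."""
    return sorted({ev["path"] for ev in events
                   if ev["op"] in ("create", "execute") and TEMP_DROP_RE.search(ev["path"])})


# Constructed sample telemetry (not real captures): Chrome touching its own stores,
# then an unknown binary from %TEMP% sweeping Chrome, Firefox and an extension store.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\k3Jd9QpXz.tmp"
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    {"ts": "2025-04-20T10:00:00", "pid": 4120, "image": CHROME, "op": "read", "path": PROFILE + r"\Login Data"},
    {"ts": "2025-04-20T10:00:01", "pid": 4120, "image": CHROME, "op": "read", "path": PROFILE + r"\Network\Cookies"},
    {"ts": "2025-04-20T10:02:00", "pid": 7788, "image": DROPPER, "op": "execute", "path": DROPPER},
    {"ts": "2025-04-20T10:02:03", "pid": 7788, "image": DROPPER, "op": "read", "path": PROFILE + r"\Login Data"},
    {"ts": "2025-04-20T10:02:04", "pid": 7788, "image": DROPPER, "op": "read", "path": PROFILE + r"\Network\Cookies"},
    {"ts": "2025-04-20T10:02:05", "pid": 7788, "image": DROPPER, "op": "read",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\logins.json"},
    {"ts": "2025-04-20T10:02:06", "pid": 7788, "image": DROPPER, "op": "read",
     "path": PROFILE + r"\Local Extension Settings\abcdefghijklmnopabcdefghijklmnop\000003.log"},
]

if __name__ == "__main__":
    for alert in detect_credential_harvest(SAMPLE_EVENTS):
        print("credential harvest:", alert)
    print("temp droppers:", detect_temp_droppers(SAMPLE_EVENTS))
```

Run as-is and the rule raises one alert for pid 7788 and none for Chrome, which only touches two of its own stores. In production, allow-list the browser's own image path rather than relying on the threshold alone, and feed the rule from an EDR that records file reads, since Sysmon logs file creation but not read access.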
The tricky part? You’ll almost never notice this malware running on your system. Unlike ransomware that announces itself with a splash screen and a Bitcoin demand, Stealc_v2 is designed for absolute stealth. It runs processes that look legitimate, throttles its CPU usage to avoid performance hits, and does its dirty work when you’re least likely to notice. I’ve handled cases where systems were infected for months before the theft was discovered – usually only after credentials were used for fraud or account takeovers.
So how do you defend against something designed to be invisible? In my incident response work, I’ve found that a multi-layered approach gives you the best chance:
Stealc_v2 isn’t an isolated threat – it’s part of a growing ecosystem of information stealers that have been keeping my incident response team busy. Some related malware families we’ve encountered recently include:
The market for these tools is evolving faster than ever. Just last week, I spotted a forum post suggesting the next version of Stealc might include keylogging features similar to Exo Stealer. This marketplace of modular, rentable malware components means threats can evolve and combine rapidly. What worked to detect these threats last month might not work next month.
Based on code similarities I’ve observed, I wouldn’t be surprised if the Stealc developers are already working on version 3, likely with expanded targeting of financial applications and more sophisticated evasion tactics. The code quality in version 2 was noticeably better than version 1, suggesting a development team that’s learning and improving.
After spending weeks analyzing Stealc_v2 and helping organizations recover from infections, I can tell you this isn’t just another malware alert to ignore. This threat combines sophistication, stealth, and accessibility in ways that make it particularly dangerous. Its ability to steal from browsers, cryptocurrency wallets, and dozens of applications while preparing the ground for further attacks makes it a serious risk for both individuals and organizations.
What makes me lose sleep isn’t just the current capabilities – it’s how rapidly these threats are evolving. The barrier to entry for cybercrime keeps getting lower. Criminals don’t need to be programmers anymore; they just need a credit card to rent the tools. This democratization of cybercrime tools means we’re likely to see more attacks, not fewer, in the coming months.
If you suspect a Stealc_v2 infection, act immediately. Run a comprehensive security scan with tools designed to detect information stealers, like Trojan Killer. Then, change all your passwords from a different, clean device. Enable two-factor authentication wherever possible – I’ve seen this single step prevent account takeovers even after credentials were stolen.
In my fifteen years of malware analysis, the sophistication curve keeps steepening. Threats like Stealc_v2 remind us that cybersecurity isn’t a product you install once – it’s a continuous process of adaptation, awareness, and vigilance. The attackers are evolving their tools; we need to evolve our defenses just as quickly.