- CyberArk exploited StealC’s control panel via source leak and XSS flaw
- Researchers exposed attacker “YouTubeTA,” who stole 390,000 passwords and 30M cookies
- Findings may disrupt StealC operations by attracting further scrutiny and attacks
Cybersecurity researchers have managed to break into the web-based control panel for the StealC infostealer and gain valuable information on how the malware operates, and who both the attackers and the victims are.
StealC is an immensely popular infostealer malware which first emerged a couple of years ago, and has since become one of the staples of the cybercriminal community.
It can collect and exfiltrate sensitive data such as web browser credentials, cookies, system information, messaging app and email data, as well as cryptocurrency wallet details, and it offers different features such as modular targeting, stealthy execution, and flexible command-and-control communications.
Doxxing victims
Security researchers from CyberArk found two ways to access the control panel; through a source code leak that happened around April 2025, and through a cross-site scripting (XSS) vulnerability they discovered.
“By exploiting the vulnerability, we were able to identify characteristics of the threat actor’s computers, including general location indicators and computer hardware details,” the researchers said. “Additionally, we were able to retrieve active session cookies, which allowed us to gain control of sessions from our own machines.”
The report details one threat actor, dubbed “YouTubeTA”, who used stolen credentials to log into legitimate YouTube channels and plant links for the malware. The campaign brought YouTubeTA more than 5,000 victim logs, 390,000 passwords, and 30 million cookies.
CyberArk discovered that the attacker used an Apple M3-based device, with English and Russian language settings. The time zone was set to Eastern Europe, and on at least one occasion, they logged in from Ukraine. Usually, cybercriminals would only log in through a VPN to cover their tracks, but this threat actor forgot to do that once, revealing their IP address, which is linked to the Ukrainian ISP TRK Cable TV.
By releasing this news, CyberArk hopes StealC will also be targeted by other players, both benign and malicious, thus disrupting the entire operation.
Via BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
Source: TechRadar
