Beware, new infostealing Stealc malware emerges

Martin Brinkmann
Feb 22, 2023

Steac is the name of a new malware that has emerged on the dark web in January 2023. First reported by SEKOIA (via Neowin), Steac is an information stealer that is not completely new, but based on other information stealers, including Vidar, Raccoon and Redline.

stealc malware fake downloads

In February 2023, SEKOIA found evidence that Stealc was used in attacks on the Internet. More than 40 Stealc Command and Control servers were identified by SEKOIA in February. On the malware side, several dozen Stealc malware samples were found that were distributed in the wild.

Company researchers traced back the first traces of Stealc back to a Dark Web forum post. On January 9, 2023, Stealc was advertised in dark web forums. A detailed description of the malware was provided by the user, which included a list of its capabilities, management and control options, and several technical information.

Steac malware functionality

The information stealer prioritizes certain kinds of data over others by default:

  • Popular cryptocurrency wallet web browser extensions, 75 plugins at the time of writing.
  • Popular web browsers, about 22 in total.
  • Desktop cryptocurrency wallets, 25 wallets at the time.
  • Information from email clients and messengers.

Threat actors may customize the data collection, which sets it apart from some of the other information stealers that are sold on the dark web. Stealc includes another component, a customizable file grabber, that is looking for files specified during configuration; this makes it a very powerful and unpredictable tool.

Another component of Stealc is the loader, which is commonly seen in Malware-as-a-Service operations.

On the administrative side, Stealc provides threat actors with a wide range of capabilities and controls. Administrators may use it to set up and customize the malware, download stolen data from the control server, and access data directly. Access options include parsing, displaying, filtering, sorting and analyzing the downloaded data.

SEKOIA notes that log handling is a major aspect of information stealers with Malware-as-a-Service components. Threat actors often attempt to sell log data on dark web marketplaces, which makes a download option essential for that task.

The user who advertised Stealc on the dark web expanded their advertising campaign to other channels, including Telegram groups and exploit hacking forums. They offered free malware demonstrations in order to gain community trust.

In addition to these marketing activities, they also published frequent changelogs to different forums and a dedicated Telegram group. These showcased improvements and new feature additions that were implemented during development. Since January 9, 2023, three major updates were released that introduced features such as random Command and Control URLs, browser history collections, or an logs archive. SEKOAI published a technical analysis of Stealc on its website.

Stealc is currently distributed through various channels. Attacks are ongoing, and a common form involves cracking videos on YouTube that prompt viewers to download a program to their systems. The program includes the Stealc malware, which attempts to infect the system on execution. Malware may also be distributed via Google ads, forum messages and other channels.

SEKOIA expects that Stealc will become widespread in the near time.

As far as protection is concerned, keeping security software up to date is important. Almost equally important is to avoid executing files downloaded from sites that do not have a good reputation. If that needs to be done, it is essential to run these programs either in a sandbox, e.g., Windows Sandbox, or a virtual environment, to protect data on the main system.

Beware, new infostealing Stealc malware emerges
Article Name
Beware, new infostealing Stealc malware emerges
Steac is the name of a new malware that has emerged on the dark web in January 2023 and is currently used in information stealing attacks.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. ShintoPlasm said on February 22, 2023 at 9:05 pm

    *Laughs in Linux*

    1. Rex said on February 24, 2023 at 3:10 am

      This is a PEBKAC problem, a dumbass using Linux is only slightly safer than one using Windows. As always, such attacks will only hit morons who download suspicious software or go looking for legit software from anywhere other than the official website.

    2. Anonymous said on February 22, 2023 at 10:24 pm

      Which distribution do you use? I’m leaving Windows 11 behind because it’s so bad.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.