[in Google Cloud] “software exploitation overtook credentials as the primary initial access vector for the first time.” and “Threat actors exploited third-party software-based entry (44.5%) more frequently than weak credentials.” [A.C. — some of you may say this is because AI is making more zero days, but a dozen more mundane answers may be correct instead]
THR H1 2026 image 1
“While threat actors continued to use brute-force attacks against weak credentials, the increase in RCE represents a pivot toward more automated exploitation of unpatched application-layer vulnerabilities.” [A.C. — to some extent “creds or vulns” debate is rather pointless as the real answer is “both”, and it varies by environment too, see below]
“Threat actors continued to transition from traditional phishing to voice-based social engineering (vishing), and credential harvesting from third-party SaaS tokens to facilitate large-scale, silent data exfiltration.” [A.C. — again, this means “AND” not “OR” because classic phishing still works well in many cases, but yes “credential harvesting from third-party SaaS” has become very fruitful too]
[overall] Still “Identity compromise underpinned 83% of compromises.[A.C. — so, yes, “creds” still beat “vulns” on many environments]
THR H1 2026 image 2
“High-volume data theft operations — executed through compromised but legitimate access channels — remained the primary goal for threat actors, with our metrics showing they targeted data in 73% of cloud-related incidents.” [A.C. — again, not new, but very useful data confirming the running trend. Beware!]
“The window between vulnerability disclosure and mass exploitation collapsed by an order of magnitude, from weeks to days.” [A.C. — again, some of you may see the invisible robot hand of an AI here, but, as usual, the reality is more complicated…]
“Trend analysis from 2008–2025 indicates cloud services will soon surpass email as the primary data exfiltration pathway.” [A.C. — $32B reasons to finally get serious about it across all clouds?]
“45% of intrusions resulted in data theft without immediate extortion attempts at the time of the engagement, and these were often characterized by prolonged dwell times and stealthy persistence.”
“The traditional incident response model is no longer viable when dealing with containerized workloads and serverless architectures where data can vanish in seconds.” [A.C. — a very useful reminder here! Cloud is cloudy! Don’t be that guy who thinks that cloud is a rented colo. Cloud is not JUST somebody else’s computer.]
“Threat actors used large language models (LLM) to automate credential harvesting and transition from a developer’s local environment to full cloud administration access.” [A.C. — this really should not be news for anybody in 2026, but if it is, HERE IS SOME NEWS: BAD GUYS USE AI!]
Thus “Prevent LLM exploitation as an extension of living-off-the-land (LOTL) by treating LLM activity with the same scrutiny as administrative command-line tools.” [A.C. — or, as I say, “with AI agents, every prompt injection is an RCE”]
This blog is perhaps a little bit more like an ad, so if you don’t want to check the ads, consider not reading it.
a very cyber image (Gemini)
But this year at RSA 2026, I’m speaking on three topics: securing AI, using AI for SOC, and sharing lessons about how Google applies AI and other technologies to D&R.
Here are these 3 fun things!
First, I’m doing a presentation on governing shadow AI agents. Believe it or not, this presentation was created mostly before OpenClaw became a thing (but updated for it!). So you may be surprised how well the content aged (think wine!) Attend this if you are struggling with shadow AI, specifically shadow agents at work.
It is not the APT! The new threat is the “shadow AI agents” employees already use for work, leaking data and making decisions. Banning them is a losing game. This session will offer a better way: turn this organic behavior into a catalyst for secure progress. Learn to discover, assess, and channel unsanctioned agents into a formal strategy that empowers a team rather than force it underground.
The second is probably the most detailed discussion about how we use AI for detection and response at Google. You probably read our blogs and listen to our talks (especially this), but this time we are revealing a lot more interesting details about the machinery and also how we arrived at the state we’re in. I promise you this will be fun! And detailed too.
Presenters will share the playbook for building and scaling AI agents in cybersecurity. Attendees will learn four core lessons: Building trust with the team, prioritizing real problems, measuring value, and establishing solid governance foundations for the agentic SOC.
Finally, the third isn’t a presentation but a discussion that would help you understand the real state of AI in security operations / SOC. This would not be about the slides, but about sharing lessons on what works and what doesn’t.
Attendees in this peer-led discussion will share stories from the AI-powered SOC trenches. Explore real adoption journeys from manual processes to autonomous agents. Share practical use cases on analyst retraining, workflow auditing, malware analysis, remediation automation, RAG pipelines and more. Trade notes on what’s working, what’s breaking, trust gaps, AI hallucinations, and career redesign.
All in all, join me for securing AI and Shadow Agents, learning from Google about detection and response, and comparing the state of practice of AI in the SOC.
Key findings
Proofpoint observed a new malware-as-a-service (MaaS) masquerading as a legitimate remote monitoring and management (RMM) tool. It calls itself TrustConnect.
The “business page” – clearly created by automated tooling of some kind– is actually the login for the MaaS. As of this writing, access was advertised at $300 per month.
Based on details of the malware creator, capabilities of the malware, and knowledge of the ecosystem, we assess with moderate confidence the threat actor behind TrustConnect was also a prominent user of Redline stealer.
Proofpoint, in collaboration with intelligence partners, disrupted some of the malware’s infrastructure, causing an impact to cybercrime activities. But the actor demonstrated resilience, with another fake RMM website identified shortly before publication that advertised malware called DocConnect.
Overview
RMM tools continue to be many attackers’ top choice for initial access. Such enterprise remote support software like SimpleHelp, SuperOps, Datto, N-able and others are frequently delivered via email campaigns by cybercrime actors or used as follow-on payloads once an actor achieves initial access. (As always, the legitimate RMM tools mentioned in this report are just that — legitimate. It’s the threat actors doing the abusing. We call out brand names strictly to explain what the actors misused, not because the vendors themselves had any hand in the activity.)
But at the end of January, Proofpoint observed a weird twist on the RMM landscape: a threat actor created a malware masquerading as an RMM called “TrustConnect Agent.”
Initially, TrustConnect appeared to be another legitimate RMM tool being abused. Given the sheer number of existing remote administration tools available for threat actors to choose from, and their prevalence in the threat landscape, it could have made sense. But upon investigation, Proofpoint researchers identified evidence that showed TrustConnect is actually new malware-as-a-service (MaaS) classified as a remote access trojan (RAT).
TrustConnect details
Malware portal
The malware domain, trustconnectsoftware[.]com, was created on 12 January 2026. This site purports to be an RMM tool called TrustConnectAgent. The malware creator uses the domain as the “business website” designed to convince the public (including certificate providers) that the software is a legitimate RMM app, providing fake details like customer statistics and software documentation. Proofpoint suspects the actor used an LLM to create the site.
This website is also the portal for criminals to sign up for the service and acts as the command and control (C2) for the malware. Cybercriminals are instructed to sign up for a "free trial", instructed on how to pay in cryptocurrency, and then verify payment in the TrustConnect portal.
Figure 1. TrustConnect “business website”.
The website is also the front they used to purchase a legitimate Extended Validation (EV) certificate in the name of "TrustConnect Software PTY LTD", supposedly based in Alexandra, South Africa. The certificate was valid from 27 January, and the actor used this EV certificate to sign the malware. Obtaining EV certificates costs thousands of dollars and requires additional levels of validation on behalf of the domain holder. Such certificates are supposed to demonstrate that the domain and related business is trustworthy. When used by threat actors, they can help criminals evade signature-based detections. Threat actors can pay malicious providers for EV certificates or attempt to create them on their own.
In collaboration with fellow researchers at The Cert Graveyard, Proofpoint was able to get the EV certificate revoked on 6 February 2026, removing the trick the actor was using to bypass security tools and adding friction to their operations. However, the revocation of the certificate was not backdated, so the old signed files remained valid. This aligns with the actor stopping new subscriptions, but current customers could still distribute the files via email campaigns.
Campaign details
Threat actors in the RMM ecosystem frequently rotate payloads, which allows a specific URL to lead to different malware or abused RMMs throughout a campaign. Though likely that some low volume testing was done in previous weeks based on similar file sizes and file naming, threat actors were confirmed distributing TrustConnect on 27 January, correlating with the date the seller began digitally code signing the software. Proofpoint has observed campaigns from multiple different threat actors distributing this malware.
For example, beginning on 26 January we observed a campaign purporting to be invitations for bids and to an event. Messages were sent from compromised senders and email body copy included both English and French.
Figure 2. Bid invite lure distributing TrustConnect RAT.
Figure 3. French language lure distributing TrustConnect RAT.
Messages contained URLs leading to an executable file "MsTeams.exe". The MsTeams file Proofpoint retrieved on 30 January 2026 was signed with the original filename “MsTeams.dll” with the EV certification dated 29 January and belonging to “TrustConnect Software PTY LTD.”, meaning that the threat actor either used an unsigned executable or some other payload early in the campaign The executable dropped a file called "TrustConnectAgent.exe" which communicated with the TrustConnect RAT C2 server, and likely led to the installation of additional payloads.
Figure 4. Payload EV cert timeline.
Threat actors distributing TrustConnect have used a variety of lure themes including taxes, document shares, meeting invitations, events, and government themes. The MaaS provides templates for many different kinds of brand abuse, which we will describe in the next section.
Interestingly, researchers also observed campaigns delivering multiple different RMMs alongside TrustConnect. One campaign observed over a four-day period leveraged a single sender, with lures containing overlapping payload URLs, to deliver multiple executables in late January 2026.
Figure 5. Due diligence themed lure delivering LogMeIn RMM.
Proofpoint observed the following variations of the campaign:
31 January and 01 February: messages contained URLs leading to an executable file which, if executed, installed ScreenConnect.
03 February: observed messages contained URLs leading to an executable file which, if executed, installs LogMeIn Resolve.
03 February: observed messages contained URLs leading to an executable file "reference_letter_sign.exe". This dropped a file called "TrustConnectAgent.exe" leading to the installation of TrustConnect RAT.
Additionally, Proofpoint has observed TrustConnect campaigns leading to the follow-on deployment of a legitimate remote access tool, typically ScreenConnect. Proofpoint observed TrustConnect deploying ScreenConnect from at least nine distinct on‑premises (self‑hosted) ScreenConnect servers over a 10‑day period. All were older versions signed with expired or revoked certificates, suggesting the instances were illegitimately purchased previously or possibly pirated. Proofpoint also observed deployment of Level RMM via an abused account as well as hands‑on-keyboard activity. This activity occurred within minutes of TrustConnect installation, reinforcing the assessment that it is used by multiple threat actors. (We reported it to Level, and the account was disabled by the vendor.)
The use of legitimate remote enterprise tooling both alongside and as a follow-on malware suggest this RAT is very much embedded with the overall ecosystem of threat actors abusing these tools, and the MaaS provider is likely selling to the same customers abusing real RMM payloads and infrastructure in campaigns.
Malware capabilities and C2 panel
The platform provides a web-based C2 dashboard, automated payload generation with digital signatures, and a subscription-based access model which costs $300 per month paid via cryptocurrency. The centralized C2 server, trustconnectsoftware[.]com, manages multiple customers.
Figure 6. TrustConnect public sign-in page with link to free sign up.
After registering for a free account, which requires that the user enter their email, "company name", and create a password, they are then prompted to verify their account with an one-time password (OTP) provided in an email that is sent via integration with Zoho transactional email service.
Figure 7. OTP code for account verification at sign-up.
Figure 8. OTP entry.
Once the email has been verified, the visitor is redirected to a subscription page, that despite previously stating that a free trial was available, claims that the account is blocked and that payment is needed to continue using the service.
Figure 9. TrustConnect subscription dashboard.
The subscription dashboard states that the subscription costs U.S. $300/month, and that the payments can be made in the cryptocurrencies Bitcoin or USDT. It provides wallet addresses to pay in either of these currencies. After manual payment, the customer needs to paste the transaction hash (publicly available on the blockchain) and click a button to verify the transaction. The verification is performed automatically by the server, by verifying in the blockchain that the transaction has occurred to the wallet, and that the transaction hasn’t been registered in the panel previously. This suggests that the seller has a database of payments and who paid when. This, in combination with the requirement of an email address, makes the payment not as anonymous as customers thought.
Even though the server-side blockchain verification checks that the transaction has happened, it doesn’t check if the transaction happened before the service opened for registration.
Figure 10. Infected devices page (with mock devices).
The Device page of the C2 dashboard lets the attacker see the devices that have the RAT installed. It’s possible to execute pre-defined commands or run custom commands directly on the device, transfer files to the device, view system information and connect to the device via a remote desktop function. It’s also possible to organize the devices into different custom groups. This page as well as others have a scrolling text that states “Note: Download the EXE, then upload to your own hosting/domain. Send your hosted link to targets for best results - avoids browser flagging.”
The C2 dashboard provides a real-time audit of connected devices, with a timeline feature that shows the relevant actions taken by the MaaS, such as registration, deployment of the RAT, commands executed and so on.
Figure 11. TrustConnect audit dashboard.
Notably, there doesn’t seem to be any functionality to disable or clear the audit log, making it hard for the attacker to erase evidence of malicious activity.
Figure 12. RDP dashboard view.
The remote desktop management function includes features for full mouse and keyboard control, surveillance on the compromised host, UAC bypass, ability to hide operator activity from the victim, screen recording, and the ability to switch between victim displays. The screen is streamed via unauthenticated WebSocket.
TrustConnect generates “branded” installers that bundle legitimate icons and metadata with payload delivery. The brands used are commonly observed across the ecrime threat landscape and are frequently seen used as lures in other cybercriminal RMM campaigns. Lures include:
Corporate: Zoom, Microsoft Teams, Adobe Reader, Google Meet.
Government and Business: "Proposal", "Special Events", "Social Security Administrative"
As well as a generic installer just branded as “TrustConnect” likely designed to masquerade as a real RMM.
Figure 13. Advertised "branded" installers.
Each one of the installers can be downloaded from the C2 via an URL without being signed in, allowing direct download of the malicious installers. The EXE files are named in line with the impersonated brand:
ZoomWorkspace.exe
AdobeReader.exe
MsTeams.exe
Proposal.exe
GoogleMeet.exe
Ssa.exe
SpecialEvents.exe
Installer.exe
The downloaded file is around 35 MB, containing metadata from the impersonated brand as well as pre-configured with the attackers install token so it will join the corresponding “organization” in the C2 panel. The internal name of the file matches the EXE but uses the file extension .dll. This is likely an artifact of the application being compiled as a .NET Core single-file executable, which inherits the name of the source DLL it was built from. Each EXE is signed, and since each installer type contains the specific metadata of the impersonated brand, each customer will at minimum have access to files with eight different hashes. In addition to this, it’s possible to generate a new install token in the panel, which would generate new hashes.
Example EXE download URL:
<hxxps://trustconnectsoftware[.]com/downloads/brands/[organization_name]/MsTeams.exe>
The page also has instructions on how to run a one-liner PowerShell script to run a remote intermediate script that will install the RAT (possibly to be used in ClickFix attacks), as well as system requirements and deployment instructions.
Figure 14. Quick deploy commands.
Figure 15. Deployment guide and system requirements.
Customers also have access to a settings page, where they can enable two-factor authentication and set up Telegram bots to receive notifications when devices connect or disconnect, which means that the MaaS owner has stored ample information about the customers, from email and organization name to cryptocurrency wallet and Telegram tokens.
In addition to the customer-accessible pages above, there is also a hidden “admin-approvals” page that the user will be redirected to if logged in as a “SuperAdmin.”
Figure 16. JavaScript redirect for hidden “admin-approvals” page for SuperAdmin.
This page is an internal admin dashboard intended to be accessed by the MaaS owner or support.
Figure 17. Admin Dashboard (with mock data).
In addition to managing customers, like adding days to the subscription or deleting them, the administrator can also list all online devices that the RAT is installed on, independent of which customer installed it. Notably, at this page the creator clearly labels these devices as “Victims”.
The platform links the operator's identity to the payload through a specific chain:
Operator Email: [Registered email in clear text] (Login credential)
Organization ID: [Internal UUID]
Organization Name: [organization name] (User-defined display name on sign up)
Download Path: .../brands/organization_name/... (Derived from Organization Name, used for EXE generation)
Installer Token: [token] (Unique key embedded in the EXE/Script to map victims back to the Org ID, can be expired and rotated by the customer in the panel)
Additional malware details
The malware communicates with the C2 on the same API as the web panel and doesn’t use any additional encryption other than standard SSL/TLS. Below are some examples of traffic:
POST /api/agents/register
Figure 18. TrustConnect check-in.
GET /api/agent-commands/
Figure 19. TrustConnect receiving PowerShell command to install ScreenConnect.
The following is a partial API endpoint map documenting methods and functions of the malware:
Category
Endpoint
Method
Function
Auth
/api/auth/login
POST
JWT Authentication
/api/auth/verify-login
POST
2FA Verification
C2
/api/devices
GET
List victims
/api/commands/run
POST
Execute shell command
/api/files/upload
POST
Upload file to victim
Viewer
/ws/viewer
WS
Remote Desktop Stream
/api/screen/start
POST
Initialize session
/api/recordings/chunk/{id}
POST
Upload screen recording
Malware
/api/agents/register
POST
Agent registration
/api/installer/script
GET
Get PowerShell loader
/api/agents/heartbeat
POST
Agent Heartbeat
/agent-update
GET
Agent Update
/api/files/browse/pull
GET
Agent file browse
/api/files/pull
GET
Agent file download
/api/agent-commands/
GET
Agent command retrieval
/ws/screen
GET
WebSocket Upgrade (RDP)
/api/agent-commands/result
POST
Agent command result
Admin
/api/admin/devices/online
GET
Super-Admin Global victim list
/api/admin/control-mode/check/{id}
GET
The malware C2 was hosted on 178[.]128[.]69[.]245. Proofpoint initiated coordinated remediation of the service, which concluded at ~00:00 UTC on 17 February 2026 and impacted the actor’s infrastructure. Supporting industry partners wish to stay anonymous.
Shortly before publication of this report, Proofpoint analysts identified a pivot to parallel infrastructure and testing of a new agent payload, called "DocConnect" or "SHIELD OS v1.0". Preliminary analysis reveals the new C2 panel is a React Single Page Application (SPA) backed by Supabase. Despite the architectural shift, the platform shares the distinct "vibe-coded" style observed in the TrustConnect website.
Initial analysis of the new agent shows the integration of SignalR instead of raw WebSockets, as well as giving users of the reworked MaaS the ability to include custom PDF lures in the installer itself. The new default name the installer is "DocConnect.Agent.exe".
Attribution
The malware panel includes a Telegram handle (@zacchyy09) for support and sales inquiries.
Figure 20. Support Telegram handle.
In addition, on 6 February 2026 (the same date the EV certificate was revoked), the open registration was closed and replaced with instructions to contact the same Telegram handle to get access to the MaaS:
Figure 21. Sign up instruction on February 6.
Notably, this handle was also mentioned as a VIP customer in Operation Magnus, a joint law enforcement effort led by the Dutch National Police to disrupt Redline and META information stealers in October 2024. It is possible a different threat actor is using the same handle. However, based on campaign artifacts, infrastructure, and malware delivery, Proofpoint assesses with moderate confidence, the TrustConnect actor was also likely a Redline customer.
Figure 22. Screenshot of some VIP users from Operation Magnus disruption video.
Conclusion
The emergence of TrustConnect MaaS demonstrates a few major themes:
Disruptions to MaaS operations like Redline, Lumma Stealer, and Rhadamanthys, have created new opportunities for malware creators to fill gaps in the cybercrime market. While these disruptions are effective and impose cost on adversaries, emerging malware shows threat actors will always be looking for new ways to compromise victims.
The RMM abuse ecosystem is thriving. Although TrustConnect only masqueraded as a legitimate RMM, the lures, attack chains, and follow-on payloads (which include RMMs) show overlap with techniques and delivery methods that are frequently observed in RMM campaigns and used by multiple threat actors.
Based on website artifacts and functionality, both TrustConnect and DocConnect websites and agents are likely coded with the assistance of AI Agents, but the new version is significantly more advanced. It shows how threat actors quickly can gain momentum by the help of AI, just like the rest of the society.
Proofpoint would like to thank our colleagues at ConnectWise ScreenConnect for collaborating on taking down abused instances.
Emerging Threats rules
2067351 - ET MALWARE TrustConnect RAT CnC Domain in DNS Lookup (trustconnectsoftware .com)
2067352 - ET MALWARE Observed TrustConnect RAT Domain (trustconnectsoftware .com in TLS SNI)
2067682 - ET MALWARE TrustConnect RAT CnC Activity (Files Browse)
2067683 - ET MALWARE TrustConnect RAT CnC Activity (GET Agent Commands)
2067684 - ET MALWARE TrustConnect RAT CnC Activity (POST Command Results)
2067685 - ET MALWARE TrustConnect RAT CnC Activity (Agent Heartbeat)
2067686 - ET MALWARE TrustConnect RAT CnC Activity (Heartbeat Response)
2067687 - ET MALWARE TrustConnect RAT CnC Activity (WebSocket Upgrade Request)
2067688 - ET MALWARE TrustConnect RAT CnC Activity (Agent Register)
2067689 - ET MALWARE TrustConnect RAT CnC Activity (Agent Update)
2067690 - ET MALWARE TrustConnect RAT CnC Activity (Files Pull)
2067801 - ET MALWARE TrustConnect RAT CnC Domain in DNS Lookup (networkservice .cyou)
2067802 - ET MALWARE Observed TrustConnect RAT Domain (networkservice .cyou in TLS SNI)
2067803 - ET MALWARE TrustConnect RAT CnC Activity (Agent Registration)
2067804 - ET MALWARE TrustConnect RAT CnC Activity (Failed Registration)
2067805 - ET MALWARE TrustConnect RAT CnC Activity (Files Pending)
2067806 - ET MALWARE TrustConnect RAT CnC Activity (GET Commands)
Example indicators of compromise
Indicator
Description
First Seen
trustconnectsoftware[.]com
C2 Domain
12 January 2026
178[.]128[.]69[.]245
C2 IP
12 January 2026
adobe[.]caladzy[.]com
Payload Staging Domain
31 January 2026
ametax[.]net
Payload Staging Domain
31 January 2026
worldwide-www19[.]pages[.]dev
Payload Staging Domain
31 January 2026
vurul[.]click
Payload Staging Domain
31 January 2026
cee6895f7df01da489c10bf5b83770ceede79ed4e1c8c4f8ea9787a4d035c79b
TrustConnectAgent.exe
SHA256
2 February 2026
statementstview[.]online
Payload Staging Domain
10 February 2026
elev8souvenirs[.]com
Payload Staging Domain
26 January
cf85a4816715b8fa6c1eb5b50d1c70cfef116522742f6f1c77cb8689166b9f40
MsTeams.exe
SHA256
26 January
162c0d3e671ddf4f7f3ae5681da5272111eab6588bc53843cc604fc386634594
DocConnect Testing Payload
17 February 2026
networkservice[.]cyou
DocConnect C2
17 February 2026
hxxps[://]memphiswawu[.]com/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest
ScreenConnect Payload URL
10 February 2026
hxxps[://]aerobickarlaurbanovas[.]top/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest=
ScreenConnect Payload URL
10 February 2026
hxxps[://]stewise[.]top/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest
ScreenConnect Payload URL
10 February 2026
hxxps[://]smallmartdirectintense[.]com/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest=
ScreenConnect Payload URL
10 February 2026
hxxp[://]192[.]159[.]99[.]83/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest
ScreenConnect Payload URL
10 February 2026
hxxp[://]192[.]227[.]211[.]41:8040/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest
ScreenConnect Payload URL
10 February 2026
Vrijwel alle in Europa verkrijgbare koptelefoons en in-earoortjes bevatten volgens onderzoekers schadelijke stoffen die via de huid het lichaam kunnen binnendringen. Deze stoffen kunnen kankerverwekkend zijn, of hormonale of neurologische problemen veroorzaken.
Tenga confirmed reports published by several outlets that the company notified customers of a data breach.
The Japanese manufacturer of adult products appears to have fallen victim to a phishing attack targeting one of its employees. Tenga reportedly wrote in the data breach notification:
“An unauthorized party gained access to the professional email account of one of our employees.”
This unauthorized access exposed the contents of said account’s inbox, potentially including customer names, email addresses, past correspondence, order details, and customer service inquiries.
In its official statement, Tenga said a “limited segment” of US customers who interacted with the company were impacted by the incident. Regarding the scope of the stolen data, it stated:
“The information involved was limited to customer email addresses and related correspondence history. No sensitive personal data, such as Social Security numbers, billing/credit card information, or TENGA/iroha Store passwords were jeopardized in this incident.”
From the wording of Tenga’s online statement, it seems the compromised account was used to send spam emails that included an attachment.
“Attachment Safety: We want to state clearly that there is no risk to your device or data if the suspicious attachment was not opened. The risk was limited to the potential execution of the attachment within the specific ‘spam’ window (February 12, 2026, between 12am and 1am PT).”
We reached out to Tenga about this “suspicious attachment” but have not heard back at the time of writing. We’ll keep you posted.
Tenga proactively contacted potentially affected customers. It advises them to change passwords and remain vigilant about any unusual activity. We would add that affected customers should be on the lookout for sextortion-themed phishing attempts.
What to do if your data was in a breach
If you think you have been affected by a data breach, here are steps you can take to protect yourself:
Check the company’s advice. Every breach is different, so check with the company to find out what’s happened and follow any specific advice it offers.
Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
Watch out for impersonators. The thieves may contact you posing as the breached platform. Check the official website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but it increases risk if a retailer suffers a breach.
Tenga confirmed reports published by several outlets that the company notified customers of a data breach.
The Japanese manufacturer of adult products appears to have fallen victim to a phishing attack targeting one of its employees. Tenga reportedly wrote in the data breach notification:
“An unauthorized party gained access to the professional email account of one of our employees.”
This unauthorized access exposed the contents of said account’s inbox, potentially including customer names, email addresses, past correspondence, order details, and customer service inquiries.
In its official statement, Tenga said a “limited segment” of US customers who interacted with the company were impacted by the incident. Regarding the scope of the stolen data, it stated:
“The information involved was limited to customer email addresses and related correspondence history. No sensitive personal data, such as Social Security numbers, billing/credit card information, or TENGA/iroha Store passwords were jeopardized in this incident.”
From the wording of Tenga’s online statement, it seems the compromised account was used to send spam emails that included an attachment.
“Attachment Safety: We want to state clearly that there is no risk to your device or data if the suspicious attachment was not opened. The risk was limited to the potential execution of the attachment within the specific ‘spam’ window (February 12, 2026, between 12am and 1am PT).”
We reached out to Tenga about this “suspicious attachment” but have not heard back at the time of writing. We’ll keep you posted.
Tenga proactively contacted potentially affected customers. It advises them to change passwords and remain vigilant about any unusual activity. We would add that affected customers should be on the lookout for sextortion-themed phishing attempts.
What to do if your data was in a breach
If you think you have been affected by a data breach, here are steps you can take to protect yourself:
Check the company’s advice. Every breach is different, so check with the company to find out what’s happened and follow any specific advice it offers.
Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
Watch out for impersonators. The thieves may contact you posing as the breached platform. Check the official website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but it increases risk if a retailer suffers a breach.
NZXT heeft een mini-ITX-behuizing uitgebracht die meshpanelen aan alle zijden heeft, inclusief de bovenkant. Dat moet de luchttoevoer vergroten. De 20,7L-kast wordt geleverd met twee fans.
The UK is bracketing "intimate images shared without a victim's consent" along with terror and child sexual abuse material, and demanding that online platforms remove them within two days.…
African authorities arrested 651 suspects and recovered over $4.3 million in a joint operation targeting investment fraud, mobile money scams, and fake loan applications. [...]
Tech bros have been wanting to become immortal for years. Until they get there, their fallback might be continuing to post nonsense on social media from the afterlife.
On December 30, 2025, Meta was granted US patent 12513102B2: Simulation of a user of a social networking system using a language model. It describes a system that trains an AI on a user’s posts, comments, chats, voice messages, and likes, then deploys a bot to respond to newsfeeds, DMs, and even simulated audio or video calls.
Filed in November 2023 by Meta CTO Andrew Bosworth, it sounds innocuous enough. Perhaps some people would use it to post their political hot takes while they’re asleep.
Dig deeper, though, and the patent veers from absurd to creepy. It’s designed to be used not just from beyond the pillow but beyond the grave.
From the patent:
“The language model may be used for simulating the user when the user is absent from the social networking system, for example, when the user takes a long break or if the user is deceased.”
A Meta spokesperson told Business Insider that the company has no plans to act on the patent. And tech companies have a habit of laying claim to bizarre ideas that never materialize. But Facebook’s user numbers have stalled, and it presumably needs all the engagement it can get. We already know that the company loves the idea of AI ‘users’, having reportedly piloted them in late 2024, much to human users’ annoyance.
If the company ever did decide to pull the trigger on this technology, it would be a departure from its own memorialization policy, which preserves accounts without changes. One reason the company might not be willing to step over the line is that the world simply isn’t ready for AI conversations with the dead. Other companies have considered and even tested similar systems. Microsoft patented a chatbot that would allow you to talk to AI versions of deceased individuals in 2020; its own AI general manager called it disturbing, and it never went into production. Amazon demonstrated Alexa mimicking a dead grandmother’s voice from under a minute of audio in 2022, framing it as preserving memories. That never launched either.
Some projects that did ship left people wishing they hadn’t. Startup 2Wai’s avatar app originally offered the chance to preserve loved ones as AI avatars. Users called it “nightmare fuel” and “demonic”. The company seems to have pivoted to safer ground like social avatars and personal AI coaches now.
The legal minefield
The other thing holding Meta back could be the legal questions. Unsurprisingly for such a new idea, there isn’t a uniform US framework on the use of AI to represent the dead. Several states recognize post-mortem right of publicity, although states like New York limit that to people whose voices and images have commercial value (typically meaning celebrities). California’s AB 1836 specifically targets AI-generated impersonations of the deceased, though.
Meta would also need to tiptoe carefully around the law in Europe. The company had to pause AI training on European users in 2024 under regulatory pressure, but then launched it anyway in March last year. Then it refused to sign the EU’s GPAI Code of Practice last July (the only major AI firm to do so). Meta’s relationship with EU regulators is strained at best.
Europe’s General Data Protection Regulation (GDPR) excludes deceased persons’ data, but Article 85 of the French Data Protection law lets anyone leave instructions about the retention, deletion and communication of their personal data after death. The EU AI Act’s Article 50 (fully applicable this August) will also require AI systems to disclose they are AI, with penalties up to €15 million or 3% of worldwide turnover for companies that don’t comply.
Hopefully Meta really will file this in the “just because we can do it doesn’t mean we should” drawer, and leave erstwhile social media sharers to rest in peace.
We don’t just report on threats – we help protect your social media
Tech bros have been wanting to become immortal for years. Until they get there, their fallback might be continuing to post nonsense on social media from the afterlife.
On December 30, 2025, Meta was granted US patent 12513102B2: Simulation of a user of a social networking system using a language model. It describes a system that trains an AI on a user’s posts, comments, chats, voice messages, and likes, then deploys a bot to respond to newsfeeds, DMs, and even simulated audio or video calls.
Filed in November 2023 by Meta CTO Andrew Bosworth, it sounds innocuous enough. Perhaps some people would use it to post their political hot takes while they’re asleep.
Dig deeper, though, and the patent veers from absurd to creepy. It’s designed to be used not just from beyond the pillow but beyond the grave.
From the patent:
“The language model may be used for simulating the user when the user is absent from the social networking system, for example, when the user takes a long break or if the user is deceased.”
A Meta spokesperson told Business Insider that the company has no plans to act on the patent. And tech companies have a habit of laying claim to bizarre ideas that never materialize. But Facebook’s user numbers have stalled, and it presumably needs all the engagement it can get. We already know that the company loves the idea of AI ‘users’, having reportedly piloted them in late 2024, much to human users’ annoyance.
If the company ever did decide to pull the trigger on this technology, it would be a departure from its own memorialization policy, which preserves accounts without changes. One reason the company might not be willing to step over the line is that the world simply isn’t ready for AI conversations with the dead. Other companies have considered and even tested similar systems. Microsoft patented a chatbot that would allow you to talk to AI versions of deceased individuals in 2020; its own AI general manager called it disturbing, and it never went into production. Amazon demonstrated Alexa mimicking a dead grandmother’s voice from under a minute of audio in 2022, framing it as preserving memories. That never launched either.
Some projects that did ship left people wishing they hadn’t. Startup 2Wai’s avatar app originally offered the chance to preserve loved ones as AI avatars. Users called it “nightmare fuel” and “demonic”. The company seems to have pivoted to safer ground like social avatars and personal AI coaches now.
The legal minefield
The other thing holding Meta back could be the legal questions. Unsurprisingly for such a new idea, there isn’t a uniform US framework on the use of AI to represent the dead. Several states recognize post-mortem right of publicity, although states like New York limit that to people whose voices and images have commercial value (typically meaning celebrities). California’s AB 1836 specifically targets AI-generated impersonations of the deceased, though.
Meta would also need to tiptoe carefully around the law in Europe. The company had to pause AI training on European users in 2024 under regulatory pressure, but then launched it anyway in March last year. Then it refused to sign the EU’s GPAI Code of Practice last July (the only major AI firm to do so). Meta’s relationship with EU regulators is strained at best.
Europe’s General Data Protection Regulation (GDPR) excludes deceased persons’ data, but Article 85 of the French Data Protection law lets anyone leave instructions about the retention, deletion and communication of their personal data after death. The EU AI Act’s Article 50 (fully applicable this August) will also require AI systems to disclose they are AI, with penalties up to €15 million or 3% of worldwide turnover for companies that don’t comply.
Hopefully Meta really will file this in the “just because we can do it doesn’t mean we should” drawer, and leave erstwhile social media sharers to rest in peace.
We don’t just report on threats – we help protect your social media
Bork!Bork!Bork! Today's bork is entirely human-generated and will send a shiver down the spine of security pros. No matter how secure a system is, a user's ability to undo an administrator's best efforts should not be underestimated.…
In October 2025, we discovered a series of forum posts advertising a previously unknown stealer, dubbed “Arkanix Stealer” by its authors. It operated under a MaaS (malware-as-a-service) model, providing users not only with the implant but also with access to a control panel featuring configurable payloads and statistics. The set of implants included a publicly available browser post-exploitation tool known as ChromElevator, which was delivered by a native C++ version of the stealer. This version featured a wide range of capabilities, from collecting system information to stealing cryptocurrency wallet data. Alongside that, we have also discovered Python implementation of the stealer capable of dynamically modifying its configuration. The Python version was often packed, thus giving the adversary multiple methods for distributing their malware. It is also worth noting that Arkanix was rather a one-shot malicious campaign: at the time of writing this article, the affiliate program appears to be already taken down.
Kaspersky products detect this threat as Trojan-PSW.Win64.Coins.*, HEUR:Trojan-PSW.Multi.Disco.gen, Trojan.Python.Agent.*.
Technical details
Background
In October 2025, a series of posts was discovered on various dark web forums, advertising a stealer referred to by its author as “Arkanix Stealer”. These posts detail the features of the stealer and include a link to a Discord server, which serves as the primary communication channel between the author and the users of the stealer.
Example of an Arkanix Stealer advertisement
Upon further research utilizing public resources, we identified a set of implants associated with this stealer.
Initial infection or spreading
The initial infection vector remains unknown. However, based on some of the file names (such as steam_account_checker_pro_v1.py, discord_nitro_checker.py, and TikTokAccountBotter.exe) of the loader scripts we obtained, it can be concluded with high confidence that the initial infection vector involved phishing.
Python loader
MD5
208fa7e01f72a50334f3d7607f6b82bf
File name
discord_nitro_code_validator_right_aligned.py
The Python loader is the script responsible for downloading and executing the Python-based version of the Arkanix infostealer. We have observed both plaintext Python scripts and those bundled using PyInstaller or Nuitka, all of which share a common execution vector and are slightly obfuscated. These scripts often serve as decoys, initially appearing to contain legitimate code. Some of them do have useful functionality, and others do nothing apart from loading the stealer. Additionally, we have encountered samples that employ no obfuscation at all, in which the infostealer is launched in a separate thread via Python’s built-in threading module.
Variants of Python loaders executing the next stage
Upon execution, the loader first installs the required packages — namely, requests, pycryptodome, and psutil — via the pip package manager, utilizing the subprocess module. On Microsoft Windows systems, the loader also installs pywin32. In some of the analyzed samples, this process is carried out twice. Since the loader does not perform any output validation of the module installation command, it proceeds to make a POST request to hxxps://arkanix[.]pw/api/session/create to register the current compromised machine on the panel with a predefined set of parameters even if the installation failed. After that, the stealer makes a GET request to hxxps://arkanix[.]pw/stealer.py and executes the downloaded payload.
Python stealer version
MD5
af8fd03c1ec81811acf16d4182f3b5e1
File name
–
During our research, we obtained a sample of the Python implementation of the Arkanix stealer, which was downloaded from the endpoint hxxps://arkanix[.]pw/stealer.py by the previous stage.
The stealer’s capabilities — or features, as referred to by the author — in this version are configurable, with the default configuration predefined within the script file. To dynamically update the feature list, the stealer makes a GET request to hxxps://arkanix[.]pw/api/features/{payload_id}, indicating that these capabilities can be modified on the panel side. The feature list is identical to the one that was described in the GDATA report.
Configurable options
Prior to executing the information retrieval-related functions, the stealer makes a request to hxxps://arkanix[.]pw/upload_dropper.py, saves the response to %TEMP%\upd_{random 8-byte name}.py, and executes it. We do not have access to the contents of this script, which is referred to as the “dropper” by the attackers.
During its main information retrieval routine, at the end of each processing stage, the collected information is serialized into JSON format and saved to a predefined path, such as %LOCALAPPDATA\Arkanix_lol\%info_class%.json.
In the following, we will provide a more detailed description of the Python version’s data collection features.
System info collection
Arkanix Stealer is capable of collecting a set of info about the compromised system. This info includes:
OS version
CPU and GPU info
RAM size
Screen resolution
Keyboard layout
Time zone
Installed software
Antivirus software
VPN
Information collection is performed using standard shell commands with the exception of the VPN check. The latter is implemented by querying the endpoint hxxps://ipapi[.]co/json/ and verifying whether the associated IP address belongs to a known set of VPNs, proxies, or Tor exit nodes.
Browser features
This stealer is capable of extracting various types of data from supported browsers (22 in total, ranging from the widely popular Google Chrome to the Tor Browser). The list of supported browsers is hardcoded, and unlike other parameters, it cannot be modified during execution. In addition to a separate Chrome grabber module (which we’ll discuss later), the stealer itself supports the extraction of diverse information, such as:
Browser history (URLs, visit count and last visit)
Autofill information (email, phone, addresses and payment cards details)
Saved passwords
Cookies
In case of Chromium-based browsers, 0Auth2 data is also extracted
All information is decrypted using either the Windows DPAPI or AES, where applicable, and searched for relevant keywords. In the case of browser information collection, the stealer searches exclusively for keywords related to banking (e.g., “revolut”, “stripe”, “bank”) and cryptocurrencies (e.g., “binance”, “metamask”, “wallet”). In addition to this, the stealer is capable of extracting extension data from a hardcoded list of extensions associated with cryptocurrencies.
Part of the extension list which the stealer utilizes to extract data from
Telegram info collection
Telegram data collection begins with terminating the Telegram.exe process using the taskkill command. Subsequently, if the telegram_optimized feature is set to False, the malware zips the entire tdata directory (typically located at %APPDATA%\Roaming\Telegram Desktop\tdata) and transmits it to the attacker. Otherwise, it selectively copies and zips only the subdirectories containing valuable info, such as message log. The generated archive is sent to the endpoint /delivery with the filename tdata_session.zip.
Discord capabilities
The stealer includes two features connected with Discord: credentials stealing and self-spreading. The first one can be utilized to acquire credentials both from the standard client and custom clients. If the client is Chromium-based, the stealer employs the same data exfiltration mechanism as during browser credentials stealing.
The self-spreading feature is configurable (meaning it can be disabled in the config). The stealer acquires the list of user’s friends and channels via the Discord API and sends a message provided by the attacker. This stealer does not support attaching files to such messages.
VPN data collection
The VPN collector is searching for a set of known VPN software to extract account credentials from the credentials file with a known path that gets parsed with a regular expression. The extraction occurs from the following set of applications:
Mullvad VPN
NordVPN
ExpressVPN
ProtonVPN
File retrieval
File retrieval is performed regardless of the configuration. The script relies on a predefined set of paths associated with the current user (such as Desktop, Download, etc.) and file extensions mainly connected with documents and media. The script also has a predefined list of filenames to exfiltrate. The extracted files are packed into a ZIP archive which is later sent to the C2 asynchronously. An interesting aspect is that the filename list includes several French words, such as “motdepasse” (French for “password”), “banque” (French for “bank”), “secret” (French for “secret”), and “compte” (French for “account”).
Other payloads
We were able to identify additional modules that are downloaded from the C2 rather than embedded into the stealer script; however, we weren’t able to obtain them. These modules can be described by the following table, with the “Details” column referring to the information that could be extracted from the main stealer code.
Module name
Endpoint to download
Details
Chrome grabber
/api/chrome-grabber-template/{payload_id}
–
Wallet patcher
/api/wallet-patcher/{payload_id}
Checks whether “Exodus” and “Atomic” cryptocurrency wallets are installed
Extra collector
/api/extra-collector/{payload_id}
Uses a set of options from the config, such as collect_filezilla, collect_vpn_data, collect_steam, and collect_screenshots
HVNC
/hvnc
Is saved to the Startup directory (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\hvnc.py) to execute upon system boot
The Wallet patcher and Extra collector scripts are received in an encrypted form from the C2 server. To decrypt them, the attackers utilize the AES-GCM algorithm in conjunction with PBKDF2 (HMAC and SHA256). After decryption, the additional payload has its template placeholders replaced and is stored under a partially randomized name within a temporary folder.
Decryption routine and template substitution
Once all operations are completed, the stealer removes itself from the drive, along with the artifacts folder (Arkanix_lol in this case).
Native version of stealer
MD5
a3fc46332dcd0a95e336f6927bae8bb7
File name
ArkanixStealer.exe
During our analysis, we were able to obtain both the release and debug versions of the native implementation, as both were uploaded to publicly available resources. The following are the key differences between the two:
The release version employs VMProtect, but does not utilize code virtualization.
The debug version communicates with a Discord bot for command and control (C2), whereas the release version uses the previously mentioned C2 domain arkanix[.]pw.
The debug version includes extensive logging, presumably for the authors’ debugging purposes.
Notably, the native implementation explicitly references the name of the stealer in the VersionInfo resources. This naming convention is consistent across both the debug version and certain samples containing the release version of the implant.
Version info
After launching, the stealer implements a series of analysis countermeasures to verify that the application is not being executed within a sandboxed environment or run under a debugger. Following these checks, the sample patches AmsiScanBuffer and EtwEventWrite to prevent the triggering of any unwanted events by the system.
Once the preliminary checks are completed, the sample proceeds to gather information about the system. The list of capabilities is hardcoded and cannot be modified from the server side, in contrast to the Python version. What is more, the feature list is quite similar to the Python version except a few ones.
RDP connections
The stealer is capable of collecting information about known RDP connections that the compromised user has. To achieve this, it searches for .rdp files in %USERPROFILE%\Documents and extracts the full server address, password, username and server port.
Gaming files
The stealer also targets gamers and is capable to steal credentials from the popular gaming platform clients, including:
Steam
Epic Games Launcher
net
Riot
Origin
Unreal Engine
Ubisoft Connect
GOG
Screenshots
The native version, unlike its Python counterpart, is capable of capturing screenshots for each monitor via capCreateCaptureWindowA WinAPI.
In conclusion, this sample communicates with the C2 server through the same endpoints as the Python version. However, in this instance, all data is encrypted using the same AES-GCM + PBKDF2 (HMAC and SHA256) scheme as partially employed in the Python variant. In some observed samples, the key used was arkanix_secret_key_v20_2024. Alongside that, the C++ sample explicitly sets the User-Agent to ArkanixStealer/1.0.
Post-exploitation browser data extractor
MD5
3283f8c54a3ddf0bc0d4111cc1f950c0
File name
–
This is an implant embedded within the resources of the C++ implementation. The author incorporated it into the resource section without applying any obfuscation or encryption. Subsequently, the stealer extracts the payload to a temporary folder with a randomly generated name composed of hexadecimal digits (0-9 and A-F) and executes it using the CreateProcess WinAPI. The payload itself is the unaltered publicly available project known as “ChromElevator”. To summarize, this tool consists of two components: an injector and the main payload. The injector initializes a direct syscall engine, spawns a suspended target browser process, and injects the decrypted code into it via Nt syscalls. The injected payload then decrypts the browser master key and exfiltrates data such as cookies, login information, web data, and so on.
Infrastructure
During the Arkanix campaign, two domains used in the attacks were identified. Although these domains were routed through Cloudflare, a real IP address was successfully discovered for one of them, namely, arkanix[.]pw. For the second one we only obtained a Cloudflare IP address.
Domain
IP
First seen
ASN
arkanix[.]pw
195.246.231[.]60
Oct 09, 2025
–
arkanix[.]ru
172.67.186[.]193
Oct 19, 2025
–
Both servers were also utilized to host the stealer panel, which allows attackers to monitor their victims. The contents of the panel are secured behind a sign-in page. Closer to the end of our research, the panel was seemingly taken down with no message or notice.
Stealer panel sign-in page
Stealer promotion
During the research of this campaign, we noticed that the forum posts advertising the stealer contained a link leading to a Discord server dubbed “Arkanix” by the authors. The server posed as a forum where authors posted various content and clients could ask various questions regarding this malicious software. While users mainly thank and ask about when the feature promised by the authors will be released and added into the stealer, the content made by the authors is broader. The adversary builds up the communication with potential buyers using the same marketing and communication methods real companies employ. To begin with, they warm up the audience by posting surveys about whether they should implement specific features, such as Discord injection and binding with a legitimate application (sic!).
Feature votes
Additionally, the author promised to release a crypter as a side project in four to six weeks, at the end of October. As of now, the stealer seems to have been taken down without any notice while the crypter was never released.
Arkanix Crypter
Furthermore, the Arkanix Stealer authors decided to implement a referral program to attract new customers. Referrers were promised an additional free hour to their premium license, while invited customers received seven days of free “premium” trial use. As stated in forum posts, the premium plan included the following features:
C++ native stealer
Exodus and Atomic cryptocurrency wallets injection
Increased payload generation, up to 10 payloads
Priority support
Referral program ad and corresponding panel interface
Speaking of technical details, based on the screenshot of the Visual Studio stealer project that was sent to the Discord server, we can conclude that the author is German-speaking.
This same screenshot also serves as a probable indicator of AI-assisted development as it shares the common patterns of such assistants, e.g. the presence of the utils.cpp file. What provides even more confidence is the overall code structure, the presence of comments and extensive debugging log output.
Example of LLM-specific patterns
Conclusions
Information stealers have always posed as a serious threat to users’ data. Arkanix is no exception as it targets a wide range of users, from those interested in cryptocurrencies and gaming to those using online banking. It collects a vast amount of information including highly sensitive personal data. While being quite functional, it contains probable traces of LLM-assisted development which suggests that such assistance might have drastically reduced development time and costs. Hence it follows that this campaign tends to be more of a one-shot campaign for quick financial gains rather than a long-running infection. The panel and the Discord chat were taken down around December 2025, leaving no message or traces of further development or a resurgence.
In addition, the developers behind the Arkanix Stealer decided to address the public, implementing a forum where they posted development insights, conducted surveys and even ran a referral program where you could get bonuses for “bringing a friend”. This behavior makes Arkanix more of a public software product than a shady stealer.
In October 2025, we discovered a series of forum posts advertising a previously unknown stealer, dubbed “Arkanix Stealer” by its authors. It operated under a MaaS (malware-as-a-service) model, providing users not only with the implant but also with access to a control panel featuring configurable payloads and statistics. The set of implants included a publicly available browser post-exploitation tool known as ChromElevator, which was delivered by a native C++ version of the stealer. This version featured a wide range of capabilities, from collecting system information to stealing cryptocurrency wallet data. Alongside that, we have also discovered Python implementation of the stealer capable of dynamically modifying its configuration. The Python version was often packed, thus giving the adversary multiple methods for distributing their malware. It is also worth noting that Arkanix was rather a one-shot malicious campaign: at the time of writing this article, the affiliate program appears to be already taken down.
Kaspersky products detect this threat as Trojan-PSW.Win64.Coins.*, HEUR:Trojan-PSW.Multi.Disco.gen, Trojan.Python.Agent.*.
Technical details
Background
In October 2025, a series of posts was discovered on various dark web forums, advertising a stealer referred to by its author as “Arkanix Stealer”. These posts detail the features of the stealer and include a link to a Discord server, which serves as the primary communication channel between the author and the users of the stealer.
Example of an Arkanix Stealer advertisement
Upon further research utilizing public resources, we identified a set of implants associated with this stealer.
Initial infection or spreading
The initial infection vector remains unknown. However, based on some of the file names (such as steam_account_checker_pro_v1.py, discord_nitro_checker.py, and TikTokAccountBotter.exe) of the loader scripts we obtained, it can be concluded with high confidence that the initial infection vector involved phishing.
Python loader
MD5
208fa7e01f72a50334f3d7607f6b82bf
File name
discord_nitro_code_validator_right_aligned.py
The Python loader is the script responsible for downloading and executing the Python-based version of the Arkanix infostealer. We have observed both plaintext Python scripts and those bundled using PyInstaller or Nuitka, all of which share a common execution vector and are slightly obfuscated. These scripts often serve as decoys, initially appearing to contain legitimate code. Some of them do have useful functionality, and others do nothing apart from loading the stealer. Additionally, we have encountered samples that employ no obfuscation at all, in which the infostealer is launched in a separate thread via Python’s built-in threading module.
Variants of Python loaders executing the next stage
Upon execution, the loader first installs the required packages — namely, requests, pycryptodome, and psutil — via the pip package manager, utilizing the subprocess module. On Microsoft Windows systems, the loader also installs pywin32. In some of the analyzed samples, this process is carried out twice. Since the loader does not perform any output validation of the module installation command, it proceeds to make a POST request to hxxps://arkanix[.]pw/api/session/create to register the current compromised machine on the panel with a predefined set of parameters even if the installation failed. After that, the stealer makes a GET request to hxxps://arkanix[.]pw/stealer.py and executes the downloaded payload.
Python stealer version
MD5
af8fd03c1ec81811acf16d4182f3b5e1
File name
–
During our research, we obtained a sample of the Python implementation of the Arkanix stealer, which was downloaded from the endpoint hxxps://arkanix[.]pw/stealer.py by the previous stage.
The stealer’s capabilities — or features, as referred to by the author — in this version are configurable, with the default configuration predefined within the script file. To dynamically update the feature list, the stealer makes a GET request to hxxps://arkanix[.]pw/api/features/{payload_id}, indicating that these capabilities can be modified on the panel side. The feature list is identical to the one that was described in the GDATA report.
Configurable options
Prior to executing the information retrieval-related functions, the stealer makes a request to hxxps://arkanix[.]pw/upload_dropper.py, saves the response to %TEMP%\upd_{random 8-byte name}.py, and executes it. We do not have access to the contents of this script, which is referred to as the “dropper” by the attackers.
During its main information retrieval routine, at the end of each processing stage, the collected information is serialized into JSON format and saved to a predefined path, such as %LOCALAPPDATA\Arkanix_lol\%info_class%.json.
In the following, we will provide a more detailed description of the Python version’s data collection features.
System info collection
Arkanix Stealer is capable of collecting a set of info about the compromised system. This info includes:
OS version
CPU and GPU info
RAM size
Screen resolution
Keyboard layout
Time zone
Installed software
Antivirus software
VPN
Information collection is performed using standard shell commands with the exception of the VPN check. The latter is implemented by querying the endpoint hxxps://ipapi[.]co/json/ and verifying whether the associated IP address belongs to a known set of VPNs, proxies, or Tor exit nodes.
Browser features
This stealer is capable of extracting various types of data from supported browsers (22 in total, ranging from the widely popular Google Chrome to the Tor Browser). The list of supported browsers is hardcoded, and unlike other parameters, it cannot be modified during execution. In addition to a separate Chrome grabber module (which we’ll discuss later), the stealer itself supports the extraction of diverse information, such as:
Browser history (URLs, visit count and last visit)
Autofill information (email, phone, addresses and payment cards details)
Saved passwords
Cookies
In case of Chromium-based browsers, 0Auth2 data is also extracted
All information is decrypted using either the Windows DPAPI or AES, where applicable, and searched for relevant keywords. In the case of browser information collection, the stealer searches exclusively for keywords related to banking (e.g., “revolut”, “stripe”, “bank”) and cryptocurrencies (e.g., “binance”, “metamask”, “wallet”). In addition to this, the stealer is capable of extracting extension data from a hardcoded list of extensions associated with cryptocurrencies.
Part of the extension list which the stealer utilizes to extract data from
Telegram info collection
Telegram data collection begins with terminating the Telegram.exe process using the taskkill command. Subsequently, if the telegram_optimized feature is set to False, the malware zips the entire tdata directory (typically located at %APPDATA%\Roaming\Telegram Desktop\tdata) and transmits it to the attacker. Otherwise, it selectively copies and zips only the subdirectories containing valuable info, such as message log. The generated archive is sent to the endpoint /delivery with the filename tdata_session.zip.
Discord capabilities
The stealer includes two features connected with Discord: credentials stealing and self-spreading. The first one can be utilized to acquire credentials both from the standard client and custom clients. If the client is Chromium-based, the stealer employs the same data exfiltration mechanism as during browser credentials stealing.
The self-spreading feature is configurable (meaning it can be disabled in the config). The stealer acquires the list of user’s friends and channels via the Discord API and sends a message provided by the attacker. This stealer does not support attaching files to such messages.
VPN data collection
The VPN collector is searching for a set of known VPN software to extract account credentials from the credentials file with a known path that gets parsed with a regular expression. The extraction occurs from the following set of applications:
Mullvad VPN
NordVPN
ExpressVPN
ProtonVPN
File retrieval
File retrieval is performed regardless of the configuration. The script relies on a predefined set of paths associated with the current user (such as Desktop, Download, etc.) and file extensions mainly connected with documents and media. The script also has a predefined list of filenames to exfiltrate. The extracted files are packed into a ZIP archive which is later sent to the C2 asynchronously. An interesting aspect is that the filename list includes several French words, such as “motdepasse” (French for “password”), “banque” (French for “bank”), “secret” (French for “secret”), and “compte” (French for “account”).
Other payloads
We were able to identify additional modules that are downloaded from the C2 rather than embedded into the stealer script; however, we weren’t able to obtain them. These modules can be described by the following table, with the “Details” column referring to the information that could be extracted from the main stealer code.
Module name
Endpoint to download
Details
Chrome grabber
/api/chrome-grabber-template/{payload_id}
–
Wallet patcher
/api/wallet-patcher/{payload_id}
Checks whether “Exodus” and “Atomic” cryptocurrency wallets are installed
Extra collector
/api/extra-collector/{payload_id}
Uses a set of options from the config, such as collect_filezilla, collect_vpn_data, collect_steam, and collect_screenshots
HVNC
/hvnc
Is saved to the Startup directory (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\hvnc.py) to execute upon system boot
The Wallet patcher and Extra collector scripts are received in an encrypted form from the C2 server. To decrypt them, the attackers utilize the AES-GCM algorithm in conjunction with PBKDF2 (HMAC and SHA256). After decryption, the additional payload has its template placeholders replaced and is stored under a partially randomized name within a temporary folder.
Decryption routine and template substitution
Once all operations are completed, the stealer removes itself from the drive, along with the artifacts folder (Arkanix_lol in this case).
Native version of stealer
MD5
a3fc46332dcd0a95e336f6927bae8bb7
File name
ArkanixStealer.exe
During our analysis, we were able to obtain both the release and debug versions of the native implementation, as both were uploaded to publicly available resources. The following are the key differences between the two:
The release version employs VMProtect, but does not utilize code virtualization.
The debug version communicates with a Discord bot for command and control (C2), whereas the release version uses the previously mentioned C2 domain arkanix[.]pw.
The debug version includes extensive logging, presumably for the authors’ debugging purposes.
Notably, the native implementation explicitly references the name of the stealer in the VersionInfo resources. This naming convention is consistent across both the debug version and certain samples containing the release version of the implant.
Version info
After launching, the stealer implements a series of analysis countermeasures to verify that the application is not being executed within a sandboxed environment or run under a debugger. Following these checks, the sample patches AmsiScanBuffer and EtwEventWrite to prevent the triggering of any unwanted events by the system.
Once the preliminary checks are completed, the sample proceeds to gather information about the system. The list of capabilities is hardcoded and cannot be modified from the server side, in contrast to the Python version. What is more, the feature list is quite similar to the Python version except a few ones.
RDP connections
The stealer is capable of collecting information about known RDP connections that the compromised user has. To achieve this, it searches for .rdp files in %USERPROFILE%\Documents and extracts the full server address, password, username and server port.
Gaming files
The stealer also targets gamers and is capable to steal credentials from the popular gaming platform clients, including:
Steam
Epic Games Launcher
net
Riot
Origin
Unreal Engine
Ubisoft Connect
GOG
Screenshots
The native version, unlike its Python counterpart, is capable of capturing screenshots for each monitor via capCreateCaptureWindowA WinAPI.
In conclusion, this sample communicates with the C2 server through the same endpoints as the Python version. However, in this instance, all data is encrypted using the same AES-GCM + PBKDF2 (HMAC and SHA256) scheme as partially employed in the Python variant. In some observed samples, the key used was arkanix_secret_key_v20_2024. Alongside that, the C++ sample explicitly sets the User-Agent to ArkanixStealer/1.0.
Post-exploitation browser data extractor
MD5
3283f8c54a3ddf0bc0d4111cc1f950c0
File name
–
This is an implant embedded within the resources of the C++ implementation. The author incorporated it into the resource section without applying any obfuscation or encryption. Subsequently, the stealer extracts the payload to a temporary folder with a randomly generated name composed of hexadecimal digits (0-9 and A-F) and executes it using the CreateProcess WinAPI. The payload itself is the unaltered publicly available project known as “ChromElevator”. To summarize, this tool consists of two components: an injector and the main payload. The injector initializes a direct syscall engine, spawns a suspended target browser process, and injects the decrypted code into it via Nt syscalls. The injected payload then decrypts the browser master key and exfiltrates data such as cookies, login information, web data, and so on.
Infrastructure
During the Arkanix campaign, two domains used in the attacks were identified. Although these domains were routed through Cloudflare, a real IP address was successfully discovered for one of them, namely, arkanix[.]pw. For the second one we only obtained a Cloudflare IP address.
Domain
IP
First seen
ASN
arkanix[.]pw
195.246.231[.]60
Oct 09, 2025
–
arkanix[.]ru
172.67.186[.]193
Oct 19, 2025
–
Both servers were also utilized to host the stealer panel, which allows attackers to monitor their victims. The contents of the panel are secured behind a sign-in page. Closer to the end of our research, the panel was seemingly taken down with no message or notice.
Stealer panel sign-in page
Stealer promotion
During the research of this campaign, we noticed that the forum posts advertising the stealer contained a link leading to a Discord server dubbed “Arkanix” by the authors. The server posed as a forum where authors posted various content and clients could ask various questions regarding this malicious software. While users mainly thank and ask about when the feature promised by the authors will be released and added into the stealer, the content made by the authors is broader. The adversary builds up the communication with potential buyers using the same marketing and communication methods real companies employ. To begin with, they warm up the audience by posting surveys about whether they should implement specific features, such as Discord injection and binding with a legitimate application (sic!).
Feature votes
Additionally, the author promised to release a crypter as a side project in four to six weeks, at the end of October. As of now, the stealer seems to have been taken down without any notice while the crypter was never released.
Arkanix Crypter
Furthermore, the Arkanix Stealer authors decided to implement a referral program to attract new customers. Referrers were promised an additional free hour to their premium license, while invited customers received seven days of free “premium” trial use. As stated in forum posts, the premium plan included the following features:
C++ native stealer
Exodus and Atomic cryptocurrency wallets injection
Increased payload generation, up to 10 payloads
Priority support
Referral program ad and corresponding panel interface
Speaking of technical details, based on the screenshot of the Visual Studio stealer project that was sent to the Discord server, we can conclude that the author is German-speaking.
This same screenshot also serves as a probable indicator of AI-assisted development as it shares the common patterns of such assistants, e.g. the presence of the utils.cpp file. What provides even more confidence is the overall code structure, the presence of comments and extensive debugging log output.
Example of LLM-specific patterns
Conclusions
Information stealers have always posed as a serious threat to users’ data. Arkanix is no exception as it targets a wide range of users, from those interested in cryptocurrencies and gaming to those using online banking. It collects a vast amount of information including highly sensitive personal data. While being quite functional, it contains probable traces of LLM-assisted development which suggests that such assistance might have drastically reduced development time and costs. Hence it follows that this campaign tends to be more of a one-shot campaign for quick financial gains rather than a long-running infection. The panel and the Discord chat were taken down around December 2025, leaving no message or traces of further development or a resurgence.
In addition, the developers behind the Arkanix Stealer decided to address the public, implementing a forum where they posted development insights, conducted surveys and even ran a referral program where you could get bonuses for “bringing a friend”. This behavior makes Arkanix more of a public software product than a shady stealer.
Cybersecurity researchers have disclosed details of a new Android trojan called Massiv that's designed to facilitate device takeover (DTO) attacks for financial theft.
The malware, according to ThreatFabric, masquerades as seemingly harmless IPTV apps to deceive victims, indicating that the activity is primarily singling out users looking for the online TV applications.
"This new threat, while
Login
