StealC Operators Exposed After Control Panel Hack

In an unusual twist, security researchers managed to turn the tables on cybercriminals behind StealC, a widely used information-stealing malware, by exploiting a flaw in the criminals’ own control panel.

Researchers at CyberArk discovered a cross-site scripting (XSS) vulnerability in StealC’s web-based control panel, a tool used by malware operators to manage campaigns and view stolen data. The flaw allowed researchers to spy on active malware operators, steal session cookies, and remotely hijack active panel sessions.

Popular Malware With A Critical Weakness

StealC is an infostealer malware that first appeared in early 2023 and is sold under a Malware-as-a-Service (MaaS) model on underground cybercrime forums. Customers pay to use it to steal passwords, browser cookies, and other sensitive information from infected computers.

In 2025, the malware’s developers released StealC version 2.0, which added features such as Telegram alerts and a flexible malware builder. Around the same time, the source code for StealC’s web control panel was leaked online, allowing security researchers to conduct a detailed review of how the operation worked behind the scenes.

While analysing the leaked code, CyberArk researchers found a simple but powerful XSS vulnerability in the StealC control panel. Despite running a business built around large-scale cookie theft, the StealC developers failed to protect the panel's own session cookies with basic measures such as the HttpOnly flag, which left those cookies readable by injected script and open to theft.
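The check a defender would run against a web application's own responses, as an added example (not CyberArk's or StealC's code): parse each Set-Cookie header and report session-like cookies that lack HttpOnly, Secure, or a restrictive SameSite attribute. The cookie names and header values below are constructed.

```python
"""Audit Set-Cookie headers for the attributes that limit session-cookie theft via XSS."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Substrings that mark a cookie as session/auth material (constructed heuristic)
SESSION_HINTS = ("sess", "sid", "auth", "token")


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]

    def missing(self) -> List[str]:
        gaps = []
        if not self.http_only:
            gaps.append("HttpOnly")  # without it, document.cookie exposes the value to injected script
        if not self.secure:
            gaps.append("Secure")  # without it, the cookie travels over plain HTTP
        if self.same_site is None or self.same_site.lower() == "none":
            gaps.append("SameSite=Lax/Strict")  # cross-site requests carry the cookie
        return gaps


def audit_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    http_only = secure = False
    same_site: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            http_only = True
        elif key == "secure":
            secure = True
        elif key == "samesite":
            same_site = val.strip()
    return CookieAudit(name, http_only, secure, same_site)


def audit_response(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return {cookie name: missing attributes} for session-like cookies in a response."""
    findings: Dict[str, List[str]] = {}
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            audit = audit_set_cookie(hvalue)
            if any(hint in audit.name.lower() for hint in SESSION_HINTS):
                findings[audit.name] = audit.missing()
    return findings


# Constructed sample responses: the weak form beside the hardened form
WEAK_HEADERS = [("Content-Type", "text/html"), ("Set-Cookie", "panel_session=abc123; Path=/")]
HARDENED_HEADERS = [("Set-Cookie", "panel_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax")]

if __name__ == "__main__":
    print(audit_response(WEAK_HEADERS))      # {'panel_session': ['HttpOnly', 'Secure', 'SameSite=Lax/Strict']}
    print(audit_response(HARDENED_HEADERS))  # {'panel_session': []}
```

HttpOnly keeps the cookie out of `document.cookie`, but script injected into the page can still issue requests that ride the victim's session, so the flag limits the damage of an XSS rather than replacing the fix for it.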

CyberArk chose not to disclose the technical details of the flaw, stating that withholding them would prevent StealC operators from quickly identifying and fixing the issue.

Tracking A Malware Operator

The research zeroed in on a StealC customer, dubbed “YouTubeTA” by researchers, who ran extensive malware campaigns throughout 2025.

According to panel data, this single operator collected more than 5,000 victim logs, stealing approximately 390,000 passwords and over 30 million browser cookies. While many of the cookies were non-sensitive, the scale of the operation was significant.

Screenshots captured by the malware revealed how victims were compromised. In many cases, users were searching YouTube for cracked versions of Adobe Photoshop and Adobe After Effects. The malicious links were often posted on older, legitimate-looking YouTube channels with thousands of subscribers, suggesting the attacker was spreading the malware through previously compromised accounts.

Unmasking The Attacker

By abusing the XSS flaw, researchers were able to collect detailed system fingerprints of the attacker behind YouTubeTA. The data indicated the operator was likely a single individual using an Apple device powered by an M3 processor, set to English and Russian languages, and operating in the Eastern European time zone.

While the attacker usually accessed the StealC panel through a VPN, they made a critical mistake on several occasions. In mid-July 2025, when they connected without VPN protection, their real IP address was exposed and traced to a Ukrainian internet service provider, TRK Cable TV.

A Warning For Cybercriminals

CyberArk says the findings highlight a major weakness in Malware-as-a-Service (MaaS) platforms. While these services allow cybercriminals to scale their operations quickly, they also introduce shared risks when infrastructure is poorly designed or rushed to market. This exposes not just malware developers, but also their customers.

“By posting the existence of the XSS we hope to cause at least some disruption in the use of the StealC malware, as operators re-evaluate using it. Since there are now relatively many operators, it seemed like a prime opportunity to potentially cause a fairly significant disruption in the MaaS market,” the researchers wrote in a blog post published on Thursday.

In the end, the StealC case serves as a reminder that even cybercriminals are vulnerable to basic security failures they exploit in others — and that sloppy code can turn attackers into targets themselves.

Kavita Iyer, https://www.techworm.net