Arkanix Stealer is an actively developed credential‑theft malware family distributed via Discord and forums. It exists in both a Python edition and a paid C++ “Premium” edition and uses VMProtect obfuscation, AMSI/ETW bypasses, anti‑VM/debugging checks, ChromElevator process hollowing to defeat App‑Bound Encryption, and HTTP POST exfiltration to arkanix[.]pw. The operators host a gated control panel, and infrastructure mistakes expose the origin IPs used for C2 and hosting. #ArkanixStealer #ChromElevator
Keypoints
- Arkanix is marketed and distributed on Discord and forums in Python and a Premium C++ variant offering expanded theft capabilities (VPN, Steam, screenshots, Wi‑Fi) and paid support.
- Payloads are obfuscated with VMProtect and employ AMSI and ETW memory patching along with extensive anti‑analysis and anti‑VM checks to hinder detection and sandboxing.
- The stealer targets Chromium‑based browsers (using ChromElevator to bypass App‑Bound Encryption), numerous browser extensions (cryptocurrency wallets, password managers, 2FA), gaming clients, Discord variants, RDP files, and Wi‑Fi profiles to harvest credentials and session tokens.
- Collected data and artifacts (screenshots, system metadata, credentials, RDP details) are compressed into an archive and exfiltrated via an authenticated HTTP POST to https://arkanix[.]pw/api/upload/direct.
- Infrastructure analysis shows the public domain arkanix[.]pw is fronted by Cloudflare while origin servers (notably 195.246.231[.]60) hosted on AS44925 run the control panel on port 5000, exposing follow‑up C2 hunting opportunities.
- Arkanix uses ChromElevator to reflectively hollow suspended browser processes to decrypt ABE‑protected browser data and includes fallback COM/Elevation Service attempts which were ineffective during testing.
- Extensive logging and debug artifacts are dropped to %temp% (e.g., cl_*.exe, stealer_debug.txt, arkanix_data.zip) that assist in both operation and forensic detection.
MITRE Techniques
- [T1562.001] Impair Defenses: Disable or Modify Tools – AMSI bypass by memory‑patching AmsiScanBuffer to immediately return 0x80070057 (‘The malware first loads amsi.dll and resolves the address of the AmsiScanBuffer function… It then writes two values…the final byte sequence becomes: B8 57 00 07 80 C3’), forcing the function to return an error and skip scanning.
- [T1562.002] Impair Defenses: Disable Windows Event Logging – ETW bypass by overwriting the first byte of EtwEventWrite with a RET (0xC3) to prevent event logging (‘it changes the protection of the function to PAGE_EXECUTE_READWRITE and places 0xC3 (RET) at the very first byte of the function’).
- [T1055.012] Process Injection: Process Hollowing – ChromElevator reflectively hollows a suspended browser process and runs a fileless payload inside the legitimate browser process to decrypt App‑Bound Encryption protected data (‘ChromElevator…by reflectively hollowing a suspended browser process and running a fileless payload inside’).
- [T1027] Obfuscated Files or Information – Use of VMProtect to obfuscate payloads and hinder analysis (‘Arkanix Stealer’s payloads are obfuscated using VMProtect’).
- [T1555] Credentials from Password Stores – Theft of browser passwords, password managers, and 2FA extension data by extracting and decrypting stored credentials and extension data (‘The stealer targets various browser‑based cryptocurrency wallets, password managers, and two‑factor authentication extensions’).
- [T1539] Steal Web Session Cookie (Steal Web Session Tokens) – Extraction and decryption of Discord tokens from LevelDB files and querying the Discord API to retrieve user information (‘It scans .ldb and .log (LevelDB database files) for the standard Discord token and 2FA-enabled token, decrypts the token and queries the Discord API endpoint /api/v9/users/@me’).
- [T1016] System Network Configuration Discovery – Enumeration of Wi‑Fi interfaces and saved profiles and extraction of SSIDs and security parameters (‘use Windows WLAN APIs to enumerate all wireless interfaces, list every saved WiFi profile, and retrieve each profile’s XML configuration’).
- [T1082] System Information Discovery – Collection of detailed host metadata including CPU, GPU, RAM, OS version, timezone, HWID, and AV status (‘The malware gathers detailed system metadata, including CPU, GPU, RAM, operating system version, timezone, hardware identifiers, etc.’).
- [T1113] Screen Capture – Full‑screen screenshots captured using capCreateCaptureWindowA API (‘Arkanix uses capCreateCaptureWindowA API to capture a screenshot and save it in screenshots folder.’).
- [T1071.001] Application Layer Protocol: Web Protocols – Exfiltration of the collected archive via HTTP POST to the C2 endpoint, using custom headers for authentication, including an X-Signature header computed with HMAC‑SHA256 (‘it exfiltrates the file via an HTTP POST request to: https://arkanix[.]pw/api/upload/direct’).
- [T1567.002] Exfiltration Over Web Service: Exfiltration over HTTP(S) – Bundling C:\ArkanixData into arkanix_data.zip and uploading it to the web API endpoint as an authenticated HTTP upload (‘the stealer bundles all collected information by compressing the entire C:\ArkanixData folder into %temp%\arkanix_data.zip… exfiltrates the file via an HTTP POST request to: https://arkanix[.]pw/api/upload/direct’).
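The two defence‑evasion techniques above leave a recognisable footprint in memory: AmsiScanBuffer starting with B8 57 00 07 80 C3 (mov eax, 0x80070057; ret) and EtwEventWrite starting with C3. As an added example, not code from the Dexpose report, the following Python integrity check compares the leading bytes of those exports against the patterns the report quotes. `classify_prologue` and `read_live_prologue` are constructed helper names; the live read uses ctypes on Windows and is one assumed way a defender could sample the bytes. The "clean" prologues used for comparison are constructed samples, not real Windows bytes.

```python
import ctypes
import sys
from typing import Optional

# Patch patterns taken from the report's description of the bypasses.
# AmsiScanBuffer forced to "mov eax, 0x80070057; ret":
AMSI_PATCH = bytes.fromhex("B857000780C3")
# EtwEventWrite's first byte replaced with RET:
ETW_PATCH = bytes.fromhex("C3")

# Exports a defender would integrity-check: (dll, export, known patch bytes).
WATCHLIST = [
    ("amsi.dll", "AmsiScanBuffer", AMSI_PATCH),
    ("ntdll.dll", "EtwEventWrite", ETW_PATCH),
]


def classify_prologue(export: str, prologue: bytes) -> Optional[str]:
    """Return a finding if the leading bytes of `export` match a known patch.

    `prologue` is the first few bytes read from the function in memory.
    Returns None when no watched pattern matches.
    """
    for _dll, name, patch in WATCHLIST:
        if name == export and prologue.startswith(patch):
            seen = prologue[: len(patch)].hex().upper()
            return f"{name} patched: leading bytes {seen}"
    # A bare RET at offset 0 of any watched export is suspicious even if the
    # exact report pattern differs; flag it as a generic finding.
    if prologue[:1] == b"\xC3" and export in {n for _, n, _ in WATCHLIST}:
        return f"{export} begins with RET (0xC3)"
    return None


def read_live_prologue(dll: str, export: str, length: int = 8) -> bytes:
    """Windows-only (assumption): read the first `length` bytes of an export
    as mapped in the current process, so a scanner can pass them to
    classify_prologue()."""
    if sys.platform != "win32":
        raise OSError("live memory inspection requires Windows")
    module = ctypes.WinDLL(dll)
    func = getattr(module, export)
    addr = ctypes.cast(func, ctypes.c_void_p).value
    return ctypes.string_at(addr, length)


def scan_current_process() -> list:
    """Walk the watchlist in this process and collect findings (Windows only)."""
    findings = []
    for dll, export, _patch in WATCHLIST:
        finding = classify_prologue(export, read_live_prologue(dll, export))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # Constructed sample: the AMSI patch the report describes, then an
    # unpatched (constructed, not real) prologue for comparison.
    print(classify_prologue("AmsiScanBuffer", bytes.fromhex("B857000780C3CCCC")))
    print(classify_prologue("AmsiScanBuffer", bytes.fromhex("4C8BDC49895B08")))
    if sys.platform == "win32":
        print(scan_current_process())
```

Run from a process you control on Windows to verify that neither export has been tampered with; on other platforms the pattern classifier can still be exercised on captured memory bytes.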
Indicators of Compromise
- [File Hash] Malware and utility hashes – Arkanix Stealer: 6960d27fea1f5b28565cd240977b531cc8a195188fc81fa24c924da4f59a1389, ChromElevator: 99b8d3e04f6b16f3b79391360602ca28651c78a0db2f3868fec11eca71727a3d
- [Domain] C2 and panel – arkanix[.]pw (panel/login and API upload at https://arkanix[.]pw/api/upload/direct)
- [IP Address] Origin and secondary infrastructure – Origin/server IP: 195.246.231[.]60 (hosts the control panel on port 5000), Secondary IP: 93.95.226[.]152
- [Dropped File Paths] Temp artifacts dropped by the stealer – %temp%\cl_frAQBc8W.exe, %temp%\arkanix_data.zip (also stealer_debug.txt, stealer_log.txt, upload_debug.txt, signature_debug.txt, stealer_final.txt)
- [URLs/Endpoints] Exfiltration endpoint – https://arkanix[.]pw/api/upload/direct (used for HTTP POST uploads with custom headers and an HMAC‑SHA256 signature)
Read more: https://www.dexpose.io/deep-dive-into-arkanix-stealer-and-its-infrastructure/