Arkanix Stealer, an information-stealing operation promoted on dark web forums in late 2025, offered modular Python and premium C++ builds with VMProtect and extensive data-theft capabilities across browsers, wallets, messengers, and gaming platforms. Kaspersky researchers found indicators of LLM-assisted development and a short-lived Discord community and referral program, and published IoCs; the operator abruptly took down the project two months after launch.
Key points
- Arkanix was promoted in October 2025 with a Python-based basic tier and a native C++ premium tier protected by VMProtect.
- The stealer can exfiltrate browser history, autofill data, cookies, passwords, OAuth2 tokens, and crypto wallet data from 22 browsers.
- Additional modules and the premium variant add RDP theft, anti-sandbox/anti-debug checks, HVNC, and targets for gaming platforms like Epic Games and Battle.net.
- Kaspersky found coding traces consistent with LLM-assisted development, suggesting faster, lower-cost malware creation.
- The developer ran a Discord server and referral program but abruptly removed the control panel and server two months in, hindering detection and tracking.