‘Arkanix Stealer’ Malware Disappears Shortly After Debut

Arkanix Stealer was a short-lived infostealer offered as malware-as-a-service (MaaS) that appeared in October 2025 and ceased operations around December 2025 after its control panel and Discord channel were taken down. It stole wide-ranging data, including system details, browser and messaging credentials, VPN client data, and cryptocurrency wallet information. It also included tools such as ChromElevator for post-exploitation and could spread via Discord.

Key points

  • Arkanix operated as a one-shot MaaS campaign advertised in underground forums between October and December 2025.
  • The stealer was implemented in both C++ and Python, with Python builds often bundled via PyInstaller or Nuitka and able to fetch dynamic configurations.
  • It harvested extensive data from 22 browsers, Telegram and Discord, system and application details, and credentials from VPN clients like Mullvad, NordVPN, ExpressVPN, and ProtonVPN.
  • The native C++ variant used VMProtect and anti-analysis measures, included ChromElevator for browser post-exploitation and wallet theft, and targeted gaming clients and RDP details.
  • Operators provided a control panel, referral program, and modular updates from C&C servers, and the malware could exfiltrate user files, fetch additional modules, and self-spread via the Discord API.

Read More: https://www.securityweek.com/arkanix-stealer-malware-disappears-shortly-after-debut/