Arkanix Stealer is a rapidly advancing commodity infostealer circulating through Discord channels and underground forums, disguised as legitimate software to trick users into executing it. It targets a wide range of Chromium-based browsers and cryptocurrency wallet extensions, and also harvests wallet data from standalone clients such as Electrum and Ethereum applications. The campaign evolved quickly from an initial Python-based variant to a more advanced C++ Premium edition within approximately one month. The C++ version deploys the Chrome Elevator post-exploitation tool, which injects code directly into Chrome processes to bypass the App-Bound Encryption introduced in Chrome 127, giving it direct access to cookies and stored credentials. The web panel manages customer accounts, coordinates configuration updates, and stores stolen data from browsers including Chrome, Edge, Opera, Vivaldi, Tor, and Yandex. Overall, Arkanix Stealer is a fast-evolving commodity infostealer with global targeting, focused on cryptocurrency theft and credential harvesting.
Arkanix Stealer is a commodity infostealer built for rapid monetization through Discord channels and underground forums. The malware is packaged as a legitimate software tool to prompt users into executing the malicious payload. Its operators released an initial Python-based variant, then replaced it within approximately one month with a more advanced C++ build that significantly expanded its capabilities. This rapid turnover shows the threat actors' commitment to improving the infostealer's effectiveness and evasion in response to security defenses.
The Python variant relies on Nuitka to produce standalone executables. Once launched, the binary unpacks its embedded Python environment, executes the malicious payload directly from memory, and pulls further malicious code from the command-and-control infrastructure. This memory-resident execution establishes the baseline workflow used across later Arkanix Stealer versions, prioritizing stealth and evasion over anything traditional file-based detection would catch. The Python-based variant already demonstrated the core credential-theft capabilities that later versions expanded.
The Arkanix Stealer C++ edition appears as the Premium option on the malware-as-a-service web panel. This advanced Arkanix malware version expands the feature set with specialized modules for stealing VPN accounts and Steam gaming credentials. The C++ Arkanix Stealer also deploys a sophisticated post-exploitation tool called Chrome Elevator, which injects malicious code directly into the Chrome browser process to bypass App-Bound Encryption added in Chrome 127. This Chrome Elevator technique enables direct access to cookies and stored credentials by operating inside Chrome’s authorized environment, circumventing one of Google’s most significant browser security enhancements.
The Arkanix Stealer web panel manages customer accounts, coordinates configuration updates, and stores stolen credential data. Arkanix malware supports data extraction from a wide range of Chromium-based browsers including Chrome, Edge, Opera, Vivaldi, Tor, and Yandex browsers. The infostealer further targets browser extensions tied to cryptocurrency wallets such as MetaMask, Binance, and Exodus. Arkanix Stealer also pulls wallet information from standalone cryptocurrency applications including Electrum and Ethereum clients, demonstrating comprehensive targeting of cryptocurrency assets across multiple platforms and application types. This broad targeting capability makes Arkanix Stealer particularly dangerous for cryptocurrency users and financial services organizations.
Monitor Memory-Resident Payloads: Deploy advanced security tooling that detects runtime unpacking, interpreter spawning, and anomalous Chrome browser activity associated with Arkanix Stealer infections. Prioritize behavioral and memory-based analytics over traditional file-dependent signatures, as Arkanix malware executes primarily from memory to evade detection. Implement endpoint detection and response solutions capable of identifying Chrome Elevator injection techniques and unusual process behavior.
Bind Access to Strong Authentication: Protect VPN profiles, Steam gaming accounts, and other auxiliary credentials targeted by Arkanix Stealer with multi-factor authentication and device-bound security tokens. Ensure that compromised credential data yields minimal operational value for attackers even when Arkanix malware successfully exfiltrates stored passwords. Implement hardware-based authentication where possible to prevent credential replay attacks.
Reinforce Recovery and Containment Architecture: Strengthen backup and disaster recovery processes to enable clean system restoration following Arkanix Stealer compromise. Segment internal networks to constrain lateral movement pathways during active compromise scenarios. Maintain comprehensive incident response playbooks that account for infostealer malware with advanced evasion capabilities like the Chrome Elevator bypass technique deployed by Arkanix malware.
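A defender-side illustration of the first recommendation, added here as an example (not code from the original write-up or from G DATA): three detection rules run over constructed Sysmon-style process events, each hit tagged with the ATT&CK technique ID used in the mapping further down this page. The event field names, file paths and the temp-directory heuristic for runtime unpacking are assumptions made for this example.

```python
# Constructed detection rules for behaviours attributed to Arkanix Stealer:
# temp-directory unpacking, interpreter spawning, and injection into chrome.exe.
from pathlib import PureWindowsPath

TEMP = "\\appdata\\local\\temp\\"
USER_DROP = ("\\downloads\\", TEMP)
INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe"}

def _name(path):  # basename, lower-cased, for comparisons
    return PureWindowsPath(path).name.lower()

def _under(path, fragments):
    p = path.lower()
    return any(f in p for f in fragments)

def evaluate(events):
    """Return (rule, attack_id, event_index) for every matching event."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev["event"]
        if kind == "ProcessCreate":
            img, parent = ev["image"], ev["parent"]
            # Rule 1 (assumed heuristic): an executable under %TEMP% launched by
            # a user-downloaded binary, resembling Nuitka onefile unpacking.
            if TEMP in img.lower() and _under(parent, ("\\downloads\\",)):
                hits.append(("temp_unpack_exec", "T1027.002", i))
            # Rule 2: script interpreter spawned from a download/temp path.
            if _name(img) in INTERPRETERS and _under(parent, USER_DROP):
                tid = "T1059.001" if "powershell" in _name(img) else "T1059.006"
                hits.append(("interpreter_spawn", tid, i))
        elif kind in ("CreateRemoteThread", "ProcessAccess"):
            # Rule 3: anything other than Chrome itself touching chrome.exe.
            if _name(ev["target"]) == "chrome.exe" and _name(ev["source"]) != "chrome.exe":
                hits.append(("chrome_injection", "T1055", i))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not from a real incident
    {"event": "ProcessCreate", "image": r"C:\Users\u\Downloads\Setup.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"event": "ProcessCreate", "image": r"C:\Users\u\AppData\Local\Temp\onefile_1\Setup.exe",
     "parent": r"C:\Users\u\Downloads\Setup.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\onefile_1\Setup.exe"},
    {"event": "CreateRemoteThread", "source": r"C:\Users\u\AppData\Local\Temp\onefile_1\Setup.exe",
     "target": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event": "CreateRemoteThread", "source": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]
```

Running `evaluate(SAMPLE_EVENTS)` flags the temp-directory launch, the PowerShell child and the foreign thread in chrome.exe, while Chrome's own thread creation and the initial download launch produce no hit.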
Domain: arkanix[.]pw
URLs: hxxps[:]//arkanix[.]pw/stealer[.]py, hxxps[:]//arkanix[.]pw/delivery, hxxps[:]//arkanix[.]pw/api/upload/direct
SHA256 Hashes: 6ea644285d7d24e09689ef46a9e131483b6763bc14f336060afaeffe37e4beb5, 6960d27fea1f5b28565cd240977b531cc8a195188fc81fa24c924da4f59a1389
Arkanix Stealer maps to the following MITRE ATT&CK tactics and techniques:
Initial Access (TA0001)
Execution (TA0002): User Execution of Malicious File (T1204.002); Command and Scripting Interpreter including Python (T1059.006) and PowerShell (T1059.001)
Persistence (TA0003)
Defense Evasion (TA0005): Obfuscated Files and Software Packing (T1027, T1027.002); Masquerading (T1036, T1036.005); Process Injection (T1055)
Credential Access (TA0006): Credentials from Password Stores (T1555) and Web Browsers (T1555.003); Unsecured Credentials in Files (T1552, T1552.001)
Discovery (TA0007): System Information Discovery (T1082); System Owner/User Discovery (T1033); System Network Configuration Discovery (T1016); Process Discovery (T1057); File and Directory Discovery (T1083); Software Discovery (T1518); Security Software Discovery (T1518.001)
Collection (TA0009): Data from Local System (T1005); Screen Capture (T1113); Automated Collection (T1119); Data Staged (T1074); Input Capture and Keylogging (T1056, T1056.001)
Exfiltration (TA0010): Exfiltration Over C2 Channel (T1041)
Command and Control (TA0011): Application Layer Protocol and Web Protocols (T1071, T1071.001); Encrypted Channel using Symmetric Cryptography (T1573, T1573.001); Web Service (T1102) with Bidirectional Communication (T1102.002)
https://www.gdatasoftware.com/blog/2025/12/38306-arkanix-stealer