A cross-site scripting (XSS) flaw in the web-based control panel used by operators of the StealC info-stealing malware allowed researchers to observe active sessions and gather intelligence on the attackers’ hardware.

StealC emerged in early 2023 with aggressive promotion on dark web cybercrime channels. It grew in popularity due to its evasion and extensive data theft capabilities.

In the following years, StealC’s developer added multiple enhancements. With the release of version 2.0 last April, the malware author introduced Telegram bot support for real-time alerts and a new builder that could generate StealC builds based on templates and custom data theft rules.

Around that time, the source code for the malware’s administration panel was leaked, giving researchers an opportunity to analyze it.

CyberArk researchers also discovered an XSS flaw that allowed them to collect browser and hardware fingerprints of StealC operators, observe active sessions, steal session cookies from the panel, and hijack panel sessions remotely.

“By exploiting the vulnerability, we were able to identify characteristics of the threat actor’s computers, including general location indicators and computer hardware details,” the researchers say.

“Additionally, we were able to retrieve active session cookies, which allowed us to gain control of sessions from our own machines.”

CyberArk did not disclose specific details about the XSS vulnerability to prevent StealC operators from quickly pinpointing and fixing it.

The report highlights one case of a StealC customer, referred to as ‘YouTubeTA’, who hijacked old, legitimate YouTube channels likely using compromised credentials, and planted infecting links.

The cybercriminal ran malware campaigns throughout 2025, collecting over 5,000 victim logs, stealing approximately 390,000 passwords and 30 million cookies (most of them non-sensitive).

Screenshots from the threat actor’s panel indicate that most infections occurred when victims searched for cracked versions of Adobe Photoshop and Adobe After Effects.

By leveraging the XSS flaw, the researchers could determine that the attacker used an Apple M3-based system with English and Russian language settings, used the Eastern European time zone, and was accessing the internet via Ukraine.

Their location was exposed when the threat actor forgot to connect the StealC panel through VPN. This revealed their real IP address, which was linked to Ukrainian ISP TRK Cable TV.

CyberArk notes that malware-as-a-service (MaaS) platforms enable rapid scaling but also pose a significant risk of exposure to threat actors.

BleepingComputer has contacted CyberArk to ask why they chose to disclose the StealC XSS flaw now. Researcher Ari Novick said that they hope to cause disruption to the operation, since there has been “a spike in recent months in the number of StealC operators, possibly in response to the drama around Lumma a couple of months ago.”

“By posting the existence of the XSS we hope to cause at least some disruption in the use of the StealC malware, as operators re-evaluate using it. Since there are now relatively many operators, it seemed like a prime opportunity to potentially cause a fairly significant disruption in the MaaS market.”