A new cybersecurity threat, the ‘Arkanix Stealer’ malware, briefly emerged as a malware-as-a-service (MaaS) before disappearing. According to Kaspersky, this malware was implemented in both C++ and Python and became active in October 2025. However, by December, its operations ceased, with the control panel and associated Discord channel vanishing.
Arkanix Stealer’s Capabilities
Despite its short lifespan, Arkanix Stealer offered extensive information-stealing features. It was capable of collecting detailed system and user information, browser data, application specifics, as well as data from Telegram and Discord. Additionally, it targeted VPN information and files from designated directories.
The MaaS model gave customers access to a control panel for configuring payloads and viewing statistics. The package also included a tool called ChromElevator for browser post-exploitation, which could extract cryptocurrency wallet data using the C++ variant of the malware.
Technical Deployment and Features
The Python version of the stealer was distributed as scripts bundled with PyInstaller or Nuitka, and its configuration could be set dynamically through GET requests to a remote server. The malware gathered comprehensive system data, including hardware specifications and installed software details, and targeted 22 browsers to extract sensitive information such as passwords, cookies, and OAuth2 data.
Moreover, Arkanix Stealer had a self-propagation feature that utilized the Discord API to spread to the victim’s contacts by sending messages. It was also noted for collecting VPN credentials from popular clients and exfiltrating files from user directories, packaging them into ZIP archives for transmission to the command-and-control server.
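As an added illustration (not taken from Kaspersky's report or the original article), the behaviour described above, an unrelated process reading browser, Discord and Telegram data and then packaging a ZIP archive, can be correlated in endpoint file telemetry. The event schema, owner allowlist and thresholds below are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Well-known Windows profile locations for data categories the article lists.
SENSITIVE = {
    "browser":  re.compile(r"\\User Data\\[^\\]+\\(Login Data|Network\\Cookies|Web Data)$", re.I),
    "discord":  re.compile(r"\\discord\\Local Storage\\leveldb\\", re.I),
    "telegram": re.compile(r"\\Telegram Desktop\\tdata\\", re.I),
}
# Processes expected to read their own stores (assumed allowlist; tune per environment).
OWNERS = {"chrome.exe", "msedge.exe", "brave.exe", "discord.exe", "telegram.exe"}
WINDOW = 120  # max seconds from a store read to archive creation (assumed threshold)

def find_stealer_like(events):
    """Return sorted (pid, image) pairs that read >=2 store categories, then wrote a ZIP."""
    reads = defaultdict(dict)  # (pid, image) -> {category: first-read timestamp}
    hits = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["pid"], ev["image"])
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name in OWNERS:
            continue  # the owning application touching its own data is normal
        if ev["op"] == "read":
            for cat, rx in SENSITIVE.items():
                if rx.search(ev["path"]):
                    reads[key].setdefault(cat, ev["ts"])
        elif ev["op"] == "create" and ev["path"].lower().endswith(".zip"):
            recent = [c for c, t in reads.get(key, {}).items() if 0 <= ev["ts"] - t <= WINDOW]
            if len(recent) >= 2:
                hits.add(key)
    return sorted(hits)

# Constructed sample telemetry (hypothetical schema: ts, pid, image, op, path).
U = r"C:\Users\alice\AppData"
DL = r"C:\Users\alice\Downloads\setup_tool.exe"
SAMPLE = [dict(zip(("ts", "pid", "image", "op", "path"), row)) for row in [
    (10, 4120, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "read", U + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    (20, 7788, DL, "read", U + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    (25, 7788, DL, "read", U + r"\Roaming\discord\Local Storage\leveldb\000005.ldb"),
    (40, 7788, DL, "create", U + r"\Local\Temp\out.zip"),
    (50, 5000, r"C:\Program Files\7-Zip\7z.exe", "create", r"C:\Users\alice\Documents\photos.zip"),
    (60, 6001, r"C:\Tools\backup.exe", "read", U + r"\Local\Google\Chrome\User Data\Default\Web Data"),
    (65, 6001, r"C:\Tools\backup.exe", "create", r"C:\Backups\profile.zip"),
]]

if __name__ == "__main__":
    for pid, image in find_stealer_like(SAMPLE):
        print(f"ALERT pid={pid} image={image}")
```

Requiring two distinct categories before the archive write keeps single-purpose tools, such as a browser profile backup, from alerting on their own.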
Operational Shutdown and Observations
Kaspersky identified two secured servers that hosted the stealer panel for victim monitoring. The developer maintained a Discord channel for user interaction and promoted a referral program to expand its reach. However, this operation was characterized as a short-term campaign aimed at rapid financial gain, ending abruptly in December 2025 without any indication of further development.
The native variant of Arkanix Stealer used VMProtect for protection, incorporated anti-analysis techniques, and targeted various types of data, including gaming files. Kaspersky’s analysis suggests that while the campaign was brief, it was sophisticated and posed a significant threat during its active period.
The disappearance of Arkanix Stealer underscores the transient nature of some cyber threats, where malware-as-a-service models are employed for quick profits before being abandoned. The lack of continued activity suggests that this particular threat may not re-emerge, but vigilance remains essential as cyber threats continue to evolve.
