
    ‘Arkanix Stealer’ Malware Disappears Shortly After Debut

    By admin | February 24, 2026

    A new infostealer named ‘Arkanix Stealer’ operated as a malware-as-a-service (MaaS) enterprise in a one-shot campaign, Kaspersky says.

    Implemented in both C++ and Python, the malware emerged in October 2025, when its developer started advertising it in underground forum posts, but likely ceased operations in December, when its control panel and Discord channel disappeared.

    While short-lived, Arkanix Stealer did provide miscreants with broad information-stealing capabilities, collecting system and user information, application details, browser data, Telegram and Discord data, VPN information, and stealing files from specific directories.

    As part of the MaaS, users were provided with access to a control panel allowing them to configure payloads and access statistics.

    Users were provided with a browser post-exploitation tool named ChromElevator, delivered via a native C++ version of the malware that could also harvest cryptocurrency wallet data.

    The Python variant of the stealer, Kaspersky says, was deployed via a Python script, often bundled with PyInstaller or Nuitka, and could dynamically modify its configuration by making GET requests to a remote server.


    Arkanix Stealer could collect broad system information, including CPU, GPU, RAM, OS, screen, keyboard, and time zone data, along with details on the installed software, including antivirus and VPN applications.

    It could also target 22 browsers to harvest information such as history, autofill information, passwords, cookies, and OAuth2 data, as well as Telegram messages and Discord credentials.

    The analyzed stealer sample also contained a self-spreading feature, acquiring a list of the victim’s Discord friends and channels via the Discord API, and sending a configured message to them.

    Kaspersky also observed the malware collecting credentials from known VPN clients, such as Mullvad VPN, NordVPN, ExpressVPN, and ProtonVPN.

    Using a pre-defined set of paths, the malware was seen exfiltrating files from multiple directories associated with the current user, packing them in a ZIP archive, and sending them to the command-and-control (C&C) server.

    The malware could also fetch additional modules from the C&C to expand its capabilities. These modules include a Chrome grabber, a wallet patcher, an extra collector, and a Python script placed in the startup folder to be executed at system boot.
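
A defender-side check for the startup-folder persistence described above, as an added example that is not from Kaspersky's report or the original article: it lists Python scripts, and batch/VBS launchers that reference Python, in the per-user and all-users Windows Startup folders. The extension lists and hint strings are assumptions chosen for illustration, not indicators from the report.

```python
import os
from pathlib import Path

# Extensions that Windows hands straight to a Python interpreter.
PYTHON_EXTS = {".py", ".pyw", ".pyc"}
# Text launchers that can wrap a Python invocation (illustrative list).
LAUNCHER_EXTS = {".bat", ".cmd", ".vbs"}
# Substrings that suggest a launcher starts Python (illustrative list).
LAUNCHER_HINTS = ("python", ".py")


def startup_dirs(env=os.environ):
    """Return the per-user and all-users Startup folder paths derived from env."""
    rel = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"
    roots = [env.get("APPDATA"), env.get("PROGRAMDATA")]
    return [Path(r) / rel for r in roots if r]


def scan_startup(dirs):
    """Return (path, reason) pairs for Python-related autostart entries in dirs."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue  # folder absent on this host or profile
        for entry in sorted(d.iterdir()):
            if not entry.is_file():
                continue
            ext = entry.suffix.lower()
            if ext in PYTHON_EXTS:
                findings.append((entry, "python script in Startup folder"))
            elif ext in LAUNCHER_EXTS:
                # Launchers are plain text; look for a Python invocation inside.
                text = entry.read_text(errors="ignore").lower()
                if any(hint in text for hint in LAUNCHER_HINTS):
                    findings.append((entry, "launcher references Python"))
    return findings


if __name__ == "__main__":
    for path, reason in scan_startup(startup_dirs()):
        print(f"{path}: {reason}")
```

A payload bundled with PyInstaller or Nuitka lands as a native executable and is not covered by this check; shortcut (.lnk) targets are also not parsed here.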

    The native variant uses VMProtect, without code virtualization, implements anti-analysis features, collects RDP connection details, targets gaming files and clients for credential theft, captures screenshots, and exfiltrates browser data.

    Kaspersky identified two servers used to host the stealer panel and monitor victims, both secured via a sign-in page. The malware’s developer also maintained a Discord channel to interact with users and implemented a referral program to attract customers.

    “This campaign tends to be more of a one-shot campaign for quick financial gains rather than a long-running infection. The panel and the Discord chat were taken down around December 2025, leaving no message or traces of further development or a resurgence,” Kaspersky notes.
