The creators of StealC, a widely-used information stealer and malware downloader, have released its second major version, bringing multiple stealth and data theft enhancements.
The latest version of StealC was actually made available to cybercriminals in March 2025, but Zscaler researchers who analyzed it just published a detailed write-up.
In the weeks that followed its release, several minor bug fixes and point releases added new features, with the latest being version 2.2.4.
StealC is a lightweight info-stealer malware that gained traction on the dark web in early 2023, selling access for $200/month.
In 2024, it was spotted in large-scale malvertising campaigns and attacks locking systems into inescapable kiosk modes.
In late 2024, it was confirmed that StealC development remained very active, with its developers adding a bypassing mechanism for Chrome’s ‘App-Bound Encryption’ cookie-theft defenses, allowing the “regeneration” of expired cookies for hijacking Google accounts.
New in latest version
Version 2 (and later) was announced in March 2025. According to Zscaler’s analysis, it brings the following major improvements:
- Payload delivery enhancements with support for EXE files, MSI packages, and PowerShell scripts, and configurable payload triggering.
- RC4 encryption was added for code strings and command-and-control (C2) communications, with random parameters in C2 responses for better evasion.
- Architecture and execution improvements with new payloads compiled for 64-bit systems, resolving API functions dynamically at runtime, and introducing a self-deletion routine.
- New embedded builder that allows operators to generate new StealC builds using templates and custom data theft rules.
- Added Telegram bot support for real-time alerts to operators.
- Added capability to screenshot the victim’s desktop with multi-monitor support.
Source: Zscaler
However, apart from the feature additions, there have also been some notable removals, like the anti-VM checks and DLL downloading/execution.
These might indicate an effort to make the malware leaner, but they may also be collateral damage from major code rework and could be re-introduced in better form in future versions.
Source: Zscaler
In the most recent attacks seen by Zscaler, StealC was deployed by Amadey, a separate malware loader, though different operators could differentiate the delivery methods or attack chains.
To protect your data from info-stealer malware, avoid storing sensitive information on your browser for convenience, use multi-factor authentication to protect your accounts, and never download pirated or other software from obscure sources.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.