OnyxC2 developers commercialize stealer as tiered MaaS with support
Threat Actor Meta
Summary
OnyxC2 has been sold as a Malware-as-a-Service stealer, giving cybercriminal buyers access to a rentable credential-theft platform instead of a one-off custom build. The offer starts at $250 per month, rises to $500 per month for premium access, and includes a private source-code option for $6k. That packaging lowers the barrier to entry and expands the market for credential theft by combining support, tiering, and prebuilt lures.
Related Happenings
OnyxC2 stealer remote-access and credential-theft activity
Malware Activity
H score: 23
First: 11.06.2026 16:00
Last: 11.06.2026 16:00
Sources 1
How related:
The stealer is paired with a remote-access toolkit and provides HVNC over a web browser, LSASS dumping, RunPE in memory and on disk, a reverse SOCKS5 proxy, screenshot capture, a keylogger, a file manager, a reverse shell over HTTP, a built-in TOR tunnel, and AES-256-encrypted build downloads.
About this happening:
The **OnyxC2 stealer** has expanded into **remote-access and persistence-enabled credential theft**, giving buyers a way to harvest browser, extension, wallet, and business-app da...
Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor Meta
H score: 40
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
**Venom Stealer** is being run as a **subscription-based** malware service with **Telegram licensing** and an **affiliate program**, signaling a more organized cybercrime ecosyste...
VenomStealer ecosystem shift changes threat-actor operations
Threat Actor Meta
H score: 30
First: 31.03.2026 17:51
Last: 31.03.2026 17:51
Sources 1
About this happening:
**VenomStealer** is being run as a **licensed underground service** with an **affiliate program**, shifting it from a single malware kit into a repeatable operator ecosystem that...
VirusTotal Code Insight scanning for OpenClaw ClawHub skills
Security Tool/Service
H score: 10
First: 08.02.2026 09:32
Last: 08.02.2026 09:32
Sources 1
About this happening:
**OpenClaw** has added **VirusTotal Code Insight** scanning for **ClawHub** skill uploads, changing how new skills are vetted before publication. **Benign** bundles are approved a...
Russian-linked StealC V2 Blender marketplace delivery campaign
Campaign
H score: 38
First: 25.11.2025 00:00
Last: 25.11.2025 00:00
Sources 1
About this happening:
A **Russian-linked campaign** is distributing **StealC V2** through malicious **.blend files** on **3D model marketplaces** and putting **Blender users** at risk of credential the...
Timeline
- 11.06.2026 16:00 · 1 article
BlackFog verifies OnyxC2 stealth with clean VirusTotal uploads
Technical Analysis Update: BlackFog says both delivery archives for OnyxC2 came back clean on their first VirusTotal upload, and the malicious component inside them was still unflagged when it last checked on May 30, 2026. The build downloads are AES-256-encrypted, and the package pairs a legitimate application with a DLL disguised as an NVIDIA graphics library that appends the payload after legitimate content and loads it at runtime.
Sources:
- OnyxC2 Stealer Offers Cybercriminals Enterprise-Grade Theft for $250 a Month — www.securityweek.com — 11.06.2026 16:00
- 11.06.2026 16:00 · 2 articles
OnyxC2 developers sell tiered MaaS access to buyers
Initial Disclosure: OnyxC2 surfaced on a cybercrime network earlier this year and is being sold as Malware-as-a-Service starting at $250 per month, with a $500 premium option that includes HVNC, and a private source code + installation guide package for $6k. The developers also offer refunds if the build gets detected and include ready-made lures such as FinePrint, SystemSettings, fake Windows update packages, and Fling-Standalone, while BlackFog says the stealer targets roughly 210 applications and extensions across nine categories.
Sources:
- OnyxC2 Stealer Offers Cybercriminals Enterprise-Grade Theft for $250 a Month — www.securityweek.com — 11.06.2026 16:00
- OnyxC2 Stealer Offers Cybercriminals Enterprise-Grade Theft for $250 a Month — www.securityweek.com — 11.06.2026 16:00