OnyxC2 stealer remote-access and credential-theft activity
Malware Activity
Summary
The OnyxC2 stealer has expanded into remote-access and persistence-enabled credential theft, giving buyers a way to harvest browser, extension, wallet, and business-app data from infected hosts. Its reach spans dozens of browsers and about 210 apps and extensions, increasing the chance that one compromise yields reusable logins and session material. The package also includes HVNC, a reverse SOCKS5 proxy, and a reverse shell, which makes post-compromise access harder to evict.
Related Happenings
OnyxC2 developers commercialize stealer as tiered MaaS with support
Threat Actor Meta
H score: 23
First: 11.06.2026 16:00
Last: 11.06.2026 16:00
Sources: 1
How related:
The OnyxC2 stealer surfaced on a cybercrime network earlier this year and is available through Malware-as-a-Service (MaaS) for hire starting at $250 per month.
About this happening:
**OnyxC2** has been sold as a **Malware-as-a-Service** stealer, giving cybercriminal buyers access to a rentable credential-theft platform instead of a one-off custom build. The o...
Gremlin stealer modular toolkit evolution
Malware Activity
H score: 21
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources: 1
About this happening:
The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
H score: 21
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources: 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Venom Stealer MaaS infostealer with persistent credential harvesting
Malware Activity
H score: 21
First: 31.03.2026 17:51
Last: 31.03.2026 17:51
Sources: 1
About this happening:
The **Venom Stealer** infostealer now ships as **malware-as-a-service (MaaS)**, expanding access to a persistent credential-theft tool and raising risk for **Windows** users. It s...
Atroposia malware-as-a-service remote access trojan activity
Malware Activity
H score: 16
First: 28.10.2025 15:15
Last: 28.10.2025 15:15
Sources: 1
About this happening:
The **Atroposia** platform now offers a **remote access trojan** that gives buyers **persistent access**, **evasion**, **data theft**, and **local vulnerability scanning** on **Wi...
Timeline
11.06.2026 16:00 · 2 articles
OnyxC2 stealer surfaces on a cybercrime network
Initial Disclosure: OnyxC2 surfaced on a cybercrime network earlier this year and is offered as Malware-as-a-Service (MaaS) for hire starting at $250 per month, with a $500 premium tier that includes HVNC and a private option described as source code plus installation. BlackFog analyzed two samples and maps the package to roughly 210 applications and extensions across browsers, password managers, wallets, FTP clients, email clients, VPN tools, remote-access tools, messaging apps, note-taking apps, and gaming targets. Ready-made lures include FinePrint, SystemSettings, fake Windows update packages, and Fling-Standalone.
Sources:
- OnyxC2 Stealer Offers Cybercriminals Enterprise-Grade Theft for $250 a Month — www.securityweek.com — 11.06.2026 16:00
11.06.2026 16:00 · 1 article
OnyxC2 malicious component stays unflagged on VirusTotal
Detection IoC Update: BlackFog reports that both delivery archives for OnyxC2 came back clean on their first VirusTotal upload, and the malicious component inside them was still unflagged when last checked on May 30, 2026. The build downloads are AES-256-encrypted, and the payload sits inside a legitimate application with a valid Authenticode signature, paired with a DLL disguised as an NVIDIA graphics library.
Sources:
- OnyxC2 Stealer Offers Cybercriminals Enterprise-Grade Theft for $250 a Month — www.securityweek.com — 11.06.2026 16:00