Cyber: Arkanix Stealer Pops Up As Short-lived AI Info-stealer Experiment

An information-stealing malware operation named Arkanix Stealer, promoted on multiple dark web forums towards the end of 2025, was likely developed as an AI-assisted experiment.

The project included a control panel and a Discord server for communication with users, but the author took them down without notification, just two months after the operation began.

Arkanix offered many of the standard data-stealing features that cybercriminals are used to, along with a modular architecture and anti-analysis features.

Kaspersky researchers analyzed the Arkanix stealer and found clues indicating LLM-assisted development, which "might have drastically reduced development time and costs."

The researchers believe that Arkanix was a short-lived project for quick financial gains, which makes detection and tracking much more difficult.

Arkanix started being promoted on hacker forums in October 2025, offering two tiers to potential customers: a basic level with a Python-based implementation, and a “premium” one with a native C++ payload using VMProtect protection, integrating AV evasion and wallet injection features.

The developer set up a Discord server that acted as a forum for the community around the project to receive updates, provide feedback for proposed features, and receive help.

Also, a referral program was established to promote the project more aggressively, giving referrers an extra free hour of premium access, while potential new customers received one week of free access to the “premium” version.

Additionally, the malware can steal data from Telegram, steal Discord credentials, spread via the Discord API, and send messages to the victim’s friends/channels.

Arkanix also targets credentials for Mullvad, NordVPN, ExpressVPN, and ProtonVPN, and can archive files from the local filesystem to exfiltrate them asynchronously.

Source: BleepingComputer