Arkanix Stealer Malware: A Brief but Notorious Existence


Arkanix Stealer Malware-as-a-Service Operation

A newly discovered malware-as-a-service (MaaS) operation, dubbed Arkanix Stealer, offered a broad range of information-stealing capabilities to its users before suddenly ceasing operations in December 2025.

Discovery and Operations

According to Kaspersky, the malware was first advertised on underground forums in October 2025, but the developer's control panel and Discord channel disappeared only a few weeks later.

Malware Capabilities

Arkanix Stealer shipped in two variants, a native C++ build and a Python build, and gave customers a web control panel for configuring payloads and viewing infection statistics. The package also bundled a browser post-exploitation tool called ChromElevator, used among other things to harvest cryptocurrency wallet data.

The Python variant was a Python script, typically compiled into a standalone executable with PyInstaller or Nuitka, that could update its configuration at runtime by issuing GET requests to a remote server.

Data Collection

The malware was capable of collecting a wide range of system and user information, including CPU, GPU, RAM, OS, screen, keyboard, and time zone data. It could also target 22 browsers to harvest information such as history, autofill information, passwords, cookies, and OAuth2 data.

Additionally, the malware could collect Telegram messages and Discord credentials, as well as credentials from known VPN clients, including Mullvad VPN, NordVPN, ExpressVPN, and ProtonVPN.

Self-Spreading Capability

Arkanix Stealer also featured a self-spreading capability: using the victim's Discord session it retrieved the list of the victim's friends and channels via the Discord API and sent a configured message to each of them.

The malware could also exfiltrate files from several directories belonging to the current user, packing them into a ZIP archive and uploading it to the command-and-control (C&C) server.

Infrastructure and Developer Activity

Kaspersky identified two servers used to host the stealer panel and track victims, both fronted by a sign-in page. The malware's developer maintained a Discord channel to interact with customers and ran a referral program to attract new ones.

The campaign appears to have been short-lived, however: the panel and the Discord chat were taken down in December 2025, with no farewell message and no sign of further development or a resurgence since.

Additional Malware Features

The native variant was protected with VMProtect, although without its code-virtualization mode, and included anti-analysis checks.

It also collected saved RDP connection details, targeted game files and gaming clients for credential theft, captured screenshots, and exfiltrated browser data.

The malware could also fetch additional modules from the C&C to extend its capabilities, including a Chrome grabber, a wallet patcher, an extra collector, and a Python script dropped into the Startup folder so that it runs each time the user logs on.
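As an added illustration (not code from Kaspersky's report or from the malware itself), the following Python script checks a file for two of the static indicators mentioned above: the CArchive cookie that PyInstaller appends to every executable it bundles (covering the Python variant described earlier), and the default section names VMProtect leaves in a protected PE (covering the native variant). The VMProtect section names are an assumption, since the page does not say which names the Arkanix binaries carried, and build_fake_pe constructs a minimal PE purely so the check can be exercised offline.

```python
import struct
from typing import Dict, List

# PyInstaller appends a CArchive to the executable; the archive "cookie" starts
# with this 8-byte magic, so its presence is a cheap bundler indicator.
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"

# Default section names VMProtect creates for protected code. Assumption: the
# page does not say which names the Arkanix binaries carried.
VMPROTECT_SECTIONS = {".vmp0", ".vmp1", ".vmp2"}


def has_pyinstaller_cookie(data: bytes) -> bool:
    return PYINSTALLER_MAGIC in data


def pe_section_names(data: bytes) -> List[str]:
    """Walk DOS header -> PE signature -> COFF header -> section table by hand,
    so the check has no dependency on pefile. Returns [] for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    if coff + 20 > len(data):
        return []
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + size_opt
    names: List[str] = []
    for i in range(num_sections):
        off = table + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def triage(data: bytes) -> Dict[str, object]:
    """Summarise the bundler/protector indicators found in one file image."""
    sections = pe_section_names(data)
    return {
        "pyinstaller": has_pyinstaller_cookie(data),
        "vmprotect": any(s in VMPROTECT_SECTIONS for s in sections),
        "sections": sections,
    }


def build_fake_pe(section_names: List[str], tail: bytes = b"") -> bytes:
    """Constructed minimal PE (headers + section table only) for offline testing;
    SizeOfOptionalHeader is 0 so the section table follows the COFF header."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + tail


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it as `python triage.py sample.exe`; a PyInstaller build will show the cookie whether or not the PE was later repacked, because the archive sits after the PE image, while the VMProtect check only fires on the default section names and will miss binaries whose sections were renamed.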
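As an added example (not from the Kaspersky report or from the malware), the following Python script checks the per-user Startup folder for the kind of persistence described above: Python scripts dropped there directly, and launcher files (.lnk, .bat, .cmd, .vbs) that hand off to a Python interpreter. The Startup path is the standard per-user location, which is an assumption since the page only says "the startup folder", and demo_sample builds a constructed folder in a temporary directory so the check can be exercised offline.

```python
import os
import tempfile
from pathlib import Path
from typing import List

# Per-user Startup folder: anything here is launched at logon. The page only
# says "the startup folder"; this standard per-user path is an assumption.
DEFAULT_STARTUP = (Path(os.environ.get("APPDATA", ""))
                   / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup")

SCRIPT_SUFFIXES = {".py", ".pyw", ".pyc"}
LAUNCHER_SUFFIXES = {".lnk", ".bat", ".cmd", ".vbs"}
NEEDLES = (b"python", b".py")


def _mentions_python(blob: bytes) -> bool:
    """True if the file body references a Python interpreter or script.
    .lnk files store their target path as UTF-16 LE, so check that encoding too."""
    lowered = blob.lower()
    for needle in NEEDLES:
        if needle in lowered or needle.decode().encode("utf-16-le") in lowered:
            return True
    return False


def find_python_autostarts(startup_dir: Path) -> List[Path]:
    """Return entries in the Startup folder that are Python scripts, or launchers
    (.lnk/.bat/.cmd/.vbs) that hand off to Python."""
    hits: List[Path] = []
    if not startup_dir.is_dir():
        return hits
    for entry in sorted(startup_dir.iterdir()):
        if not entry.is_file():
            continue
        suffix = entry.suffix.lower()
        if suffix in SCRIPT_SUFFIXES:
            hits.append(entry)
        elif suffix in LAUNCHER_SUFFIXES and _mentions_python(entry.read_bytes()):
            hits.append(entry)
    return hits


def demo_sample() -> List[str]:
    """Build a constructed Startup folder in a temp dir and return the flagged names."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "updater.pyw").write_text("import os  # constructed sample\n")
        (d / "notes.txt").write_text("harmless\n")
        (d / "run.bat").write_text('@start "" pythonw "%APPDATA%\\svc\\main.py"\n')
        # Constructed stand-ins for .lnk bodies: only the UTF-16 LE target path matters here.
        (d / "updater.lnk").write_bytes(
            b"L\x00\x00\x00"
            + r"C:\Users\u\AppData\Local\Programs\Python\pythonw.exe".encode("utf-16-le"))
        (d / "OneDrive.lnk").write_bytes(
            b"L\x00\x00\x00" + r"C:\Program Files\OneDrive.exe".encode("utf-16-le"))
        return [p.name for p in find_python_autostarts(d)]


if __name__ == "__main__":
    for hit in find_python_autostarts(DEFAULT_STARTUP):
        print("suspicious autostart:", hit)
    print("demo:", demo_sample())
```

On a real host the script prints each suspicious entry; a .lnk that points at pythonw.exe is worth a closer look because the windowless interpreter is the natural choice for a silently started stealer, and a plain .py or .pyw in this folder is rarely legitimate.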

Conclusion

Overall, Arkanix Stealer demonstrates the evolving threat landscape of information-stealing malware, highlighting the need for robust security measures to protect against such threats.


