- CyberArk Exploited StealC Control Panel Via Source Code Leak and XSS Flaw
- Researchers exposed “YouTubeTA” attacker, who stole 390,000 passwords and 30 million cookies
- Findings May Disrupt StealC Operations by Drawing Greater Scrutiny and Attacks
Cybersecurity researchers managed to break into the web-based control panel of the StealC information stealer and obtain valuable information about how the malware operates and who the attackers and victims are.
StealC is an immensely popular information-stealing malware that first emerged a couple of years ago and has since become one of the staples of the cybercriminal community.
It can collect and exfiltrate sensitive data such as web browser credentials, cookies, system information, messaging applications and email data, as well as cryptocurrency wallet details, and offers different features such as modular targeting, stealth execution, and flexible command and control communications.
Doxxing victims
CyberArk security researchers found two ways to access the control panel: through a source code leak that occurred around April 2025, and through a cross-site scripting (XSS) vulnerability they discovered.
“By exploiting the vulnerability, we were able to identify characteristics of the threat actor’s computers, including general location indicators and computer hardware details,” the researchers said. “In addition, we were able to retrieve cookies from active sessions, allowing us to control the sessions from our own machines.”
The report details a threat actor, dubbed “YouTubeTA,” who used stolen credentials to log into legitimate YouTube channels and place links for the malware. The campaign provided YouTubeTA with more than 5,000 victim records, 390,000 passwords and 30 million cookies.
CyberArk discovered that the attacker used an Apple M3-based device, with English and Russian language settings. The time zone was set to Eastern Europe, and on at least one occasion they logged in from Ukraine. Typically, cybercriminals only log in through a VPN to cover their tracks, but this threat actor forgot to do so once, revealing his IP address, which is linked to the Ukrainian ISP TRK Cable TV.
By publishing this news, CyberArk hopes that StealC will also be targeted by other players, both benign and malicious, thus disrupting the entire operation.
Via BleepingComputer