{"id":1409,"date":"2026-02-19T11:06:09","date_gmt":"2026-02-19T11:06:09","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/19\/arkanix-stealer-a-c-python-infostealer\/"},"modified":"2026-02-19T11:06:09","modified_gmt":"2026-02-19T11:06:09","slug":"arkanix-stealer-a-c-python-infostealer","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/19\/arkanix-stealer-a-c-python-infostealer\/","title":{"rendered":"Arkanix Stealer: a C++ & Python infostealer"},"content":{"rendered":"
\n

\"\"<\/p>\n

Introduction<\/h2>\n

In October 2025, we discovered a series of forum posts advertising a previously unknown stealer, dubbed \u201cArkanix Stealer\u201d by its authors. It operated under a MaaS (malware-as-a-service) model, providing users not only with the implant but also with access to a control panel featuring configurable payloads and statistics. The set of implants included a publicly available browser post-exploitation tool known as ChromElevator, which was delivered by a native C++ version of the stealer. This version featured a wide range of capabilities, from collecting system information to stealing cryptocurrency wallet data. Alongside that, we have also discovered Python implementation of the stealer capable of dynamically modifying its configuration. The Python version was often packed, thus giving the adversary multiple methods for distributing their malware. It is also worth noting that Arkanix was rather a one-shot malicious campaign: at the time of writing this article, the affiliate program appears to be already taken down.<\/p>\n

Kaspersky products detect this threat as Trojan-PSW.Win64.Coins.*<\/code>, HEUR:Trojan-PSW.Multi.Disco.gen<\/code>, Trojan.Python.Agent.*<\/code>.<\/p>\n

Technical details<\/h2>\n

Background<\/h3>\n

In October 2025, a series of posts was discovered on various dark web forums, advertising a stealer referred to by its author as \u201cArkanix Stealer\u201d. These posts detail the features of the stealer and include a link to a Discord server, which serves as the primary communication channel between the author and the users of the stealer.<\/p>\n

\"Example<\/a><\/p>\n

Example of an Arkanix Stealer advertisement<\/p>\n<\/div>\n

Upon further research utilizing public resources, we identified a set of implants associated with this stealer.<\/p>\n

Initial infection or spreading<\/h3>\n

The initial infection vector remains unknown. However, based on some of the file names (such as steam_account_checker_pro_v1.py<\/code>, discord_nitro_checker.py<\/code>, and TikTokAccountBotter.exe<\/code>) of the loader scripts we obtained, it can be concluded with high confidence that the initial infection vector involved phishing.<\/p>\n

Python loader<\/h3>\n\n\n\n\n
MD5<\/strong><\/td>\n208fa7e01f72a50334f3d7607f6b82bf<\/td>\n<\/tr>\n
File name<\/strong><\/td>\ndiscord_nitro_code_validator_right_aligned.py<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The Python loader is the script responsible for downloading and executing the Python-based version of the Arkanix infostealer. We have observed both plaintext Python scripts and those bundled using PyInstaller or Nuitka, all of which share a common execution vector and are slightly obfuscated. These scripts often serve as decoys, initially appearing to contain legitimate code. Some of them do have useful functionality, and others do nothing apart from loading the stealer. Additionally, we have encountered samples that employ no obfuscation at all, in which the infostealer is launched in a separate thread via Python\u2019s built-in threading<\/code> module.<\/p>\n

\"Variants<\/a><\/p>\n

Variants of Python loaders executing the next stage<\/p>\n<\/div>\n

Upon execution, the loader first installs the required packages \u2014 namely, requests<\/code>, pycryptodome<\/code>, and psutil<\/code> \u2014 via the pip<\/code> package manager, utilizing the subprocess<\/code> module. On Microsoft Windows systems, the loader also installs pywin32<\/code>. In some of the analyzed samples, this process is carried out twice. Since the loader does not perform any output validation of the module installation command, it proceeds to make a POST request to hxxps:\/\/arkanix[.]pw\/api\/session\/create<\/code> to register the current compromised machine on the panel with a predefined set of parameters even if the installation failed. After that, the stealer makes a GET request to hxxps:\/\/arkanix[.]pw\/stealer.py<\/code> and executes the downloaded payload.<\/p>\n

Python stealer version<\/h2>\n\n\n\n\n
MD5<\/strong><\/td>\naf8fd03c1ec81811acf16d4182f3b5e1<\/td>\n<\/tr>\n
File name<\/strong><\/td>\n\u2013<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

During our research, we obtained a sample of the Python implementation of the Arkanix stealer, which was downloaded from the endpoint hxxps:\/\/arkanix[.]pw\/stealer.py<\/code> by the previous stage.<\/p>\n

The stealer\u2019s capabilities \u2014 or features, as referred to by the author \u2014 in this version are configurable, with the default configuration predefined within the script file. To dynamically update the feature list, the stealer makes a GET request to hxxps:\/\/arkanix[.]pw\/api\/features\/{payload_id}<\/code>, indicating that these capabilities can be modified on the panel side. The feature list is identical to the one that was described in the GDATA report<\/a>.<\/p>\n

\"Configurable<\/a><\/p>\n

Configurable options<\/p>\n<\/div>\n

Prior to executing the information retrieval-related functions, the stealer makes a request to hxxps:\/\/arkanix[.]pw\/upload_dropper.py<\/code>, saves the response to %TEMP%upd_{random 8-byte name}.py<\/code>, and executes it. We do not have access to the contents of this script, which is referred to as the \u201cdropper\u201d by the attackers.<\/p>\n

During its main information retrieval routine, at the end of each processing stage, the collected information is serialized into JSON format and saved to a predefined path, such as %LOCALAPPDATAArkanix_lol%info_class%.json<\/code>.<\/p>\n

In the following, we will provide a more detailed description of the Python version\u2019s data collection features.<\/p>\n

System info collection<\/h3>\n

Arkanix Stealer is capable of collecting a set of info about the compromised system. This info includes:<\/p>\n