Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations
Published 19 January 2026 (last updated 2026/01/19 at 2:15 AM)
Ravie Lakshmanan · Jan 19, 2026 · Malware / Threat Intelligence

Cybersecurity researchers have disclosed a cross-site scripting (XSS) vulnerability in the web-based control panel used by operators of the StealC information stealer, which allowed the researchers to gather crucial insights into one of the threat actors using the malware in their operations.

“By exploiting it, we were able to collect system fingerprints, monitor active sessions, and – in a twist that will surprise no one – steal cookies from the very infrastructure designed to steal them,” CyberArk researcher Ari Novick said in a report published last week.

StealC is an information stealer that first emerged in January 2023 under a malware-as-a-service (MaaS) model. Its customers have leveraged YouTube as a primary distribution mechanism – a phenomenon called the YouTube Ghost Network – to spread the malicious program disguised as cracks for popular software.


Over the past year, the stealer has also been observed being propagated via rogue Blender Foundation files and a social engineering tactic known as FileFix. StealC, in the meantime, received updates of its own, offering Telegram bot integration for sending notifications, enhanced payload delivery, and a redesigned panel. The updated version was codenamed StealC V2.

Weeks later, the source code for the malware’s administration panel was leaked, providing an opportunity for the research community to identify characteristics of the threat actor’s computers, such as general location indicators and computer hardware details, as well as retrieve active session cookies from their own machines.

The exact details of the XSS flaw in the panel have not been disclosed, both to avoid prompting the developers to plug the hole and to avoid enabling copycats who might use the leaked panel to start their own stealer MaaS offerings.

In general, XSS flaws are a form of client-side injection that allows an attacker to make a susceptible website execute malicious JavaScript code in the browser of whoever loads the page. They arise when user-supplied input is neither validated nor correctly encoded for the context in which it is rendered, allowing a threat actor to steal cookies, impersonate the affected users, and access sensitive information.

“Given the core business of the StealC group involves cookie theft, you might expect the StealC developers to be cookie experts and to implement basic cookie security features, such as httpOnly, to prevent researchers from stealing cookies via XSS,” Novick said. “The irony is that an operation built around large-scale cookie theft failed to protect its own session cookies from a textbook attack.”
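The two defences the article points at, encoding untrusted input at output time and marking the session cookie `HttpOnly` so that injected script cannot read it, as an added illustration in JavaScript. This is example code written for this page, not code from the article, from CyberArk, or from the StealC panel; the row fields, cookie name and the sample "hostname" value are constructed.

```javascript
// Added example, not from the article or the panel it discusses.
// All sample values below are constructed for illustration.

// HTML-encode the five characters that let text break out of an element body
// or a double-quoted attribute. Encoding happens at output time, for the
// context the data lands in (here: HTML body text).
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: stored fields are pasted straight into markup, so any
// HTML carried in a stored value is interpreted by the viewer's browser.
function renderRowUnsafe(row) {
  return `<tr><td>${row.hostname}</td><td>${row.country}</td></tr>`;
}

// Hardened rendering: every untrusted field is encoded for HTML body context.
function renderRowSafe(row) {
  return `<tr><td>${escapeHtml(row.hostname)}</td><td>${escapeHtml(row.country)}</td></tr>`;
}

// Build a Set-Cookie value with the attributes that keep a session token out of
// script reach: HttpOnly blocks document.cookie access, Secure restricts it to
// HTTPS, SameSite=Strict stops it being sent on cross-site requests.
function sessionCookie(name, value, maxAgeSeconds) {
  const token = encodeURIComponent(value);
  return `${name}=${token}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

// Audit helper: parse a Set-Cookie header and list which of the expected
// attributes are missing. Attribute names are matched case-insensitively,
// which is how browsers treat them.
function missingCookieAttributes(setCookieHeader) {
  const attrs = setCookieHeader.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const want = ['httponly', 'secure', 'samesite'];
  return want.filter((w) => !attrs.some((a) => a === w || a.startsWith(w + '=')));
}

// Constructed sample row: a stored value that carries markup, the shape of
// input an output-encoding bug fails on.
const sampleRow = { hostname: 'DESKTOP-01<script>x()</script>', country: 'ZZ' };
```

Run against `sampleRow`, `renderRowUnsafe` emits the `<script>` element verbatim while `renderRowSafe` emits `&lt;script&gt;`; `missingCookieAttributes` reports nothing missing for the cookie `sessionCookie` builds and all three attributes missing for a bare `sid=...; Path=/` header, which is the quick check to run against any panel or application that holds session tokens.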

CyberArk also shared details of a StealC customer named YouTubeTA (short for “YouTube Threat Actor”), who has extensively used Google’s video sharing platform to distribute the stealer by advertising cracked versions of Adobe Photoshop and Adobe After Effects, amassing over 5,000 logs that contained 390,000 stolen passwords and more than 30 million stolen cookies. Most of the cookies are assessed to be tracking cookies and other non-sensitive cookies.

It’s suspected that these efforts have enabled the threat actor to seize control of legitimate YouTube accounts and use them to promote cracked software, creating a self-perpetuating propagation mechanism. There is also evidence of ClickFix-like fake CAPTCHA lures being used to distribute StealC, suggesting the actor’s infections aren’t confined to YouTube.


Further analysis has determined that the panel enables operators to create multiple users and differentiate between admin users and regular users. In the case of YouTubeTA, the panel has been found to feature only one admin user, who is said to be using an Apple M3 processor-based machine with English and Russian language settings.

In what can be described as an operational security blunder on the threat actor’s part, their location was exposed around mid-July 2025 when the threat actor forgot to connect to the StealC panel through a virtual private network (VPN). This revealed their real IP address, which was associated with a Ukrainian provider called TRK Cable TV. The findings indicate that YouTubeTA is a lone-wolf actor operating from an Eastern European country where Russian is commonly spoken.

The research also underscores the impact of the MaaS ecosystem, which lets threat actors mount operations at scale within a short span of time, while inadvertently exposing them to the same security risks legitimate businesses deal with.

“The StealC developers exhibited weaknesses in both their cookie security and panel code quality, allowing us to gather a great deal of data about their customers,” CyberArk said. “If this holds for other threat actors selling malware, researchers and law enforcement alike can leverage similar flaws to gain insights into, and perhaps even reveal the identities of, many malware operators.”
