{
	"id": "f2ea1769-0351-442d-88d8-f07d922aa611",
	"created_at": "2026-04-06T00:14:46.66018Z",
	"updated_at": "2026-04-10T03:36:48.017222Z",
	"deleted_at": null,
	"sha1_hash": "5dbfe2946a6b225e8068589bc83d047bee2b4f9e",
	"title": "UNO reverse card: stealing cookies from cookie stealers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1879910,
	"plain_text": "UNO reverse card: stealing cookies from cookie stealers\r\nBy Ari Novick\r\nPublished: 2026-01-15 · Archived: 2026-04-05 20:04:11 UTC\r\nCriminal infrastructure often fails for the same reasons it succeeds: it is rushed, reused, and poorly secured. In the case of\r\nStealC, the thin line between attacker and victim turned out to be highly exploitable.\r\nStealC is infostealer malware that has been circulating since early 2023, sold under a Malware-as-a-Service (MaaS)\r\nmodel and marketed to threat actors seeking to steal cookies, passwords, and other sensitive data from infected computers.\r\nLike many MaaS offerings, it comes with a polished web panel, campaign tracking, and just enough operational security to\r\nappear professional.\r\nIn the spring of 2025, the group developing the StealC malware had a rather eventful few months. The group released a\r\nnew major version of their malware, moving from StealC_v1 to StealC_v2. Almost immediately after the release, their web\r\npanel leaked. Following that, TRAC Labs published a blunt technical teardown questioning the quality and maturity of the\r\nmalware, titled Autopsy of a Failed Stealer: StealC v2.\r\nWhat didn’t make headlines at the time was arguably far more damaging. While analyzing the leaked panel code, we\r\nidentified a vulnerability that allowed us to observe and interact with StealC operators themselves. 
By exploiting it, we\r\nwere able to collect system fingerprints, monitor active sessions, and—in a twist that will surprise no one—steal cookies\r\nfrom the very infrastructure designed to steal them.\r\nIn this blog post, we’ll cover a specific threat actor and demonstrate how much can be learned by exploiting vulnerabilities\r\nin the threat actor’s infrastructure.\r\nhttps://www.cyberark.com/resources/threat-research-blog/uno-reverse-card-stealing-cookies-from-cookie-stealers\r\nPage 1 of 6\n\nThis research is based on analysis of publicly available information and leaked artifacts widely accessible within the\r\nsecurity community. It was conducted for defensive and educational purposes. CyberArk Labs shares this work to support\r\nresponsible security research and improve the community’s understanding of real-world threats.\r\nExploiting a simple XSS vulnerability in the StealC MaaS panel\r\nThe StealC web panel gave researchers a rare glimpse into the backend of the malware operations. It didn’t take much\r\neffort for us to find a simple XSS vulnerability in that panel. We won’t share specific details of the vulnerability itself, to\r\navoid helping the StealC developers patch the issue or enabling any would-be StealC copycats to use the leaked panel\r\nto try to start their own MaaS.\r\nBy exploiting the vulnerability, we were able to identify characteristics of the threat actor’s computers, including general\r\nlocation indicators and computer hardware details. Additionally, we were able to retrieve active session cookies, which\r\nallowed us to gain control of sessions from our own machines.\r\nGiven that the core business of the StealC group involves cookie theft, you might expect the StealC developers to be cookie\r\nexperts and to implement basic cookie security features, such as the HttpOnly flag, to prevent researchers from stealing cookies via\r\nXSS. 
The irony is that an operation built around large-scale cookie theft failed to protect its own session cookies\r\nfrom a textbook attack.\r\nIn the next couple of sections, we’ll focus on a single StealC operator we’ll refer to as YouTubeTA, an abbreviation for\r\nYouTube Threat Actor. We’ll start with their malware campaigns and then detail what the XSS exploit revealed about their\r\nidentity.\r\nStealC malware campaigns abusing YouTube accounts\r\nFor several months in 2025, samples of StealC were circulating with conspicuous build IDs, identifiers created by the\r\nStealC operators to help them distinguish between campaigns. The build ID names included YouTube, YouTube2, and\r\nYouTubeNew (see Figure 1). Since the observed build IDs primarily relate to YouTube, we refer to this threat actor as\r\nYouTubeTA.\r\nYouTubeTA had over 5,000 logs stolen by StealC on their C2 server. The logs, based on the panel data, contained over\r\n390,000 stolen passwords and more than 30 million stolen cookies (although most of these were tracking cookies and other\r\nnon-sensitive cookies).\r\nFigure 1. StealC build page with example build called “YouTubeNew.”\r\nThe names of the different builds made us suspect that YouTubeTA was somehow spreading the malware through YouTube.\r\nConveniently for us, the StealC malware takes screenshots when it runs and sends the screenshot to its C2 server. By\r\nexploiting the XSS vulnerability we mentioned earlier, we were able to observe activity associated with the C2 server and\r\nwhat the victims were doing when StealC ran. In many cases, the victims were on YouTube looking for cracked versions of\r\nAdobe Photoshop and Adobe After Effects (see Figure 2).\r\nFigure 2. 
Cropped image from the C2 server showing the victim searching for cracked Adobe products on YouTube.\r\nCuriously, most of the YouTube channels being abused to distribute StealC had several legitimate-looking videos posted a\r\nrelatively long time ago, making the channels appear more reputable. The channels often had thousands of subscribers.\r\nHowever, there were long periods of inactivity between the legitimate videos and those promoting cracked software.\r\nYouTubeTA was likely using StealC to take over old YouTube accounts, which they then used to promote new\r\nsamples of StealC.\r\nFigure 3. Markers page from YouTubeTA’s StealC web panel.\r\nThe StealC web panel has a feature known as “markers,” which allows users to highlight stolen credentials from specific\r\ndomains, based on various categories they define. This feature probably helps sift through stolen credentials to identify\r\ninteresting victims. We can see in Figure 3 that studio.youtube.com is given its own category. This subdomain of YouTube\r\nis specifically meant for content creators, providing tools to manage their YouTube channels. The fact that YouTubeTA was\r\nhighlighting credentials stolen specifically from YouTube content creators adds credence to the idea that they may be\r\nlooking to hijack old YouTube accounts to promote their malware. Notably, some of the screenshots we’ve seen show\r\nattempts at using the clickfix technique (Figure 4), a social engineering technique that gained popularity in 2025, so the threat\r\nactor isn’t limited to infections through YouTube.\r\nFigure 4. 
Likely clickfix page used to install StealC.\r\nAttributing a StealC operator via panel fingerprinting\r\nSome readers may have noticed by now that we have been referring to YouTubeTA as though they’re a single person rather\r\nthan a group of threat actors. We’ve been able to gather a fair number of indicators suggesting that YouTubeTA is a single\r\nthreat actor operating the web panel, and we’ve even been able to get a rough idea of their likely region.\r\nThe data we gathered can be categorized into five main types: panel users, hardware fingerprinting, supported\r\nlanguages, time zones, and IP addresses.\r\nPanel users: The most basic clue that YouTubeTA is a single person comes from the StealC panel itself. The StealC panel\r\nfeatures a function that enables operators to create multiple users and distinguish between admin users and regular users\r\nwithin the panel. In the case of YouTubeTA, however, we only see a single user: Admin. Interestingly, we haven’t seen any\r\ncases where multiple users were created, suggesting that the feature may see limited use.\r\nHardware fingerprinting: Another piece of evidence indicating a single user was identified through hardware\r\ncharacteristics. The screen width and height were constant across all cases when our XSS payload was triggered. Similarly,\r\nwe used JavaScript to determine which WebGL renderer was in use. For YouTubeTA, the renderer type\r\ntold us that they use an Apple Pro device with an M3 processor. Again, this was consistent across all triggers of the\r\npayload, suggesting that YouTubeTA is a single threat actor.\r\nSupported languages: In addition to helping us identify that the threat actor was a single person, our fingerprinting also\r\nallowed for some geolocating of YouTubeTA. 
Starting with supported languages, we know the threat actor’s machine\r\nsupports both English and Russian. This alone wasn’t especially informative. Most machines support English, and since\r\nmost MaaS offerings are advertised on Russian-speaking forums, it’s not a big surprise that YouTubeTA speaks Russian too.\r\n(Notably, the languages were a lot more informative with other StealC operators we managed to analyze. We’ve found\r\nsupported languages ranging from Italian to Hindi.)\r\nFigure 5. European time zones, Eastern European Summer Time in beige (Source:\r\nhttps://en.wikipedia.org/wiki/Eastern_European_Summer_Time#/media/File:Time_zones_of_the_Greater_Europe.svg).\r\nTime zones: Yet another geolocation feature we can use is the time zone. The time zone on YouTubeTA’s machine was\r\nGMT+0300 (Eastern European Summer Time). This helps narrow down the country where YouTubeTA is likely from.\r\nEastern European Summer Time helps exclude many countries where Russian is commonly spoken, such as Russia itself,\r\nas well as Central Asian countries like Kazakhstan. Naturally, the time zone also helps exclude countries where Russian\r\nisn’t widely spoken.\r\nIP address: Of course, the most obvious feature to use for geolocating YouTubeTA was the IP address used to access the\r\nweb panel. As one might expect, being such an obvious target for researchers, most StealC operators use VPNs when\r\naccessing their web panels. YouTubeTA also used a VPN most of the time, but fortunately, it seems they fumbled a couple\r\nof times.\r\nIn mid-July 2025, our XSS payload triggered on their panel, sending us the same fingerprinting information as in previous\r\nrounds. However, this time, the IP address wasn’t detected as a VPN by the tool we were using. 
VPN detection tools aren’t\r\n100 percent accurate, so we tried several to confirm that the address is valid. The address was associated with a Ukrainian\r\nISP called TRK Cable TV, which is consistent with our previous findings that YouTubeTA likely comes from an Eastern\r\nEuropean country where Russian is commonly spoken.\r\nOperational lessons: MaaS fragility, OPSEC failures, and identity abuse\r\nAs we’ve seen, YouTubeTA, despite being a single operator, was dangerously successful. They’ve stolen hundreds of\r\nthousands of credentials from thousands of victims around the world in just a few short months. This is a clear\r\ndemonstration of why many threat actors employ the MaaS model. By delegating much of the work to other groups, they\r\ncan specialize and have a more significant impact, much like in traditional industries. The success of YouTubeTA highlights\r\nthe importance of identity security, as it’s terribly simple to do a tremendous amount of damage.\r\nAt the same time, there is a cost to cybercriminals using MaaS models. By relying on others to develop their infrastructure,\r\nthreat actors become vulnerable to the same kind of supply chain risks regular industries struggle with. The StealC\r\ndevelopers exhibited weaknesses in both their cookie security and panel code quality, allowing us to gather a great deal of\r\ndata about their customers. 
If this holds for other threat actors selling malware, researchers and law enforcement alike can\r\nleverage similar flaws to gain insights into, and perhaps even reveal the identities of, many malware operators.\r\nFurther information on cookie security:\r\nEndpoint Credential Theft: How to Block and Tackle at Scale\r\nCrumbled Security: Unmasking the Cookie-Stealing Malware Threat\r\nHow to Prevent Cookie Hijacking, A CyberArk Labs Webinar\r\nOn-Demand: No More Cookies for You: Attacking and Defending Credentials in Chromium-Based Browsers\r\nAri Novick is a malware researcher at CyberArk Labs.\r\nSource: https://www.cyberark.com/resources/threat-research-blog/uno-reverse-card-stealing-cookies-from-cookie-stealers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyberark.com/resources/threat-research-blog/uno-reverse-card-stealing-cookies-from-cookie-stealers"
	],
	"report_names": [
		"uno-reverse-card-stealing-cookies-from-cookie-stealers"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434486,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5dbfe2946a6b225e8068589bc83d047bee2b4f9e.pdf",
		"text": "https://archive.orkl.eu/5dbfe2946a6b225e8068589bc83d047bee2b4f9e.txt",
		"img": "https://archive.orkl.eu/5dbfe2946a6b225e8068589bc83d047bee2b4f9e.jpg"
	}
}