OnyxC2 Stealer – New threat turns browsers into data warehouses for cybercriminals

Campaign summary
The arrival of OnyxC2 marks a notable step forward in the Malware-as-a-Service (MaaS) market. More than just a traditional infostealer, OnyxC2 is built as a complete platform for cybercriminals with the ability to steal data from over 210 applications, including browsers, cryptocurrency wallets, password managers and multi-factor authentication (MFA) utilities. Notably, this service is offered for only about 250 USD/month, making attack capabilities previously only available to professional APT or ransomware groups more accessible to those with low technical skills.
Background: Malware-as-a-Service boom
In the last few years, the MaaS model has completely changed the cybercrime ecosystem. Instead of developing malicious code themselves, attackers can now rent or buy tools complete with administrative interfaces, technical support and periodic updates.
OnyxC2 is a typical example of this trend. According to the researchers, the platform offers:
- A control panel
- A builder for creating custom payloads
- Remote access functionality
- A campaign management system
- Customer support and an update mechanism
This business model significantly lowers the barrier to entry for cybercriminals, similar to how Ransomware-as-a-Service has fueled the explosion of ransomware groups in recent years.
Potential for large-scale data theft
The most worrying aspect of OnyxC2 is its extremely wide data collection scope. Research shows that this malware is capable of targeting more than 210 different applications and extensions, including:
- Google Chrome
- Microsoft Edge
- Mozilla Firefox
- Brave Browser
- Opera
- Password managers
- Cryptocurrency wallets
- MFA utilities
- Browser cookies
- Session tokens
- Saved login credentials
The ability to steal session tokens is especially dangerous because it allows attackers to gain access to accounts even if the victim has enabled MFA. In many cases, changing passwords after being compromised is not enough to disable active login sessions that have been stolen.
Techniques to avoid detection
One of the factors that makes OnyxC2 stand out from many other stealers is the level of investment in evasion techniques.
DLL Sideloading
BlackFog observed OnyxC2 using the DLL sideloading technique as follows:
- Use a legitimate, digitally signed executable.
- Download malicious DLLs disguised as NVIDIA libraries.
- Execute the malicious code through the legitimate application's DLL loading.
This helps the malware evade many traditional application control mechanisms, because the process that runs the code is a trusted, signed binary.
Encrypted payload
The entire payload is encrypted to:
- Avoid detection by AV/EDR.
- Hinder static analysis.
- Make it difficult to create detection signatures.
In-Memory Execution
Part of the malicious code is executed directly in memory instead of being written to disk, reducing the possibility of being detected by security solutions based on file scanning.
Abnormal DLL size
Researchers noted the malicious DLL sample was over 120 MB in size, a tactic used to make sandboxing and automated analysis difficult.
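The three evasion traits described above (a signed host executable, a DLL masquerading as an NVIDIA library, and an abnormally large DLL) can be turned into a simple hunt over an endpoint file inventory. The following is an added example written for this article, not BlackFog's or any vendor's code; it assumes a hypothetical inventory schema (path, size, signature status, signer) such as an EDR export would provide, and its sample records are constructed. The "nv" prefix rule and the 100 MB threshold are heuristics chosen here, not published indicators.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Size threshold for the "abnormal DLL size" heuristic; the report describes a
# malicious sample of over 120 MB, so anything above 100 MB is worth a look.
OVERSIZED_DLL_BYTES = 100 * 1024 * 1024
# Install roots where legitimately installed driver and application DLLs normally live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class FileRecord:
    """One entry from a hypothetical endpoint file inventory."""
    path: str
    size_bytes: int
    signed: bool        # Authenticode signature present and valid
    signer: str = ""    # subject of the signing certificate, if any


def is_trusted_location(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def looks_like_nvidia_dll(name: str) -> bool:
    # NVIDIA driver libraries conventionally carry an "nv" prefix. This is a
    # masquerading heuristic, not an authoritative list of NVIDIA file names.
    return name.startswith("nv") and name.endswith(".dll")


def sideload_findings(rec: FileRecord, signed_exes_in_dir: list) -> list:
    """Return the reasons (possibly none) a record looks like a sideloading artifact."""
    name = ntpath.basename(rec.path).lower()
    if not name.endswith(".dll"):
        return []
    reasons = []
    untrusted_dir = not is_trusted_location(rec.path)
    if looks_like_nvidia_dll(name) and untrusted_dir:
        reasons.append("NVIDIA-named DLL outside trusted install roots")
    if looks_like_nvidia_dll(name) and "nvidia" not in rec.signer.lower():
        reasons.append("NVIDIA-named DLL not signed by NVIDIA")
    if rec.size_bytes > OVERSIZED_DLL_BYTES:
        reasons.append(f"oversized DLL ({rec.size_bytes // (1024 * 1024)} MB)")
    if untrusted_dir and not rec.signed and signed_exes_in_dir:
        # The core sideloading pattern: an unsigned DLL sitting beside a signed, legitimate EXE.
        reasons.append("unsigned DLL beside signed executable " + ", ".join(signed_exes_in_dir))
    return reasons


def find_sideload_candidates(records: list) -> dict:
    """Map each suspicious DLL path to the list of reasons it was flagged."""
    signed_exes = defaultdict(list)
    for r in records:
        name = ntpath.basename(r.path).lower()
        if name.endswith(".exe") and r.signed:
            signed_exes[ntpath.dirname(r.path).lower()].append(name)
    findings = {}
    for r in records:
        reasons = sideload_findings(r, signed_exes[ntpath.dirname(r.path).lower()])
        if reasons:
            findings[r.path] = reasons
    return findings


# Constructed sample inventory (not real telemetry). The System32 entry uses a real NVIDIA
# driver file name as the benign control; the Temp entries are hypothetical.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Windows\System32\nvapi64.dll", 1_300_000, True, "NVIDIA Corporation"),
    FileRecord(r"C:\Program Files\ExampleApp\app.dll", 800_000, True, "Example Vendor Ltd"),
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\Setup\setup.exe", 2_100_000, True, "Example Vendor Ltd"),
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\Setup\nvcompute_helper.dll", 125 * 1024 * 1024, False),
]

if __name__ == "__main__":
    for path, reasons in find_sideload_candidates(SAMPLE_INVENTORY).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Only the unsigned, oversized, NVIDIA-named DLL in the user-writable Temp folder next to a signed installer is flagged; the genuine driver DLL in System32 and the signed application DLL under Program Files produce no findings. In practice the same four checks map onto EDR image-load events, where the loading process being a signed binary is exactly what makes the pattern worth alerting on.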
OnyxC2's Command & Control (C2) mechanism
C2's role in the attack chain
For modern infostealers, the Command & Control (C2) server not only plays the role of receiving stolen data but is also the center coordinating the entire attack campaign.
With OnyxC2, the C2 infrastructure is designed according to the MaaS (Malware-as-a-Service) model, allowing many "customers" to use the same management platform but still separate victim data.
Once the payload is successfully executed on the victim device, the malware will:
- Collect system identification information.
- Create an identifier (Bot ID) for the device.
- Establish a connection to the C2 server.
- Get task configuration.
- Transmit stolen data to the management system.
Typical C2 communication sequence
Unlike many older stealers that only send ZIP files containing stolen data, OnyxC2 operates almost like a RAT platform, allowing administrators to monitor device status in real time.
Communication technique via HTTPS
OnyxC2 uses the HTTPS protocol to:
- Disguise malicious traffic as normal web traffic.
- Bypass firewall control mechanisms.
- Avoid detection by IDS/IPS solutions that only inspect unencrypted traffic.
The data commonly sent includes:
- Browser credentials
- Session cookies
- MFA artifacts
- Crypto wallet information
- System inventory
Because of the use of TLS, it is difficult for traditional network devices to inspect packet contents.
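Because the channel is TLS, payload inspection is usually not an option, but the metadata a web proxy or firewall still logs (destination, timing, upload volume) is enough to spot a stealer checking in. The following is an added example for this article, not code from any of the cited researchers; it assumes a hypothetical proxy log format of `date time src_ip dst_ip:port method bytes_out`, uses the three C2 addresses from the IOC section of this report, and runs over a constructed log sample.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# C2 addresses taken from the IOC list in this report.
C2_IPS = {"104.18.20.213", "104.21.46.39", "172.67.223.39"}

# Hypothetical proxy log line: "<date> <time> <src_ip> <dst_ip>:<port> <method> <bytes_out>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<bytes_out>\d+)$"
)


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["port"] = int(ev["port"])
    ev["bytes_out"] = int(ev["bytes_out"])
    return ev


def parse_log(text: str) -> list:
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def ioc_hits(events: list) -> list:
    """Events whose destination is a known C2 address (the cheap, high-confidence check)."""
    return [ev for ev in events if ev["dst"] in C2_IPS]


def beacon_candidates(events: list, min_events: int = 4, max_cv: float = 0.2) -> dict:
    """(src, dst) pairs whose request timing is too regular for human browsing.

    cv is the coefficient of variation (stdev / mean) of the gaps between requests;
    a fixed-interval check-in gives a small cv, interactive browsing a large one.
    This catches check-ins to C2 hosts that are not yet on any IOC list.
    """
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev["ts"])
    result = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            result[pair] = {"events": len(stamps), "mean_interval_s": round(mean, 1), "cv": round(cv, 3)}
    return result


def upload_volume(events: list) -> dict:
    """Bytes sent per (src, dst) pair; a large POST to a beaconing destination is the exfiltration step."""
    totals = defaultdict(int)
    for ev in events:
        totals[(ev["src"], ev["dst"])] += ev["bytes_out"]
    return dict(totals)


# Constructed sample log (not real traffic). 10.0.0.5 checks in with a C2 address roughly
# every 60 s and pushes one large POST, while its browsing to a documentation-range address
# is irregular; 10.0.0.7 contacts a C2 address once.
SAMPLE_LOG = """\
2026-03-02 09:00:00 10.0.0.5 104.21.46.39:443 POST 512
2026-03-02 09:00:10 10.0.0.5 203.0.113.10:443 GET 120
2026-03-02 09:00:12 10.0.0.5 203.0.113.10:443 GET 98
2026-03-02 09:01:01 10.0.0.5 104.21.46.39:443 POST 640
2026-03-02 09:02:00 10.0.0.5 104.21.46.39:443 POST 2400000
2026-03-02 09:02:40 10.0.0.5 203.0.113.10:443 GET 140
2026-03-02 09:03:02 10.0.0.5 104.21.46.39:443 POST 530
2026-03-02 09:03:59 10.0.0.5 104.21.46.39:443 POST 515
2026-03-02 09:04:05 10.0.0.5 203.0.113.10:443 GET 110
2026-03-02 09:04:30 10.0.0.7 104.18.20.213:443 GET 300
2026-03-02 09:05:01 10.0.0.5 104.21.46.39:443 POST 520
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("IOC hits:", len(ioc_hits(events)))
    print("Beaconing pairs:", beacon_candidates(events))
    print("Upload volume:", upload_volume(events))
```

The IOC match fires on every request to the listed addresses, while the timing check only flags 10.0.0.5's six near-identical 60-second check-ins, not its irregular browsing. Before blocking any of the listed IPs outright, confirm who owns them: addresses in shared hosting or CDN ranges front many unrelated services, so a host-level block can break legitimate traffic, and the beaconing and upload-volume signals remain useful once the infrastructure rotates.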
Why is OnyxC2 more dangerous than traditional stealers?
Previous stealer families such as Lumma, RedLine or Raccoon mainly focused on credential harvesting, cookie theft and crypto wallet theft.
OnyxC2, by contrast, blurs the line between stealer and RAT (Remote Access Trojan). In addition to data theft, this platform also offers:
- Remote desktop functionality
- File management
- Ability to download additional payloads
- Remote control of the device
This turns a simple information theft campaign into a stepping stone for:
- Ransomware deployment
- Business Email Compromise (BEC)
- Cloud account takeover
- Lateral movement in the corporate environment
Strategic perspective: The problem is no longer about passwords
CybelAngel points out a notable fact: OnyxC2's success does not come from exploiting zero-day vulnerabilities but from taking advantage of long-standing "defaults" in the digital ecosystem.
Modern browsers save:
- Passwords
- Cookies
- Session tokens
- Autofill data
- Some MFA information
Even when organizations implement MFA, storing session tokens on users' machines still creates opportunities for infostealers like OnyxC2.
This reflects the general trend of the current cyberattack industry: instead of finding ways to break authentication mechanisms, attackers focus on stealing already authenticated login sessions.
Impact on businesses
If an endpoint is infected with OnyxC2, consequences may include:
Phase 1: Credential Theft
- Email accounts
- VPN
- SaaS
- Cloud platforms
Phase 2: Session Hijacking
- Bypass MFA
- Access internal systems
Phase 3: Post-Compromise Activities
- Deploy ransomware
- Data theft
- Extortion
- Lateral movement in the network
This is an attack pattern that has been observed in many large campaigns involving other infostealers such as Lumma in the period 2024–2025.
Recommendations
Do not save passwords in the browser
OnyxC2 is designed to collect data from popular browsers such as Chrome, Edge, Firefox and Brave.
Recommendation:
- Limit use of the browser's "Save Password" feature.
- Use a dedicated password manager like Bitwarden, 1Password or KeePass.
- Delete saved passwords that are no longer in use.
Enable MFA but do not rely entirely on it
OnyxC2 is capable of stealing authenticated cookies and session tokens.
This means:
- An attacker can hijack the login session without knowing the password or OTP code.
Recommendation:
- Prioritize using passkeys when the service supports them.
- Regularly log out of important accounts.
- Check active login sessions on Google, Microsoft, Facebook and other services.
Be careful with attachments and software of unknown origin
Many current stealer distribution campaigns take advantage of:
- Cracked software
- Game hacking tools
- Activators
- Documents attached to phishing emails
Simple rule:
- If a free software promises to unlock paid features, chances are you're paying with your own data.
Update operating system and software regularly
Security patches help reduce the risk of malware exploiting known vulnerabilities.
Make sure that:
- Windows Update is always enabled.
- The browser is updated to the latest version.
- Security software is working normally.
Monitor accounts for unusual signs
Some signs that an account may have had its session stolen:
- Logins from unfamiliar locations.
- Security warnings received from Google or Microsoft.
- Unrecognized login sessions appearing.
- Emails or messages sent without your doing so.
When you detect unusual signs:
- Change your password immediately.
- Sign out of all devices.
- Revoke active login sessions.
- Re-enable MFA if necessary.
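The "unrecognized login session" and "login from an unfamiliar location" signs above can be checked automatically from identity-provider sign-in logs: a stolen cookie is the same session identifier showing up from a machine other than the one that created it. The following is an added example for this article, not code from any vendor's product; it assumes a hypothetical sign-in event schema (timestamp, user, session ID, IP, country, user agent) and runs over constructed events.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuthEvent:
    """One sighting of a session token at the identity provider (hypothetical schema)."""
    ts: datetime
    user: str
    session_id: str
    ip: str
    country: str
    user_agent: str


def detect_session_reuse(events: list) -> list:
    """Flag sessions later presented from a different country or client than where they were created.

    An IP change on its own is deliberately not flagged (mobile and home networks rotate
    addresses), which keeps noise down but means a replay from the same country with a
    cloned user agent needs a second signal, such as device or TLS fingerprinting.
    """
    origin = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.session_id)
        first = origin.setdefault(key, ev)
        if first is ev:
            continue  # first sighting binds the session to its origin
        reasons = []
        if ev.country != first.country:
            reasons.append(f"country changed {first.country} -> {ev.country}")
        if ev.user_agent != first.user_agent:
            reasons.append("user agent changed")
        if reasons:
            findings.append({
                "user": ev.user,
                "session_id": ev.session_id,
                "origin_ip": first.ip,
                "seen_from": ev.ip,
                "minutes_after_origin": round((ev.ts - first.ts).total_seconds() / 60, 1),
                "reasons": reasons,
            })
    return findings


def sessions_to_revoke(findings: list) -> list:
    """Distinct (user, session_id) pairs that should be revoked, not just password-reset."""
    return sorted({(f["user"], f["session_id"]) for f in findings})


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample events (not real logs). alice's session rotates IP within the same
# country (benign), then reappears from another country on a different client (replayed
# token); bob's session stays consistent.
SAMPLE_EVENTS = [
    AuthEvent(_t("2026-03-02 08:15"), "alice", "s-9f1", "198.51.100.20", "DE", "Chrome/124 Windows"),
    AuthEvent(_t("2026-03-02 08:40"), "alice", "s-9f1", "198.51.100.21", "DE", "Chrome/124 Windows"),
    AuthEvent(_t("2026-03-02 09:05"), "alice", "s-9f1", "203.0.113.77", "NL", "Chrome/122 Linux"),
    AuthEvent(_t("2026-03-02 08:20"), "bob", "s-3c2", "198.51.100.40", "FR", "Firefox/125 Windows"),
    AuthEvent(_t("2026-03-02 10:30"), "bob", "s-3c2", "198.51.100.40", "FR", "Firefox/125 Windows"),
]

if __name__ == "__main__":
    found = detect_session_reuse(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("revoke:", sessions_to_revoke(found))
```

The response that follows a hit is the one this section already prescribes: revoke the session server-side rather than only changing the password, because the replayed token stays valid until the provider invalidates it.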
For business users
Employees should:
- Not use work accounts on unmanaged personal devices.
- Not install software that has not been approved by the IT department.
- Report immediately when they detect suspicious emails or devices showing signs of being infected with malicious code.
Conclusion
OnyxC2 shows that the cybercrime market is shifting from single tools to complete MaaS platforms with low costs but increasingly sophisticated attack capabilities. Targeting more than 210 applications, combined with advanced evasion techniques such as DLL sideloading, encrypted payloads, and in-memory execution, makes OnyxC2 one of the most notable infostealers to appear in 2026. More importantly, this threat reflects a larger trend: attackers are no longer focused on breaking authentication mechanisms but are shifting to stealing already-authenticated login sessions and the data available on the endpoint, making traditional protections based on passwords and MFA alone increasingly less effective.
MITRE ATT&CK Mapping: OnyxC2 Stealer
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Phishing | T1566 | Potentially distributed through phishing emails or malware delivery campaigns |
| Execution | User Execution | T1204 | Requires the victim to execute a malicious file |
| Execution | Command and Scripting Interpreter | T1059 | Executes commands and scripts to support malware operations |
| Defense Evasion | Obfuscated/Encrypted File | T1027 | Uses encrypted payloads to evade AV/EDR detection |
| Defense Evasion | DLL Side-Loading | T1574.002 | Abuses legitimate executables to load malicious DLLs |
| Defense Evasion | Masquerading | T1036 | Disguises malicious DLLs as NVIDIA components or legitimate software |
| Defense Evasion | Reflective Code Loading | T1620 | Executes malicious code directly in memory |
| Credential Access | Credentials from Password Stores | T1555 | Steals credentials from browsers and password managers |
| Credential Access | Credentials from Web Browsers | T1555.003 | Extracts saved passwords from Chrome, Edge, Firefox, Brave, and other browsers |
| Credential Access | Multi-Factor Authentication Interception | T1111 | Collects MFA-related data and authentication tokens |
| Credential Access | Steal Web Session Cookie | T1539 | Steals authenticated web session cookies |
| Collection | Data from Local System | T1005 | Collects data stored on the victim's device |
| Collection | Archive Collected Data | T1560 | Aggregates and archives stolen data before exfiltration |
| Discovery | System Information Discovery | T1082 | Gathers information about the compromised system |
| Discovery | Process Discovery | T1057 | Enumerates running processes on the host |
| Discovery | Software Discovery | T1518 | Identifies installed software and targeted applications |
| Command and Control | Application Layer Protocol | T1071 | Communicates with C2 servers over HTTP/HTTPS |
| Command and Control | Encrypted Channel | T1573 | Uses encrypted channels for C2 communications |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Exfiltrates stolen data to command-and-control servers |
IOC
C2 IPs
- 104.18.20.213
- 104.21.46.39
- 172.67.223.39
SHA-256
- 41999a3d0da035ff8068905c90235ea50121329cb0661e38d745974ebf5e3ae2
- 78945c844fc23dd3446cf17987edeeb6cc21986820c92df82a126af24a5a38d1
- d89bb4b23a67814ef511e4e9dda7ad36fa519a322fa7c25ea451c7dd7ef61e54
- f6e4b09ef788adef3f65fd2b99da8f5be5391be29471676dc07040a56c8fdfab
References
- SC Media: OnyxC2 stealer sold as a service targets over 210 applications
- BlackFog: Inside OnyxC2: The New Stealer Targeting 210 Apps
- SecurityWeek: OnyxC2 Stealer Offers Cybercriminals Enterprise-Grade Theft for $250 a Month