Introduced in early 2023, Stealc is an emerging MaaS (Malware as a Service) infostealer based on the Vidar, Raccoon, Mars and Redline stealers. Stealc focuses on stealing sensitive data from web browser files, crypto wallets (both browser- and desktop-based), as well as account data from apps including Outlook and Telegram, in addition to employee file grabbing capabilities. Similar to most MaaS, the tool is customizable, allowing attackers to pick and choose the data they wish to pull from their victims’ machines.
Full Name: StealC
First Appearance: Feb 2023
Related Actor: Plymouth. He is known to be a highly responsive actor, very helpful and responsive to requests.

MaaS Subscription
StealC offers a monthly based subscription where the build is sold with a hard-coded expiration date. They also provide all assitance needed in installing and configuring the malware.
- $300- 1 Month
- $700- 3 Months
- $1000- 6 Months
StealC- Stealer Evolution
StealC was first published in February 2023 by an actor named Plymouth.
StealC 1.0
Published in February 2023, the original version of this infostealer, StealC 1.0, was written in Pure C using Windows API, and weighed approximately 80kb. The stealer promised collection flexibility, easily controlled from the control server. Users can add any browsers or applications they wish without the need for a build update.
This malware got regularly updated and was highly praised by the community, as Plymouth was one of the most helpful and responsive authors.
StealC 2.0
In March 2025, Plymouth announced the release of StealC V2, a 6 month long development which completly revamped the older version. This update mainly focused on higher encryption and improved collection and calculations.
The update also came with an aesthetic upgrade, improving C2 panel UI, removing unused filters, and a more intuitive Telegram Bot.
After the release of V2, Plymouth sold 5 copied of the original source code of V1, at 3000$ a copy.

XSS post offering the code for sale
StealC – Technical Capabilities
Programming Language: C++
Build Weight: appox. 80kb
StealC utilizes a JSON-based network protocol with RC4 encryption implemented in recent variants
Data Types Stolen
Operating Systems Targeted: Windows 7 x32 to Windows 11 x64.
CPU Targeted: x64
70+ Extensions:
MetaMask, TronLink, Opera Wallet, Binance, Yoroi, Coinbase, Guarda, Jaxx, iWallet, MEW CX, GuildWallet, Ronin Wallet, NeoLine, CLV, Liquality, Terra Station, Keplr, Sollet, Auro Wallet, Polymesh, ICONex, Coin98, EVER, KardiaChain, Rabby, Phantom, Brave, Oxygen, Pali, BOLT X, XDEFI, Nami, Maiar DeFi Wallet, Keeper, Solflare, Cyano, KHC, TezBox, Temple, Goby, Ronin, Byone, OneKey, DAppPlay, SteemKeychain, Braavos, Enkrypt, OKX, Sender, Hashpack, Eternl, Pontem Aptos, Petra Aptos, Martian Aptos, Finnie, Leap Terra, Trezor Password Manager, Authenticator, Authy, EOS Authenticator, GAuth Authenticator, Bitwarden, KeePassXC, Dashlane, NordPass, Keeper, RoboForm, LastPass, BrowserPass, MYKI, Splikity, CommonKey, Zoho Vault, Account Tokens
20+ Cold wallets:
Bitcoin Core, Dogecoin, Raven, Daedalus, Blockstream Green, Wasabi, Ethereum, Electrum, Electrum-LTC, Exodus, Electron Cash, MultiDoge, Jaxx Desktop, Atomic, Binance, Coinomi, SafePal, Xverse, UniSat, Monero, Guarda, Komodo, Rise Aptos, Rainbow, Nightly, Ecto, Chia, Trust
23+ Browsers:
Chromium, Google Chrome, Chrome Canary, Amigo, Torch, Vivaldi, Comodo, EpicPrivacyBrowser, CocCoc, Brave, Cent, 7Star, Chedot, Microsoft Edge, 360, QQBrowser, CryptoTab, Opera, Opera GX, Opera Crypto, Mozilla Firefox, Pale Moon, Edge Canary, Edge Dev, Edge Beta
Applications:
- KeePass 2) 1Password 3) Bitwarden 4) NordPass 5) Telegram 6) FileZilla 7) TotalCommander 8) AnyClient 9) 3D-FTP 10) SmartFTP 11) FTPGetter 12) FTPbox 13) FTPInfo 14) FTPRush 15) FTP Commander Deluxe 16) FTP Manager Lite 17) Auto FTP Manager 18) OpenVPN 19) NordVPN 20) ProtonVPN 21) AnyDesk 22) Azure 23) Notes 24) Notezilla 25) TheBat 26) Pegasus 27) Mailbird 28) EmClient 29) Discord
Other:
Telegram, Discord, Tox, Pidgin, Steam, Microsoft Outlook, Thunderbird, screenshots
File grabber:
Easily configurable that supports various selections and depths.
Command & Control Server
The C2 center is downloaded by an installer script.
Logs are sent to the C2 center in chunks, to allow information to flow constantly and avoid data loss in case of antivirus detection. This entire process is encrypted for safer transfer.
The C2 panel allows the user to choose which files, browsers, and applications he wants the build to steal data from, along with other customization options.
Once parsed, the logs can be searched by IP, country, passwords, cookies, wallets, extensions, system information, log ID or the presence of crypto files. StealC also offers the option to send guest links in order to display statistics about your builds and have customers request specific files.
StealC – TTPs
Attack Vector
Delivery
StealC will usually use malicious advertising or malicious emails.
Installation
The file is downloaded through the delivery method by either a self extracting archive or a custom loader. It then employs several anti-VM, debugging, and sandbox techniques to evade analysis.
However, contrary to many popular stealers, it does not establish persistence, and is designed for “grab and go”. This is in order to reduce risk of detection.
The stealer enters a loop that attempts to open a named event in the computer’s environment. If this event exists, indicating another instance may be running, it doesn’t immediately terminate but instead waits approximately 4 seconds before checking again. Once it determines no such event exists, it attempts to create this named event itself, establishing its presence on the machine. And if this event creation fails, the stealer terminates itself.
For self-deletion, the stealer obtains its own executable path which allows it to creates a 5-second delay before attempting to forcibly and quietly delete the stealer’s executable, allowing the process to fully run before the deletion command executes.
Information Gathering
The build initially sends the HWID and a “create” command.
It later identifies the drive letter (usually C:) and then goes through a long, multi step process to create hashes which will be used throughout the data gathering process.
The build then validated the list of commands sent by the C2 panel and aborts if there are any missteps – lack of validation, blocked command, etc.
After validation, it runs all the commands and stores the information in a designated location, in a JSON format. The file is then sent back to the C2 server.
MITRE ATT&CK
Malware ID: No official MITRE ID
Since this malware has no official MITRE page as of June 2025, these are the techniques and tactics found on the OW and are updated to StealC V1.
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Execution | T1106 | Native API |
| Execution | T1059 | Command and Scripting Interpreter |
| Defense Evasion | T1622 | Debugger Evasion |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Credential Access | T1539 | Steal Web Session Cookie |
| Discovery | T1217 | Browser Information Discovery |
| Discovery | T1622 | Debugger Evasion |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1012 | Query Registry |
| Discovery | T1518 | Software Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1497 | Virtualization/Sanbox Evasion |
| Collection | T1119 | Automated Collection |
| Collection | T1005 | Data from Local System |
| Collection | T1113 | Screen Capture |
| Command & Control | T1132 | Data Encoding |
| Command & Control | T1105 | Ingress Tool Transfer |
| Exfiltration | T1020 | Automated Exfiltration |
| Exfiltration | T1041 | Exfiltration over C2 Channel |
StealC – Log Structure
Introduced in early 2023, Stealc is an emerging MaaS (Malware as a Service) infostealer based on the Vidar, Raccoon, Mars and Redline stealers. Stealc focuses on stealing sensitive data from web browser files, crypto wallets (both browser- and desktop-based), as well as account data from apps including Outlook and Telegram, in addition to employee file grabbing capabilities. Similar to most MaaS, the tool is customizable, allowing attackers to pick and choose the data they wish to pull from their victims’ machines.

Main compressed folder
The stealer log comes in a compressed folder
Device Folder
Each device has a dedicated folder following a specific naming format:(* used to divide and do not appear in the name
Country CodeIP*Local Time
Relevant files and folders
Each device folder contains several subfolders and txt files. It is important to note that not all the files contain all of the same subfiles.
The main relevant folders are highlighted in yellow
Relevant information
Each of the files contains the following relevant information that should be collected:
System_info.txt
This was claimed to be the name of the system file by the actor himself:

The actor mentioning the name of the system file
Passwords.txt
Cookies (Folder)