I StealC You: Tracking the Rapid Changes To StealC
Summary:
StealC V2 is the latest version of the information stealer and malware downloader first seen in January 2023; the V2 upgrades were released in March 2025. This version features a revamped control panel with an embedded builder, additional payload delivery methods (MSI packages and PowerShell scripts alongside EXEs), and an upgraded JSON-based command-and-control protocol that is now RC4-encrypted. It also adds multi-monitor screenshot capture, a unified file grabber covering various applications, and server-side brute-force credential theft. Operators can define payload rules based on geolocation, hardware ID (HWID), and installed software, while Telegram bot integration and automated blocking by IP or HWID add further flexibility and control.
Technically, StealC V2 is packed with Themida to hinder reverse engineering and uses multi-stage string obfuscation. Its execution flow includes validation checks that stop it from running in CIS-based environments, and it loads the specific Windows API libraries its functions require. The three payload types (EXE, MSI, and PowerShell scripts) are executed by distinct methods, with retry logic for MSI and EXE payloads but not for PowerShell. Communication with the C2 server is now more dynamic: each message carries unique random values so that the encrypted traffic does not match static byte signatures. Server responses define behavior such as data exfiltration, plugin activation, and self-deletion.
The control panel's builder facilitates creating customized malware builds by merging rules and markers into template binaries, while update mechanisms allow operators to install newer versions by submitting installation details to the StealC support team. Updates are packaged in ZIP files containing binaries and configuration files, with version control and patching handled via JSON files. Comparative analysis of builder templates shows a progressive adoption of encryption, obfuscation, and additional payload support across versions 2.0.0 to 2.2.4.
Security Officer Comments:
StealC V2 is actively distributed through other malware families such as Amadey and remains under active development, with recently added features such as a server-side self-deletion command and improved download mechanisms. Its infrastructure also uses anti-analysis techniques such as fake 404 error pages to hinder detection, although some of these were patched after researchers discovered them.
Suggested Corrections:
IOCs:
https://www.zscaler.com/blogs/secur...hanges-stealc#indicators-of-compromise--iocs-
To mitigate threats from StealC V2, organizations should implement a layered security strategy covering both detection and prevention. Endpoint protection platforms should be updated with the latest StealC V2 indicators of compromise, including file hashes and known C2 infrastructure. Network monitoring should flag anomalous HTTP traffic on port 80, in particular POST requests whose bodies are opaque rather than readable JSON (the JSON protocol is RC4-encrypted on the wire) or that otherwise match StealC's C2 pattern. Enforce application allowlisting, and restrict PowerShell where it is not needed (for example through AppLocker or WDAC); at minimum, enforce Constrained Language Mode and enable script block and module logging so that misuse is recorded. Email filtering should be hardened to block phishing attempts and malicious attachments, especially MSI and script-based files. Organizations
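The following is an added example, written for this page and not taken from the Zscaler report or from StealC itself. It models the C2 design described in the summary (JSON messages with a per-message random value, RC4-encrypted) and the network-side check recommended above (flagging opaque POST bodies on plain HTTP). The field names, the key, the entropy threshold, and the sample requests are all assumptions constructed for the example. It also shows a caveat the summary does not state: RC4 with a fixed key produces the same keystream for every message, so any fixed plaintext bytes that precede the random value still encrypt to identical ciphertext, and only what follows the random value is hidden from a static byte signature.

```python
"""Added example: model of an RC4-encrypted JSON C2 message with a per-message
random value, plus a detector for opaque POST bodies over plain HTTP.
Illustrative code only; field names and key are hypothetical, not StealC's."""
import json
import math
import secrets
from collections import Counter
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_message(command: str, hwid: str, key: bytes, nonce: Optional[str] = None) -> bytes:
    """Encrypt a JSON message. Field names are hypothetical. The random 'nonce' is
    placed first so the ciphertext diverges as early as possible between messages."""
    msg = {"nonce": nonce or secrets.token_hex(8), "cmd": command, "hwid": hwid}
    return rc4(key, json.dumps(msg, separators=(",", ":")).encode())


def decrypt_message(blob: bytes, key: bytes) -> dict:
    return json.loads(rc4(key, blob))


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Leading bytes two ciphertexts share. With a fixed RC4 key the keystream is
    identical per message, so identical plaintext prefixes encrypt identically."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_text_json(body: bytes) -> bool:
    try:
        json.loads(body.decode("utf-8"))
        return True
    except (UnicodeDecodeError, ValueError):
        return False


def flag_request(req: dict, entropy_threshold: float = 5.0) -> list:
    """Return the reasons a request looks suspicious (empty list = nothing flagged).
    The threshold is an assumption for this example; tune it on real traffic."""
    reasons = []
    if req["method"] != "POST" or req["dst_port"] != 80:
        return reasons                          # only plain-HTTP POSTs are in scope here
    body = req["body"]
    if not is_text_json(body):
        reasons.append("POST body over plain HTTP is not readable JSON/text")
    if shannon_entropy(body) > entropy_threshold:
        reasons.append("high-entropy body (possible encrypted payload)")
    return reasons


# Constructed sample traffic (not real captures). Key is hypothetical.
KEY = b"example-rc4-key"
SAMPLE_REQUESTS = [
    {"method": "POST", "dst_port": 80,
     "body": b'{"user":"alice","action":"login","ts":1712345678}'},   # benign API call
    {"method": "POST", "dst_port": 80,
     "body": build_message("get_config", "HWID-0001", KEY)},           # model C2 check-in
    {"method": "GET", "dst_port": 80, "body": b""},                     # ignored: not a POST
]


def scan(requests: list) -> list:
    return [flag_request(r) for r in requests]


if __name__ == "__main__":
    a = build_message("get_config", "HWID-0001", KEY, nonce="00" * 8)
    b = build_message("get_config", "HWID-0001", KEY, nonce="ff" * 8)
    # Only the fixed '{"nonce":"' prefix (10 bytes) is shared; everything after differs.
    print("shared ciphertext prefix:", common_prefix_len(a, b), "bytes")
    for req, reasons in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(req["method"], req["dst_port"], reasons)
```

Two messages with the same command but different nonces share only the ten bytes of the fixed `{"nonce":"` prefix, which is why the position of the random value matters as much as its presence. The detector deliberately does not try to recognise StealC's JSON schema, since the JSON is never visible on the wire; it keys on what is visible, a binary, high-entropy body sent where readable JSON or form data would be expected.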
Link(s):
https://www.zscaler.com/blogs/security-research/i-stealc-you-tracking-rapid-changes-stealc