XSS Vulnerability in StealC Stealer Panel Exposes Cybercriminal Operators

CyberSecureFox 🦊

CyberArk researchers have uncovered a critical XSS vulnerability in the web-based admin panel of the well-known info‑stealer StealC, and successfully turned it against the malware’s own operators. By exploiting insecure code in the management interface, the team collected technical details about attackers’ devices, their approximate geolocation, and even hijacked active sessions via stolen cookies.

StealC stealer: Malware-as-a-Service at scale

StealC appeared in early 2023 and rapidly became a visible player in the Malware-as-a-Service (MaaS) ecosystem. Info‑stealers of this class are designed to exfiltrate passwords, browser cookies, autofill data, crypto‑wallets and other sensitive information from infected systems; the stolen data is then resold or used in further attacks.

StealC gained popularity among cybercriminals due to its combination of evasion techniques and extensive functionality. The author has consistently extended the feature set, culminating in StealC V2 in 2024, which added Telegram bot support and a revamped builder. The builder enables operators to generate customized payloads based on templates and rules, specifying target data types and attack scenarios to maximize monetization.

XSS vulnerability in the StealC web panel

The turning point came when the source code of StealC’s administrative panel leaked online. This gave security researchers a rare opportunity to scrutinize the malware’s backend infrastructure. During this analysis, CyberArk identified a cross‑site scripting (XSS) vulnerability in the panel.

How XSS in StealC’s panel was weaponized

XSS occurs when an application fails to properly sanitize user input, allowing an attacker to inject arbitrary JavaScript into a web page. When a victim opens that page, the script runs in their browser with their session context. In StealC’s case, the vulnerable interface allowed researchers to embed scripts that executed directly in the browsers of StealC operators every time they accessed the admin panel.

According to CyberArk, the exploit enabled detailed browser and device fingerprinting, monitoring of active sessions, and theft of session cookies. With these cookies, researchers could hijack authenticated admin sessions without knowing the underlying credentials. Specific exploit details were intentionally withheld to prevent rapid patching and limit copycat abuse.
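The two defects the preceding paragraphs describe, unescaped rendering of untrusted data and a session cookie that page scripts can read, are illustrated below in a small Python example. It is added here and is not code from StealC or from CyberArk's research; it assumes, as a hypothetical, a panel that lists fields reported by infected hosts in an HTML table, and the record values are constructed samples.

```python
import html

# Constructed sample: one "log" record as a stealer panel might receive it from an
# infected host. From the panel's point of view every field is untrusted input.
SAMPLE_RECORD = {
    "hostname": "WIN-PC01",
    "username": "alice",
    "os": "Windows 10 <script>probe()</script>",  # hostile value in a reported field
}

FIELDS = ("hostname", "username", "os")


def render_row_unsafe(record):
    """Interpolates reported fields straight into HTML: the defect class described above."""
    cells = "".join(f"<td>{record.get(f, '')}</td>" for f in FIELDS)
    return f"<tr>{cells}</tr>"


def render_row_safe(record):
    """Escapes every reported field before it reaches the HTML context."""
    cells = "".join(
        f"<td>{html.escape(str(record.get(f, '')), quote=True)}</td>" for f in FIELDS
    )
    return f"<tr>{cells}</tr>"


def contains_active_markup(rendered):
    """Check used here only to show the difference: does a raw '<script' tag survive?"""
    return "<script" in rendered.lower()


def session_cookie_header(name, value):
    """Set-Cookie attributes for a session token. HttpOnly is the attribute that keeps
    the token out of document.cookie, so a script injected via XSS cannot read it."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


def cookie_readable_by_script(set_cookie_header):
    """Returns True if a cookie set with this header would be exposed to page scripts."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "httponly" not in attrs


if __name__ == "__main__":
    print(render_row_unsafe(SAMPLE_RECORD))
    print(render_row_safe(SAMPLE_RECORD))
    print(session_cookie_header("sid", "constructed-token"))
```

Output escaping prevents the injection; the HttpOnly flag limits what an injection that does slip through can steal, which is why both belong in a panel that renders data from untrusted machines.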

Deanonymizing StealC operators via technical telemetry

By leveraging the XSS flaw, CyberArk collected a substantial data set on several StealC operators: device models and architectures, language settings, time zones, and coarse geolocation information. Access to session cookies further allowed takeovers of live admin sessions within the StealC panel, providing deep visibility into attackers’ workflows.

One notable case involved an operator using the alias YouTubeTA. Analysis showed activity from an Apple M3-based system configured with both English and Russian interfaces and operating in an Eastern European time zone. Some connections traversed Ukrainian network infrastructure, and at least one login to the StealC panel occurred without VPN protection, exposing a real IP address tied to Ukrainian ISP TRK Cable TV.

YouTubeTA: compromising YouTube channels with pirated software lures

Data captured from the compromised sessions revealed that YouTubeTA focused on hijacking legitimate YouTube channels. The operator most likely used previously stolen credentials to access dormant but reputable channels with existing audiences.

After seizing control, the attacker uploaded videos containing links to malicious loaders disguised as popular pirated software. Screenshots from the YouTubeTA control panel indicate that the highest infection volumes targeted users searching for illegal copies of Adobe Photoshop and Adobe After Effects. Over the course of 2025, CyberArk estimates that this single operator harvested more than 5,000 victim logs, including approximately 390,000 passwords and around 30 million cookies. While many cookies were low value, the sheer volume significantly increased the likelihood of accessing high‑value accounts and sessions.

MaaS risks and key cybersecurity lessons

StealC exemplifies how MaaS platforms industrialize cybercrime: the malware author develops and maintains the tooling, while numerous operators focus on distribution, phishing, and monetization. Industry reports from leading security vendors consistently highlight info‑stealers as a primary driver of account takeover, business email compromise, and secondary intrusions.

CyberArk’s decision to publicly disclose the StealC XSS vulnerability is intended to undermine trust in the platform and disrupt its operations. For large MaaS ecosystems, even targeted blows to backend infrastructure can have an outsized effect: operators lose confidence, support and updates slow down, and the service becomes less attractive on underground markets.

For organizations and end users, this incident reinforces several critical security practices. First, downloading pirated software remains one of the most common infection vectors for info‑stealers; search queries such as “download Photoshop for free” are directly associated with high malware risk. Second, using password managers, multi‑factor authentication (MFA), and regular clearing of browser cookies and sessions substantially reduces the impact of credential theft and cookie hijacking. Third, businesses increasingly need continuous threat hunting and credential leak monitoring to detect compromised accounts before they are abused at scale.

The StealC case demonstrates that even mature criminal ecosystems are vulnerable to technical countermeasures and analytic pressure from the cybersecurity community. Systematic investment in proactive research, malware infrastructure analysis, and intelligence sharing increases the likelihood of identifying and destabilizing MaaS platforms before they reach mass‑adoption in the cybercrime market. Organizations and users alike should treat this incident as a practical incentive to revisit their cyber hygiene, harden authentication processes, and prioritize early detection of info‑stealer activity in their environments.
