- StealC panel contained an XSS flaw that let researchers capture system fingerprints, active sessions, and session cookies.
- Leaked panel source code and poor cookie protections exposed operator and customer data, including one actor’s IP and hardware details.
- A single customer, YouTubeTA, used YouTube to distribute the stealer and amassed thousands of logs, hundreds of thousands of passwords, and millions of cookies.
On Jan. 19, 2026, CyberArk researcher Ari Novick disclosed a cross-site scripting (XSS) flaw in the web control panel used by operators of the StealC information stealer, enabling collection of system fingerprints, session monitoring, and cookie theft, according to a report.
StealC first appeared in January 2023 as a Malware-as-a-service product that used YouTube to spread disguised cracked software. The malware later added features such as Telegram bot integration, improved payload delivery, and a redesigned administration panel known as StealC V2.
Weeks after the panel update, its source code was leaked, allowing researchers to analyze operator systems and retrieve active cookies, as detailed in an autopsy and a sample listing. XSS is a client-side injection that runs malicious JavaScript in a victim’s browser when sites fail to validate input, per MDN and a Fortinet explanation.
"By exploiting it, we were able to collect system fingerprints, monitor active sessions, and – in a twist that will surprise no one – steal cookies from the very infrastructure designed to steal them," Novick wrote in the report. The panel lacked basic protections such as httpOnly flags on cookies, leaving session cookies exposed.
Analysis identified a prominent customer named YouTubeTA, which promoted cracked Adobe products on YouTube and gathered over 5,000 logs containing about 390,000 stolen passwords and more than 30 million stolen cookies. Many of those cookies were tracking or non-sensitive cookies rather than high-value credentials.
Researchers also found a single admin account using an Apple M3 machine with English and Russian settings. An operational mistake in mid-July 2025 — failing to use a VPN — revealed a real IP tied to TRK Cable TV, suggesting the operator is a lone actor in an Eastern European, Russian-speaking area.
CyberArk noted that weaknesses in the panel and cookie handling exposed customer data and that similar flaws in other malware services could let researchers and law enforcement gather actionable intelligence, as stated in their report.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- MLK Day: NYSE, Nasdaq, Banks and USPS Closed, Futures Open!!
- Binance Australia relaunches AUD transfers after 2 years now
- XRP Plummets Amid Market Sell-Off, Down 4.1% Today – Selloff
- Ethereum usage soars; fees plunge, 30% staked, Buterin warns
- Trove Markets Sparks Backlash After Sudden Solana Pivot Now!
