Arkanix Stealer: a C++ & Python infostealer

Khushal

Apr 4, 2024
Arkanix Stealer operated as malware-as-a-service, with both C++ native and Python versions that can dynamically adjust features and exfiltrate browser data, crypto wallets, and system information, using a dedicated C2 panel
 
The quoted summary matches what Kaspersky's Securelist report describes (published February 19, 2026): Arkanix is presented as a MaaS operation with a web-based control panel, and the authors observed both a native C++ stealer and a Python implementation with server-side configurable "features" (i.e., the operator chooses from the panel what gets collected). The report also explicitly mentions bundling and executing the post-exploitation browser tool "ChromElevator" in the native/C++ chain.

Notable technical details from the reports (high-level)
  • MaaS + panel: Advertised on forums/Discord, with a panel offering configurable payload options/statistics (invite-code style access is mentioned in other writeups).
  • Python chain: The “loader” downloads and executes the Python stealer, and the feature list can be refreshed from the server (dynamic config). Securelist also notes the loader installing Python packages (via pip) and contacting panel endpoints before pulling stealer.py.
  • Native/C++ chain: Securelist describes ChromElevator being embedded and executed to extract Chromium browser data (cookies, saved logins, etc.) by running inside the browser's own process context, which is the usual way tools sidestep newer browser protections such as App-Bound Encryption.
  • Targets: Browser data, crypto-wallet related data, and general system info are core goals; other writeups also describe additional “premium” theft items (VPN/Wi‑Fi/RDP/screenshot-type data depending on build/variant).

Defender takeaways (why this matters)
  • Infostealers are often "account takeover accelerators": a replayed session cookie is already post-MFA, so stolen cookies/session tokens let an attacker skip MFA entirely until the session is revoked.
  • Because Arkanix can adjust features, “what was stolen” may differ per victim/build, so response should assume broad credential/session exposure until proven otherwise.

If someone suspects they ran an Arkanix sample
  • Isolate the device (network off) and preserve evidence if needed (business environment).
  • From a clean device: change passwords for email, password manager, major accounts; revoke active sessions where possible.
  • Assume browser-stored data (saved passwords/cookies) may be compromised; consider a full OS reinstall for high confidence cleanup (common best practice after infostealers).
  • For crypto: move funds to fresh wallets/keys (don’t just change passwords).
  • Scan with a reputable AV/EDR, and consider submitting the sample to VirusTotal for community/vendor visibility (don’t rely on a single engine verdict).

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1204.002
User Execution: Malicious File
(Assumed based on decoy filenames like discord_nitro_code_validator_right_aligned.py.)

T1059.006
Command and Scripting Interpreter: Python

T1552.001
Unsecured Credentials: Credentials In Files
(Extracting from %LOCALAPPDATA% and %USERPROFILE%\Documents.)

T1539
Steal Web Session Cookie
(Via ChromElevator integration.)

T1547.001
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
(HVNC module drops to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\hvnc.py.)

CVE Profile
N/A (no CVE is exploited; the malware relies on credential extraction and an App-Bound Encryption bypass rather than a software vulnerability).

Telemetry

Hashes (MD5)

af8fd03c1ec81811acf16d4182f3b5e1 (Python version)
a3fc46332dcd0a95e336f6927bae8bb7 (C++ native version)
3283f8c54a3ddf0bc0d4111cc1f950c0 (ChromElevator payload)

Network Indicators
195.246.231[.]60
172.67.186[.]193
arkanix[.]pw
arkanix[.]ru

Targeted Paths
%LOCALAPPDATA%\Arkanix_lol\, %APPDATA%\Roaming\Telegram Desktop\tdata, %TEMP%\upd_{random_8_byte_name}.py.

Constraint
The structure of the downloaded "dropper" payload suggests additional secondary execution capabilities, but lacking the binary, its exact root-level modifications remain unverified.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Initiate incident response protocols for credential compromise; notify legal and compliance regarding potential PII/financial data exposure from stolen browser data.

DETECT (DE) – Monitoring & Analysis

Command
Query SIEM/EDR for network connections to arkanix[.]pw and arkanix[.]ru.

Command
Hunt for process execution anomalies: python.exe (or pythonw.exe) launching scripts from %TEMP% (the loader writes %TEMP%\upd_*.py), and any process creating files under %LOCALAPPDATA%\Arkanix_lol.
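The two DETECT hunts above (C2 domain/IP contact; python.exe running scripts from %TEMP% or writing into Arkanix_lol), plus the Startup-folder hvnc.py drop from the ATT&CK mapping, written out as detection logic over a batch of Sysmon-style events. This is an added example, not code from the Securelist report or from the original post. The indicators are the ones listed on this page; the event record format, the host names, the sample command lines and file paths are constructed, the inclusion of pythonw.exe alongside python.exe is an assumption, and because the page does not give the exact form of the random upd_*.py name any name after "upd_" is accepted.

```python
"""
Added hunting example (not from the Securelist report or the original post).
Runs the DETECT-phase hunts over constructed Sysmon-style events.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# --- Indicators taken from the page, kept defanged so the file is safe to share ---
DEFANGED_DOMAINS = ["arkanix[.]pw", "arkanix[.]ru"]
DEFANGED_IPS = ["195.246.231[.]60", "172.67.186[.]193"]


def refang(ioc: str) -> str:
    """Undo common defanging ('[.]' and 'hxxp') so the indicator can be compared."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

# --- Host artefacts from "Targeted Paths" and the ATT&CK mapping -----------------
# Windows paths are compared case-insensitively. pythonw.exe is an assumption
# (same interpreter, no console window); the page names only python.exe.
PY_IMAGE = re.compile(r"\\pythonw?\.exe$", re.I)
TEMP_SCRIPT = re.compile(r'\\Temp\\upd_[^\\\s"]+\.py\b', re.I)   # loader's upd_*.py
ANY_TEMP_SCRIPT = re.compile(r'\\Temp\\[^\\\s"]+\.py\b', re.I)   # any script run from %TEMP%
STAGING_DIR = re.compile(r"\\Arkanix_lol\\", re.I)
STARTUP_PY = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.py$", re.I)


@dataclass
class Event:
    """Minimal stand-in for a Sysmon/EDR record (constructed, not real telemetry)."""
    kind: str                 # "process", "network" or "file"
    host: str
    image: str = ""           # process image path (process events)
    cmdline: str = ""         # full command line (process events)
    dest: str = ""            # destination hostname or IP (network events)
    target: str = ""          # created or written file path (file events)


@dataclass
class Hit:
    host: str
    rule: str
    technique: str            # ATT&CK ID where the page maps one, else ""
    detail: str


def dest_is_ioc(dest: str) -> bool:
    """True if dest is a listed IP, a listed domain, or a subdomain of one."""
    try:
        return ipaddress.ip_address(dest) in IPS
    except ValueError:
        name = dest.lower().rstrip(".")      # tolerate trailing-dot FQDN form
        return name in DOMAINS or any(name.endswith("." + d) for d in DOMAINS)


def hunt(events: list[Event]) -> list[Hit]:
    """Apply the page's DETECT hunts to a batch of events and return the matches."""
    hits: list[Hit] = []
    for e in events:
        if e.kind == "network" and dest_is_ioc(e.dest):
            hits.append(Hit(e.host, "c2-panel-contact", "", f"connection to {e.dest}"))
        elif e.kind == "process" and PY_IMAGE.search(e.image):
            if TEMP_SCRIPT.search(e.cmdline):
                hits.append(Hit(e.host, "python-upd-script-from-temp", "T1059.006", e.cmdline))
            elif ANY_TEMP_SCRIPT.search(e.cmdline):
                hits.append(Hit(e.host, "python-script-from-temp", "T1059.006", e.cmdline))
        elif e.kind == "file":
            if STAGING_DIR.search(e.target):
                hits.append(Hit(e.host, "arkanix-staging-write", "", e.target))
            elif STARTUP_PY.search(e.target):
                hits.append(Hit(e.host, "startup-folder-python-drop", "T1547.001", e.target))
    return hits


# Constructed sample batch: four events that should fire and three that should not.
SAMPLE_EVENTS = [
    Event("process", "WS-01", image=r"C:\Python312\python.exe",
          cmdline=r'"C:\Python312\python.exe" C:\Users\bob\AppData\Local\Temp\upd_a1b2c3d4.py'),
    Event("file", "WS-01", target=r"C:\Users\bob\AppData\Local\Arkanix_lol\browsers.zip"),
    Event("network", "WS-01", dest="arkanix.pw"),
    Event("file", "WS-01",
          target=r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hvnc.py"),
    # Benign noise: a developer running a project script, a normal web request, a temp file.
    Event("process", "WS-02", image=r"C:\Python312\python.exe",
          cmdline=r'"C:\Python312\python.exe" C:\Projects\app\main.py'),
    Event("network", "WS-02", dest="example.com"),
    Event("file", "WS-02", target=r"C:\Users\alice\AppData\Local\Temp\tmpA1B2.tmp"),
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h.host:6} {h.rule:30} {h.technique or '-':10} {h.detail}")
```

Treat the host artefacts and domain hits as the high-confidence signal: IP indicators on shared hosting or CDN address space churn and collide with legitimate traffic, so an IP-only match should prompt a look at the endpoint rather than an automatic block. The python-from-%TEMP% rule will also fire on some installers and developer tooling; scope it with the upd_*.py name or the Arkanix_lol write before escalating.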

RESPOND (RS) – Mitigation & Containment

Command
Isolate affected endpoints from the corporate network to halt active data exfiltration.

Command
Terminate unauthorized python.exe processes and remove the ArkanixStealer.exe binary.

RECOVER (RC) – Restoration & Trust

Command
Force a password reset and revoke all active session tokens (OAuth 2.0 refresh tokens, SSO sessions, browser cookies) for impacted users: a reset alone does not invalidate sessions the stealer has already exfiltrated.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Restrict execution of Python scripts from user-writable directories (e.g., %TEMP%, %APPDATA%) using AppLocker or Windows Defender Application Control (WDAC).

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately. Arkanix actively streams ZIP archives of your personal files, browser histories, and crypto wallets to a remote server.

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords and MFA tokens using a known clean device (e.g., your mobile phone on a cellular network). Focus on cryptocurrency wallets, Discord, Steam, and email accounts first, as these are actively parsed by the stealer.

Priority 3: Persistence

Command
Check Scheduled Tasks and the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\) for unauthorized entries such as hvnc.py, and review browser extensions for anything you did not install. Then run a full system scan with a reputable antivirus.

Hardening & References

Baseline

CIS Benchmarks for Windows 10/11 (Enforce AppLocker rules to block unsigned executables and scripts in user profiles).

Framework
NIST CSF 2.0 / SP 800-61r3.

Threat Intelligence
Rely on behavioral monitoring for App-Bound Encryption bypass techniques (e.g., ChromElevator injections) as traditional file-based signatures are often evaded by the Python variant's memory-resident execution.

Source
Securelist
 