Hackers Use OnyxC2 Malware-as-a-Service to Steal Credentials From 210 Applications
OnyxC2 is a new malware-as-a-service stealer that targets credentials, cookies, password manager data, two-factor authentication extensions, cryptocurrency wallets, FTP clients, and email applications.
According to BlackFog, the tool targets roughly 210 applications and browser extensions. It is sold as a commercial-style cybercrime product with a web panel, payload builder, tiered pricing, and claims of strong antivirus evasion.
The malware matters because it does not stop at saved passwords. It can steal session cookies, 2FA-related browser extension data, crypto wallet information, autofill records, and other material that attackers can use to bypass normal account recovery and password reset defenses.
OnyxC2 Is Sold Like Commercial Software
OnyxC2 appeared on a cybercrime network in early 2026 and is marketed as a ready-made credential theft platform. Buyers can use the panel to build payloads, manage infected systems, review logs, and collect stolen data.
The base offer starts at $250 per month, with higher tiers unlocking more remote access features. BlackFog says the developer also advertises refunds if a build gets detected, which shows how professionalized the stealer market has become.
The malware is written in C++ and uses low-level techniques to evade security checks. Each build can be changed before delivery, making signature-based detection harder.
| OnyxC2 capability | What it targets | Why it matters |
|---|---|---|
| Browser credential theft | Chromium and Gecko-based browsers | Steals saved usernames, passwords, cookies, and autofill data |
| Password manager theft | Selected password managers | Can expose many accounts from one infected device |
| 2FA extension theft | Browser-based authentication extensions | Can weaken protections that rely on local browser extensions |
| Crypto wallet theft | Wallet apps and browser extensions | Can lead to direct financial theft |
| Remote access tools | Victim device sessions | Allows hidden control, screenshots, keylogging, file management, and proxying |
The Stealer Targets Browsers, Wallets, and Business Tools
OnyxC2 reaches 37 Chromium-based browsers and eight Gecko-based browsers. It also targets 95 Chromium extensions and 14 Gecko extensions, including six dedicated two-factor authentication extensions.
This behavior maps closely to MITRE ATT&CK T1555.003, which covers adversaries acquiring credentials from web browsers by reading browser-specific files and extracting saved login data.
BlackFog also reported support for five password managers, 17 cryptocurrency wallets, 11 FTP clients, and five email clients. That expands the risk from personal account theft to business systems used by finance, operations, IT, and web teams.
- Saved browser passwords can unlock personal and work accounts.
- Session cookies can let attackers access accounts without knowing the password.
- Autofill data can expose names, addresses, payment details, and internal forms.
- FTP and email credentials can expose websites, mailboxes, and business systems.
- Crypto wallet theft can cause immediate and irreversible financial loss.
Session Cookies Make Password Resets Less Effective
Credential stealers are dangerous because they often collect more than passwords. A stolen session cookie can let an attacker access an account that has already passed login checks.

MITRE ATT&CK T1539 tracks this tactic as stealing web session cookies. When attackers collect these cookies, they may reuse active sessions to access web services without needing to complete a fresh login.
That is why a simple password reset may not fully contain a stealer infection. Security teams also need to revoke active sessions, reset tokens, check OAuth grants, and review recent account activity.
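The point above, as an added example that is not part of the original article: a minimal server-side session scheme in which a password reset leaves an already-issued cookie valid, while bumping a per-user session generation (the "revoke active sessions" step) invalidates every cookie the stealer could have copied. User records, key and cookie format are constructed for the demo.

```python
# Added example: why a password reset alone does not evict a stolen session cookie,
# and how a per-user session generation counter does. All values are constructed.
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed demo key, regenerated each run

# Constructed user record; session_gen is the counter every cookie is bound to
users = {"alice": {"pw_hash": "old-hash", "session_gen": 0}}


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str) -> str:
    """Mint a session cookie bound to the user's current session generation."""
    payload = f"{user}:{users[user]['session_gen']}:{secrets.token_hex(8)}"
    return f"{payload}.{_sign(payload)}"


def cookie_is_valid(cookie: str) -> bool:
    """Accept only an untampered cookie whose generation matches the user's record."""
    payload, _, sig = cookie.rpartition(".")
    if not hmac.compare_digest(sig, _sign(payload)):
        return False
    user, gen, _nonce = payload.split(":", 2)
    return user in users and int(gen) == users[user]["session_gen"]


def reset_password(user: str, new_pw: str) -> None:
    """A bare password reset: changes the hash, leaves issued cookies untouched."""
    users[user]["pw_hash"] = hashlib.sha256(new_pw.encode()).hexdigest()


def revoke_all_sessions(user: str) -> None:
    """Bump the generation so every previously issued cookie fails validation."""
    users[user]["session_gen"] += 1


def stolen_cookie_demo() -> dict:
    """Walk through the incident: theft, reset (no effect), revocation (effective)."""
    stolen = issue_cookie("alice")             # the cookie a stealer would exfiltrate
    reset_password("alice", "new-password")
    after_reset = cookie_is_valid(stolen)      # still True: reset alone does not help
    revoke_all_sessions("alice")
    after_revoke = cookie_is_valid(stolen)     # False: the stolen cookie is now dead
    fresh_ok = cookie_is_valid(issue_cookie("alice"))  # a new login still works
    return {"after_reset": after_reset, "after_revoke": after_revoke, "fresh_ok": fresh_ok}
```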
| Stolen item | Possible attacker use | Recommended response |
|---|---|---|
| Password | Account takeover and credential stuffing | Reset password and check for reuse |
| Session cookie | Access without entering the password again | Revoke sessions and tokens |
| Autofill data | Identity theft and payment fraud | Review stored browser data and payment accounts |
| Crypto wallet data | Wallet draining | Move funds to a new secure wallet |
| FTP or email credentials | Website compromise or mailbox abuse | Rotate credentials and inspect logs |
Fake Installers Deliver the Malware
OnyxC2 has been delivered through fake installer packages that imitate legitimate software downloads. Reported lures included names tied to Fling-Standalone, FinePrint, SystemSettings.exe, and fake Windows update ZIP files.
The delivery chain uses password-protected archives. That tactic can reduce automated scanning because security tools often have limited visibility into locked archives before a user extracts them.
NSA, CISA, FBI, and MS-ISAC guidance on evolving phishing attacks warns that phishing can push users into clicking malicious links or attachments that execute malware. The same guidance recommends controls such as phishing-resistant MFA, attachment filtering, protective DNS, application allow-lists, and remote browser isolation.
DLL Sideloading Helps OnyxC2 Hide
The fake installer packages use DLL sideloading. In this technique, a legitimate signed program runs first, then loads a malicious DLL placed in the same folder.
MITRE ATT&CK T1574.002 describes DLL sideloading as a hijack execution flow technique where attackers use the way Windows applications search for and load DLL files to execute malicious code.
BlackFog says the OnyxC2 DLL was inflated past 120 MB and made to resemble an NVIDIA graphics library, with exported function names that looked legitimate. Large file size and encrypted payload content can make inspection harder for tools that skip oversized files or rely mainly on static signatures.
| Evasion method | How it helps attackers |
|---|---|
| Password-protected archives | Limit pre-execution scanning of the package contents |
| Signed host executable | Makes the first launched program look trusted |
| DLL sideloading | Runs attacker code through a trusted application path |
| Binary padding | Inflates the file size to reduce scanning coverage |
| Encrypted payload | Hides the final malicious code until runtime |
OnyxC2 Also Includes Remote Access Features
OnyxC2 is not only a grab-and-leave credential stealer. Its feature set also includes remote access capabilities that can help attackers control a compromised machine after the initial theft.

Reported modules include hidden VNC (virtual network computing) sessions, a keylogger, screenshot capture, file management, a reverse shell over HTTP, a reverse SOCKS5 proxy, and a Tor tunnel. These features can help operators continue spying on a victim even after stealing the first batch of credentials.
The browser theft component also reinforces why credentials from web browsers remain a major risk. Browsers often store passwords, payment details, cookies, and other account data in one place, making them high-value targets for stealers.
Reported Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| Domain | akmuniverstall[.]top | C2 and distribution domain reported by researchers |
| URL path | /backend/api/app.php | Default C2 endpoint path written by the builder |
| IP address | 104[.]18[.]20[.]213 | Cloudflare-fronted IP associated with C2 infrastructure |
| IP address | 104[.]21[.]46[.]39 | Cloudflare-fronted IP associated with C2 infrastructure |
| IP address | 172[.]67[.]223[.]39 | Cloudflare-fronted IP associated with C2 infrastructure |
| SHA-256 | 41999a3d0da035ff8068905c90235ea50121329cb0661e38d745974ebf5e3ae2 | Signed sideload host executable |
| SHA-256 | 78945c844fc23dd3446cf17987edeeb6cc21986820c92df82a126af24a5a38d1 | Malicious DLL sample |
| SHA-256 | d89bb4b23a67814ef511e4e9dda7ad36fa519a322fa7c25ea451c7dd7ef61e54 | Second malicious DLL sample |
| SHA-256 | f6e4b09ef788adef3f65fd2b99da8f5be5391be29471676dc07040a56c8fdfab | Password-protected ZIP delivery archive |
| Filenames | Fling-Standalone*, FinePrint*, SystemSettings.exe, fake Windows update ZIPs | Lure names used in fake installer packages |
How Organizations Can Reduce the Risk
Organizations should treat OnyxC2 as both a credential theft threat and a data exfiltration threat. Once a system runs the stealer, defenders should assume that browser data, saved passwords, cookies, wallet material, and local application credentials may no longer be safe.
Security teams should map detections to DLL sideloading, browser credential theft, session cookie theft, keylogging, screen capture, proxying, and command-and-control activity. Endpoint alerts should focus on suspicious child processes, unusual DLL loads, oversized DLLs, archive extraction from untrusted locations, and unexpected outbound traffic.
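As an added example (not BlackFog's tooling or detection content), the following heuristic applies the sideloading description from the earlier section and the "unusual DLL loads, oversized DLLs" guidance above to constructed image-load events. The event fields are assumptions loosely modelled on endpoint image-load telemetry, not a real product schema; file names and sizes in the samples are constructed.

```python
# Added example: flag the DLL sideloading pattern (signed host executable loading an
# unsigned DLL from its own, untrusted directory) and oversized DLLs from image-load
# events. Event schema and sample data are constructed, not a vendor format.
from pathlib import PureWindowsPath

OVERSIZE_BYTES = 100 * 1024 * 1024  # assumed threshold; legitimate DLLs this large are rare
TRUSTED_DIRS = ("C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\")

MB = 1024 * 1024
# Constructed sample events: process image, loaded DLL, signature status, DLL size
EVENTS = [
    {"image": r"C:\Users\u\Downloads\FinePrint\setup.exe",          # signed host...
     "dll": r"C:\Users\u\Downloads\FinePrint\nvgfx.dll",            # ...loads padded DLL
     "image_signed": True, "dll_signed": False, "dll_size": 130 * MB},
    {"image": r"C:\Program Files\App\app.exe",                      # benign: trusted dir
     "dll": r"C:\Program Files\App\helper.dll",
     "image_signed": True, "dll_signed": True, "dll_size": 2 * MB},
    {"image": r"C:\Windows\explorer.exe",                           # benign: system DLL
     "dll": r"C:\Windows\System32\shell32.dll",
     "image_signed": True, "dll_signed": True, "dll_size": 21 * MB},
    {"image": r"C:\Users\u\AppData\Local\Temp\SystemSettings.exe",  # lure name from report
     "dll": r"C:\Users\u\AppData\Local\Temp\version.dll",
     "image_signed": True, "dll_signed": False, "dll_size": 80 * 1024},
]


def sideload_reasons(ev: dict) -> list:
    """Return the reasons an image-load event looks like sideloading (empty if none)."""
    img, dll = PureWindowsPath(ev["image"]), PureWindowsPath(ev["dll"])
    reasons = []
    same_dir = img.parent == dll.parent
    in_trusted_dir = str(img).startswith(TRUSTED_DIRS)
    if same_dir and not in_trusted_dir and ev["image_signed"] and not ev["dll_signed"]:
        reasons.append("signed host loads unsigned DLL from its own untrusted directory")
    if ev["dll_size"] >= OVERSIZE_BYTES:
        reasons.append("oversized DLL (possible binary padding)")
    return reasons


def flag_events(events: list) -> dict:
    """Map each suspicious DLL path to its reasons; clean events are omitted."""
    return {ev["dll"]: r for ev in events if (r := sideload_reasons(ev))}


if __name__ == "__main__":
    for dll_path, why in flag_events(EVENTS).items():
        print(dll_path, "->", "; ".join(why))
```

Signature status and size come from whatever telemetry the endpoint already collects; the heuristic is deliberately narrow so that it can be tuned against the allow-listed software an organization actually installs from user-writable locations.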
The BlackFog report recommends stopping data theft at the endpoint rather than relying only on file scanning. That approach matters because OnyxC2 tries to make the malicious file hard to detect before it starts sending stolen data out.
- Block users from running installers from temporary folders, downloads, and extracted archives when possible.
- Use application allow-listing for software installers and administrative tools.
- Disable browser password saving for high-risk roles and managed endpoints.
- Use phishing-resistant MFA and revoke sessions after suspected infection.
- Rotate passwords, API keys, wallet credentials, FTP accounts, and email credentials after exposure.
- Monitor outbound traffic for unusual uploads to unfamiliar domains and Cloudflare-fronted infrastructure.
Defenders should also respond to cookie theft as an active session compromise. Stolen web session cookies can keep attackers inside accounts even after password resets, so session revocation and token invalidation should be part of every response.
For prevention, the most useful controls are layered. The phishing guidance from U.S. security agencies supports the same direction: block malicious attachments and links early, reduce user execution paths, apply allow-lists, and use stronger authentication.
OnyxC2 shows how mature the stealer market has become. A low-cost subscription now gives criminals access to tools that can steal credentials from hundreds of applications, control infected systems, and move stolen data through encrypted channels.
FAQ
OnyxC2 is a malware-as-a-service credential stealer sold to cybercriminals. It targets browsers, password managers, two-factor authentication extensions, cryptocurrency wallets, FTP clients, email clients, and other applications.
Researchers say OnyxC2 targets roughly 210 applications and browser extensions, including Chromium and Gecko-based browsers, password managers, cryptocurrency wallets, FTP clients, email clients, and 2FA-related extensions.
Reported OnyxC2 delivery uses fake installer packages, password-protected archives, and DLL sideloading. A legitimate signed program runs first, then loads a malicious DLL placed in the same folder.
Stolen cookies can let attackers reuse active web sessions. That can allow account access even after a password reset unless the victim or administrator also revokes sessions and invalidates tokens.
Organizations should block untrusted installers, use application allow-listing, monitor DLL sideloading behavior, revoke active sessions after compromise, rotate exposed credentials, disable browser password saving where appropriate, and inspect unusual outbound data transfers.