Related Families: Amadey
Executive Summary
StealC V2, a sophisticated evolution of the StealC information stealer, introduces enhanced payload delivery, RC4 encryption, and a redesigned control panel, posing significant risks to organizations.
Key Takeaways
- StealC V2 employs RC4 encryption for command-and-control (C2) communications, enhancing its evasion capabilities.
- The malware supports diverse payload delivery methods, including MSI packages and PowerShell scripts.
- A new control panel allows operators to tailor payloads based on geolocation, hardware IDs, and installed software.
- StealC V2 is frequently deployed alongside the Amadey malware loader, amplifying its distribution.
What is StealC V2?
StealC, an information stealer and malware downloader first identified in January 2023, has undergone a significant transformation with the release of version 2 in March 2025. Zscaler’s ThreatLabz has tracked these changes, revealing a malware strain that has bolstered its stealth, flexibility, and data theft capabilities. Written in C++, StealC V2 leverages advanced obfuscation and encryption to evade detection, making it a formidable threat.
The updated StealC V2 introduces a streamlined command-and-control (C2) communication protocol, now fortified with RC4 encryption in its latest iterations. This encryption, initially commented out in early V2 releases, secures network communications and complicates interception efforts. The malware employs a two-stage string deobfuscation process, with critical strings decrypted using a hardcoded RC4 key during execution. This, combined with Themida packing—a commercial code protection tool—hinders reverse engineering, a tactic consistent with StealC V1 but refined in V2.
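As an added analyst helper (not code from this report or from the malware), the following minimal RC4 routine reproduces the decryption step a sample performs at runtime, so that RC4-protected strings or captured C2 traffic can be recovered statically once the hardcoded key has been pulled from a sample. The key and string table below are constructed placeholders, not values from any StealC V2 sample.

```python
"""Analyst helper: RC4 for statically recovering RC4-protected data.

Constructed example; the key and data here are placeholders, not
values from any real sample. RC4 is symmetric, so one routine both
encrypts and decrypts.
"""
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes for `key` (KSA, then PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` under `key` by XOR with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def decrypt_strings(key: bytes, blobs: list) -> list:
    """Decrypt a table of RC4-protected blobs extracted from a sample.

    Results that are not printable ASCII are reported as hex, so a
    wrong key is visible instead of silently yielding garbage.
    """
    out = []
    for blob in blobs:
        plain = rc4(key, blob)
        if plain.isascii() and all(0x20 <= c < 0x7F for c in plain):
            out.append(plain.decode("ascii"))
        else:
            out.append("<non-printable: %s>" % plain.hex())
    return out


if __name__ == "__main__":
    demo_key = b"placeholder-key"  # PLACEHOLDER, not a real sample key
    # Constructed string table: encrypt known plaintexts offline so the
    # round trip can be checked without any sample data.
    table = [rc4(demo_key, s) for s in (b"hello", b"example string")]
    print(decrypt_strings(demo_key, table))
```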
Payload delivery has been significantly enhanced, offering operators flexibility through executable files (EXE), Microsoft Software Installer (MSI) packages, and PowerShell scripts. These options enable tailored attack chains, with payloads compiled for 64-bit systems and featuring dynamic API resolution to further obscure malicious activities. A self-deletion routine adds to its evasiveness, reducing forensic footprints. The redesigned control panel is a standout feature, integrating an embedded builder that allows operators to customize payload delivery based on geolocation, hardware IDs, and installed software. This granularity enables precise targeting, increasing the malware’s effectiveness.
StealC V2’s data theft capabilities have also expanded. It now supports multi-monitor screenshot capture, a unified file grabber, and server-side brute-forcing for credential extraction. Additional features include Telegram bot integration for real-time operator alerts and the ability to bypass Chrome’s App-Bound Encryption for cookie theft, facilitating Google account hijacking. The control panel supports sophisticated filtering, allowing operators to block communications based on IP addresses, IP masks, or HWIDs, with automated IP blocking after communication completion. Early versions employed a fake 404 error page to evade C2 server detection, though this was patched after researchers identified it as a detection vector.
Frequently deployed via the Amadey malware loader, StealC V2 has been observed in large-scale malvertising campaigns and attacks exploiting browser vulnerabilities. Its modular design and rapid updates, evidenced by minor releases up to version 2.2.4, demonstrate active development and adaptability. PolySwarm analysts consider StealC V2 to be an evolving threat.
IOCs
StealC V2
PolySwarm has multiple samples of StealC V2.
0b921636568ee3e1f8ce71ff9c931da5675089ba796b65a6b212440425d63c8c
e205646761f59f23d5c8a8483f8a03a313d3b435b302d3a37061840b5cc084c3
a1b2aecdd1b37e0c7836f5c254398250363ea74013700d9a812c98269752f385
27c77167584ce803317eab2eb5db5963e9dfa86450237195f5723185361510dc
You can use the following CLI command to search for all StealC V2 samples in our portal:
$ polyswarm link list -f StealCV2
Amadey
PolySwarm has multiple samples of Amadey.
dd36c7d50cb05761391a7f65932193ec847d34f8ba1bb2f2a43ecf4985d911f4
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f
You can use the following CLI command to search for all Amadey samples in our portal:
$ polyswarm link list -f Amadey