Researchers exploited a flaw in StealC malware panels, hijacking attacker infrastructure and exposing stolen data and operator activity.

Continue reading
Security researchers have successfully exploited a vulnerability in StealC’s web-based control infrastructure, enabling them to monitor and hijack active malware operator sessions and gather detailed intelligence on threat actors.
The breakthrough came through a cross-site scripting (XSS) flaw in the administration panel used by StealC operators to manage infected endpoints, view credentials harvested from victims, and deploy new builds of the malware.
StealC is a malware-as-a-service (MaaS) info-stealer that has been active in underground cybercrime markets since early 2023. It gained traction due to its:
Operators typically use a control panel to manage multiple deployed instances of StealC, inspect stolen credentials, and maintain persistence across compromised machines.
The pivot in this campaign started when portions of StealC’s source code — including its web management panel — were leaked. That leak enabled defenders to audit the malware’s backend and discover weaknesses in its design.
Among those was a classic XSS vulnerability in the panel’s session handling logic. By exploiting that flaw, researchers were able to:
This type of flaw ordinarily targets user browsers, but in this context it allowed defenders to actually take over the malware operators’ web interface — leveraging the attackers’ own tools against them.
There’s striking irony in the scenario: malware designed to steal credentials from victims had its own session and credential controls inadequately hardened, leading to its operators being exposed.
According to supplementary reporting, in at least some cases defenders were able to attribute activity patterns to individual operators — including unique hardware fingerprints and login behaviors — providing rare visibility into the human side of a malware network.
One researcher report even identified an operator using the alias “YouTubeTA,” whose panel contained logs of hundreds of thousands of stolen credentials and millions of session tokens, illustrating the scale of data exfiltration tied to StealC infrastructure.
The hijacking of StealC panels is more than a curiosity. It highlights several broader issues for defenders and incident responders:
Attack infrastructure is often developed rapidly with minimal operational security. Leaked code and reuse of standard web frameworks can create exploitable flaws defenders can turn into intelligence sources.
Even basic input-validation flaws like XSS can have outsized impact when they exist in admin panels or management consoles — whether for legitimate software or criminal tooling.
Capturing metadata like browser fingerprints, session histories, and hardware profiles allows defenders to go beyond malware signatures and observe attacker behavior patterns directly.
While most defenders won’t be probing criminal infrastructure directly, the StealC episode reinforces a few defensive best practices that matter in enterprise contexts as well:
In a rare twist, defenders were able to use a malware ecosystem’s own web panels against the attackers themselves. By exploiting an XSS flaw in StealC’s control infrastructure, researchers gained visibility into ongoing malicious operations and operator footprints in a way that traditional malware analysis rarely provides.
This case shows that offensive tools are not always secure, and that careful research — combined with opportunistic analysis of leaked criminal code — can yield actionable insights that improve overall security intelligence.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.