A new information-stealing operation called Arkanix Stealer appeared on dark web forums in late 2025 but vanished after only two months of activity. The project offered standard data-theft capabilities in two tiers: a basic Python build and a premium C++ build with additional evasion features. Kaspersky researchers found evidence suggesting that large language models assisted in the malware's development, which would have cut the time and cost of producing it significantly.
The operator ran a Discord server for community engagement and a referral program that rewarded promotion of the stealer with free premium access. Arkanix targeted browsers, cryptocurrency wallets, VPN credentials, gaming platforms, and messaging applications such as Telegram and Discord. The premium version added anti-sandbox checks, RDP credential theft, and ChromElevator, a tool for bypassing Chrome's App-Bound Encryption, the protection that ties decryption of saved cookies and credentials to the browser itself rather than to the logged-on user's DPAPI key.
Additional modules delivered from the command-and-control servers extended the stealer with HVNC (hidden VNC remote control), screenshot capture, and FileZilla data theft. Kaspersky characterized Arkanix as resembling a legitimate software product rather than typical underground malware. The sudden shutdown without warning suggests the project may have been a short-term experiment to test the efficiency of AI-assisted development and the market's appetite for the result. The researchers published a comprehensive set of indicators of compromise to aid detection of the now-defunct operation. Hosts infected during its two months of activity should still be treated as exposed: credentials and session data already exfiltrated do not become safe when the operation's infrastructure goes dark.
