OnyxC2 Malware-as-a-Service Offers Enterprise-Grade Data Theft
OnyxC2 is a MaaS stealer targeting over 210 applications, utilizing DLL sideloading, encrypted payloads, and remote access features to evade detection. This malware surfaced on a cybercrime forum earlier this year and is available as a subscription service: $250 per month for the standard build, $500 for the premium tier that includes HVNC, and $6,000 for outright source code purchase. The developers are so confident in their evasion capabilities that they offer refunds if a build gets detected. BlackFog researchers obtained and analyzed two samples, detailing the stealer’s comprehensive capabilities.
The target list includes:
- 37 Chromium-based browsers
- 8 Gecko-based browsers
- 95 Chromium extensions
- 14 Gecko extensions (including 6 dedicated two-factor authentication extensions)
- 5 password managers
- 17 cryptocurrency wallets
- 11 FTP clients
- 5 email clients
- Various VPN, remote access, messaging, note-taking, and gaming applications.
According to the report published by BlackFog, “A stealer that scrapes password managers and 2FA extensions alongside saved logins is built to collect the credentials and session material that survive a password reset.” One infected host visible in the operator panel had already handed over 55 saved passwords, 4,717 cookies, 719 autofill entries, 2 payment cards, and a cryptocurrency wallet.
The delivery mechanism is particularly interesting. Inside the build is a legitimate application carrying a valid Authenticode signature, which scores zero detections across 71 antivirus engines on VirusTotal. Accompanying it is a DLL disguised as an NVIDIA graphics library, with the malicious payload appended after the legitimate content, so the file appears valid at a glance. When the victim runs the installer, the signed application loads the malicious DLL alongside it via DLL sideloading. The payload remains encrypted until runtime, so nothing detectable sits on disk before execution begins. “Both delivery archives came back clean on their first VirusTotal upload, and the malicious component inside them was still unflagged when we last checked on May 30, 2026,” states the report.
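Data appended after a PE's last section (an "overlay") is exactly the trick described above, and it is cheap to check for during triage. The following is an added example, not code from the BlackFog report: it parses the section table to find where legitimate content ends, and discounts the Authenticode certificate table, which signed binaries legitimately store in the overlay. The `build_sample` helper fabricates a minimal one-section PE purely so the check can be exercised offline.

```python
import struct

def find_overlay(data: bytes) -> dict:
    """Locate bytes past the last section and report whether any of them
    are not accounted for by the Authenticode certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24                                     # optional header
    sec_tbl = opt_off + opt_size                              # section headers
    end = sec_tbl + 40 * n_sections                           # headers are content too
    for i in range(n_sections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    # Security data directory (index 4) holds a file offset, not an RVA.
    cert_off = cert_len = 0
    if opt_size >= 8:
        magic = struct.unpack_from("<H", data, opt_off)[0]
        dd = opt_off + (112 if magic == 0x20B else 96)        # PE32+ vs PE32
        if opt_size >= (dd - opt_off) + 40:
            cert_off, cert_len = struct.unpack_from("<II", data, dd + 32)
    overlay_size = len(data) - end
    explained = cert_len if cert_off >= end else 0
    return {
        "overlay_offset": end,
        "overlay_size": overlay_size,
        "cert_size": explained,
        "suspicious": overlay_size - explained > 0,
    }

def build_sample(appended: bytes) -> bytes:
    """Constructed minimal PE for testing: one section, no optional header.
    Not a real library; the appended bytes stand in for a smuggled payload."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x2022)
    sect = b".text\0\0\0" + struct.pack("<IIII", 16, 0x1000, 16, 128) + b"\0" * 16
    body = b"\xC3" * 16                                       # section raw data
    return dos + coff + sect + body + appended

if __name__ == "__main__":
    print(find_overlay(build_sample(b"\x90" * 512)))
```

On a real signed DLL, compare the reported overlay against the certificate size: a legitimately signed file leaves `suspicious` false, while content appended after the signature does not.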
The remote access toolkit bundled with the stealer goes well beyond credential harvesting. It includes:
- HVNC over a web browser
- LSASS memory dumping
- RunPE execution both in memory and on disk
- A reverse SOCKS5 proxy
- Screenshot capture
- A keylogger
- A file manager
- A reverse shell over HTTP.
Persistence is what converts a one-time infection into prolonged access. OnyxC2 is designed to maintain its foothold across sessions, meaning one compromised workstation doesn’t yield a snapshot of credentials at a single point in time. Instead, it provides continuous access to everything that workstation interacts with: browsers, password managers, 2FA tokens, email, FTP sessions, VPN credentials, and cryptocurrency wallets, refreshed as the victim continues working. “A stealer with this reach turns one compromised workstation into standing access across a person’s working life,” concludes the report.