Cybercriminals never rest—and neither does malware. Stealc, one of the most notorious malicious software tools of recent years, has made a troubling leap in its evolution. The creators of this lightweight infostealer (capable of stealing information and downloading other types of malware) released its second major version in March 2025, introducing significant improvements in stealth and data theft. Although it first became available on the dark web in 2023 with subscription prices starting at just $200 per month, its sophistication and reach have continued to grow steadily.
Throughout 2024, Stealc was at the center of large-scale malvertising campaigns and attacks that locked systems into unavoidable kiosk modes. By the end of that year, its developers proved the project remained highly active by adding a mechanism to bypass Chrome’s defenses against cookie theft—even enabling the regeneration of expired cookies to hijack Google accounts.
The latest version, 2.2.4, consolidates several bug fixes and new capabilities that reinforce its status as a critical threat. Understanding how Stealc works and what makes it so effective is the first step to protecting both your personal information and the digital assets of any organization.
What’s New in the Latest Version?
Version 2 of Stealc (and its subsequent releases) debuted in March 2025 and, according to a recent analysis, introduced several major improvements:
- It can now deliver its payload using EXE files, MSI packages, and even PowerShell scripts. Additionally, payload activation is configurable, giving attackers greater control.
- RC4 encryption has been implemented for both code strings and communications with its command and control (C2) server. To make detection even harder, C2 responses include random parameters.
- On a technical level, the architecture and execution methods have been improved. The new payloads are compiled for 64-bit systems, resolve API functions in real time, and even feature a self-deletion routine to erase traces.
- An integrated builder has been added, allowing attackers to easily create new Stealc variants using templates and customizable data theft rules.
- It now supports Telegram bots, enabling attackers to receive real-time alerts about their victims.
- As if that weren’t enough, a feature has been added to capture desktop screenshots from victims—even those using multiple monitors.
New StealC v2 Administration Panel (Source: Zscaler)
But not everything was added. Some important features were also removed, such as the anti-VM checks (which detected if the malware was running in a virtual machine) and the ability to download and execute DLLs.
This could be an attempt to make Stealc faster and more efficient. Although, to be honest, it’s also possible that these features were removed because the code was significantly overhauled and they might return—improved—in future versions.
StealC C2 Communication Flow
In the most recent attacks, Stealc has been deployed using Amadey, a well-known malware loader. However, different attackers may vary both in how they distribute it and in the tactics they use during the attack.
Conclusion
Stealc has proven to be much more than just another fleeting piece of malware. With each new version, its creators not only fix bugs but also refine its capabilities to evade defenses and maximize data theft. Its constant evolution and ease of customization make it a serious threat to both regular users and businesses alike.
If you want to keep your data safe from this type of information-stealing malware, avoid storing sensitive data in your browser, even if it seems more convenient. Additionally, always enable multi-factor authentication on your accounts and never download pirated software or anything from untrusted sources.
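One way to enforce the first piece of that advice on managed Windows endpoints, as an added example that is not part of the original article: the script below sets the documented Chrome, Edge and Firefox enterprise policies that turn off browser password saving and autofill, then reads each value back to confirm it applied. The registry paths and policy names are the vendors' published ones; the grouping and the verification function are this example's own.

```powershell
# Added example (not from the article): keep credentials and payment data out of
# the browser, as the article recommends, by setting machine-wide browser policies.
# Requires an elevated (Administrator) PowerShell session.
$policies = @(
    @{ Browser = 'Chrome';  Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';
       Values = @{ PasswordManagerEnabled = 0; AutofillCreditCardEnabled = 0; AutofillAddressEnabled = 0 } },
    @{ Browser = 'Edge';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';
       Values = @{ PasswordManagerEnabled = 0; AutofillCreditCardEnabled = 0; AutofillAddressEnabled = 0 } },
    @{ Browser = 'Firefox'; Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox';
       Values = @{ PasswordManagerEnabled = 0 } }
)

# Create the policy key if needed and write each value as a DWORD.
function Set-BrowserCredentialPolicy {
    param([Parameter(Mandatory)] $Policy)
    if (-not (Test-Path $Policy.Path)) {
        New-Item -Path $Policy.Path -Force | Out-Null
    }
    foreach ($name in $Policy.Values.Keys) {
        New-ItemProperty -Path $Policy.Path -Name $name -Value $Policy.Values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

# Read every value back; return the names that are missing or not set to 0.
function Test-BrowserCredentialPolicy {
    param([Parameter(Mandatory)] $Policy)
    $failures = @()
    foreach ($name in $Policy.Values.Keys) {
        $item = Get-ItemProperty -Path $Policy.Path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item -or $item.$name -ne 0) { $failures += $name }
    }
    return $failures
}

foreach ($p in $policies) {
    Set-BrowserCredentialPolicy -Policy $p
    $bad = Test-BrowserCredentialPolicy -Policy $p
    if ($bad.Count -eq 0) {
        Write-Output "$($p.Browser): credential storage policies enforced"
    } else {
        Write-Warning "$($p.Browser): policy not applied for $($bad -join ', ')"
    }
}
```

These policies do not remove session cookies from disk, which is the data the article says Stealc can also take, so they complement rather than replace the multi-factor authentication advice above.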