Arkanix Stealer: AI-assisted info-stealer shuts down after brief campaign

Arkanix Stealer surfaced in late 2025 as a short-lived info-stealer, likely built as an AI-assisted experiment and quickly abandoned.

Arkanix Stealer emerged in late 2025 as a short-lived information-stealing malware promoted on dark web forums. Researchers believe it was likely created as an AI-assisted experiment, suggesting the operators were testing automated development techniques rather than running a long-term, large-scale cybercriminal operation.

In October 2025, Kaspersky researchers spotted dark web ads for ‘Arkanix Stealer,’ a MaaS offering with a control panel and configurable payloads. It used a C++ build embedding ChromElevator to steal system and crypto wallet data, plus a packed Python version with dynamic configuration. Likely spread via phishing-themed lures, the operation appeared short-lived, and its affiliate program was later shut down.

The ads include a link to a Discord server used as the primary communication channel.

The initial infection vector remains unclear, but phishing-themed loaders suggest social-engineering attacks. A Python loader downloads and runs the Arkanix stealer after installing required packages, registering the victim machine with its C2, and fetching the payload. The stealer supports dynamic feature updates from the panel and deploys an additional dropper before data theft. It collects extensive system details, browser data (passwords, cookies, crypto-related info), Telegram sessions, Discord credentials, VPN data, and selected user files, packing results into archives for exfiltration.

“This stealer is capable of extracting various types of data from supported browsers (22 in total, ranging from the widely popular Google Chrome to the Tor Browser). The list of supported browsers is hardcoded, and unlike other parameters, it cannot be modified during execution.” reads the report published by Kaspersky. “In addition to a separate Chrome grabber module (which we’ll discuss later), the stealer itself supports the extraction of diverse information, such as:

• In case of Chromium-based browsers, 0Auth2 data is also extracted”
• Browser history (URLs, visit count and last visit)
• Autofill information (email, phone, addresses and payment cards details)
• Saved passwords
• Cookies”

Extra modules, including wallet tools and HVNC, can be decrypted and deployed. After completing operations, it deletes itself and related artifacts.

Researchers analyzed both debug and release builds of the native C++ Arkanix Stealer. The release version used VMProtect and the arkanix[.]pw C2, while the debug build relied on a Discord bot and extensive logs. The malware supports anti-analysis checks, patches AMSI and ETW, and steals system, RDP, gaming, browser and screenshot data. It embeds the ChromElevator browser extractor for credential theft and encrypts exfiltrated data with AES-GCM + PBKDF2. The infrastructure observed by the experts included two domains behind Cloudflare hosting a protected panel that was taken offline later.

The group promoted the stealer via Discord with marketing tactics, a referral program and promises of a crypter, suggesting short-lived, possibly AI-assisted development.

“Referrers were promised an additional free hour to their premium license, while invited customers received seven days of free “premium” trial use.” continues the report. “As stated in forum posts, the premium plan included the following features:

• C++ native stealer
• Exodus and Atomic cryptocurrency wallets injection
• Increased payload generation, up to 10 payloads
• Priority support

The stealer targeted users of cryptocurrency, gaming, and online banking, collecting sensitive data. Likely aided by LLMs, it was a quick, one-shot campaign for fast gains. The developers ran a public forum with updates, surveys, and a referral program, making Arkanix appear more like a marketed software product than a hidden malware operation.

“While being quite functional, it contains probable traces of LLM-assisted development which suggests that such assistance might have drastically reduced development time and costs.” concludes the report. “Hence it follows that this campaign tends to be more of a one-shot campaign for quick financial gains rather than a long-running infection.”

Kaspersky provides a list of indicators of compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)