As reported by Security Affairs, OnyxC2 has emerged as a new malware-as-a-service (MaaS) stealer, aggressively targeting a wide array of applications and employing sophisticated evasion techniques to avoid detection.
OnyxC2 is being sold on cybercrime forums for as little as $250 per month, with developers offering refunds if their builds are detected, highlighting confidence in its evasion capabilities. BlackFog researchers have identified that OnyxC2 targets over 210 applications, including numerous browsers, extensions, password managers, cryptocurrency wallets, FTP clients, and email clients. The stealer’s capabilities extend beyond credential harvesting, incorporating features like hidden virtual network computing (HVNC), LSASS memory dumping, and a reverse SOCKS5 proxy. Delivery is achieved through DLL sideloading, where a malicious DLL is appended to legitimate content within a signed application, making it appear valid. The payload remains encrypted until runtime, further hindering detection. The package also includes pre-made lure installers to aid in distribution.
The MaaS model lowers the barrier to entry for malicious actors, providing a complete operational kit with evasion, panel access, and support, turning a single infection into persistent access across a user’s digital life.

Source: Security Affairs
Laura French
SC Staff
Copyright © 2026 CyberRisk Alliance, LLC All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.