Inside OnyxC2: The New Stealer Targeting 210 Apps

OnyxC2 emerged in early 2026 as a malware-as-a-service stealer sold on cybercrime networks for $250 monthly. The platform includes a web panel, payload builder, and tiered pricing structure with refund guarantees. Written in C++ with assembly for direct syscalls, it targets approximately 210 applications across nine categories: 45 browsers, 109 extensions including 2FA tools, 5 password managers, 17 cryptocurrency wallets, 11 FTP clients, 5 email clients, and VPN/messaging applications. The stealer achieves 99% detection evasion through mutated builds and is delivered via DLL sideloading using signed binaries. Higher tiers unlock remote access capabilities including HVNC, LSASS dumping, reverse SOCKS5 proxy, keylogging, and reverse shell. Distribution occurs through fake installers delivered as password-protected archives, with C2 communication over Cloudflare-fronted HTTPS to akmuniverstall.top.

Pulse ID: 6a301309d410a2c508c138d4
Pulse Link: https://otx.alienvault.com/pulse/6a301309d410a2c508c138d4
Pulse Author: AlienVault
Created: 2026-06-15 14:58:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#2FA #Browser #Cloud #CyberCrime #CyberSecurity #Email #HTTP #HTTPS #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #Password #Proxy #SideLoading #VNC #VPN #Word #bot #cryptocurrency #hVNC #socks5 #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

OnyxC2 Malware Campaign Exploiting Fake Software Installers

A Malware-as-a-Service (MaaS) campaign using OnyxC2 is being used by threat actors to steal credentials and sensitive data from over 210 applications. The campaign delivers infostealer malware through fake software installers and uses evasion techniques to enable financial fraud and unauthorized access to accounts, systems and crypto assets.

Pulse ID: 6a2ce2ef1e1556ace79c78b3
Pulse Link: https://otx.alienvault.com/pulse/6a2ce2ef1e1556ace79c78b3
Pulse Author: cryptocti
Created: 2026-06-13 04:56:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #FinancialFraud #InfoSec #InfoStealer #MaaS #Malware #MalwareAsAService #OTX #OpenThreatExchange #bot #cryptocti


SilabRAT Trojan Targets Crypto Wallets with Session Hijacking

Meet SilabRAT, a sneaky Trojan that's been sold as a malware-as-a-service on dark web forums since late 2025, allowing cybercrooks to hijack crypto wallet sessions and swipe funds. For just $5,000 a month, attackers can get their hands on this powerful tool and start targeting unsuspecting crypto wallet users.

https://osintsights.com/silabrat-trojan-targets-crypto-wallets-with-session-hijacking?utm_source=mastodon&utm_medium=social

#Malwareasaservice #CryptoWalletMalware #SessionHijacking #Silabrat #Russia


Learn how SilabRAT Trojan uses session hijacking to target crypto wallets and take action now to protect your assets from this malware threat effectively today.

OSINTSights

SilabRAT, What's Your Power?

SilabRAT is an advanced Remote Access Trojan offered as Malware-as-a-Service on dark web forums since late 2025, developed by threat actor o1oo1 and sold for $5,000 monthly. This financially motivated tool focuses on credential theft and cryptocurrency operations, featuring Hidden Virtual Network Computing for invisible remote control, browser profile cloning to bypass session protections, and automated cryptocurrency wallet password cracking. The RAT bypasses Chrome App-Bound Encryption, performs session hijacking, and includes keylogging, clipboard monitoring, and remote desktop capabilities. Distributed through phishing and ClickFix campaigns with operator-hosted infrastructure, SilabRAT uses ChaCha20-Poly1305 encryption for command-and-control communications. The developer also offers AsmCrypt, a companion crypter service, creating a complete malware bundle from evasion to execution and remote control.

Pulse ID: 6a2951665d658e753b489765
Pulse Link: https://otx.alienvault.com/pulse/6a2951665d658e753b489765
Pulse Author: AlienVault
Created: 2026-06-10 11:58:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #ChaCha20 #Chrome #Clipboard #CyberSecurity #Encryption #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #Password #Phishing #RAT #RemoteAccessTrojan #Trojan #Word #bot #cryptocurrency #AlienVault


ClickFix Is Now Hiring: From Job Platform Impersonation to Python-Based RAT Delivery

A multi-stage phishing campaign emerged in early May 2026, impersonating LinkedIn and Indeed through typosquatted domains to deliver malicious payloads. The attack chain begins with fake CAPTCHA pages distributed via Google Ads, leveraging the legacy Finger protocol and native Windows utilities. Victims are tricked into executing commands that deploy portable Python runtimes (CPython or IronPython), which then execute in-memory shellcode. The campaign delivers CastleLoader, a Malware-as-a-Service framework using ChaCha20 and RC4 encryption for C2 communications, followed by a Python-based remote access trojan. The RAT provides interactive shell control, in-memory payload execution, and persistence mechanisms. The campaign represents an evolution of browser-based social engineering, combining Living-off-the-Land binaries with Python-based delivery to maintain a fileless footprint and evade detection through legitimate system utilities.

Pulse ID: 6a2201a331661aba15d362d1
Pulse Link: https://otx.alienvault.com/pulse/6a2201a331661aba15d362d1
Pulse Author: AlienVault
Created: 2026-06-04 22:52:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CAPTCHA #ChaCha20 #CyberSecurity #Encryption #Google #GoogleAds #InfoSec #LinkedIn #Malware #MalwareAsAService #OTX #OpenThreatExchange #Phishing #Python #RAT #RemoteAccessTrojan #SMS #ShellCode #SocialEngineering #Trojan #Windows #bot #AlienVault


Malware Campaigns Target Gamers, 86K Infected by CountLoader

A shocking 86,000 gamers have fallen victim to CountLoader, a sneaky malware campaign that's been targeting players since January 2026, and the masterminds behind it are making it easy for others to join the malicious party with their free, user-friendly malware service.

https://osintsights.com/malware-campaigns-target-gamers-86k-infected-by-countloader?utm_source=mastodon&utm_medium=social

#MalwareAsAService #Maas #Weedhack #Minecraft #Countloader


Discover how Weedhack malware targets gamers with Minecraft mods, infecting 86K systems. Learn how to protect yourself from this MaaS threat now.

OSINTSights

A stealthy RAT burrowing deep into Android devices

BTMOB is an Android remote access trojan that evolved from SpySolr malware and poses significant threats beyond traditional banking trojans. The malware combines phishing-led delivery with an APK builder interface that enables rapid payload generation without coding skills. Distributed through fake app stores impersonating streaming services, cryptocurrency platforms, and government agencies, BTMOB abuses Android Accessibility Services to gain elevated permissions. Marketed as malware-as-a-service with a reported $5,000 lifetime license, it provides adversaries with capabilities to exfiltrate sensitive data, capture screenshots, record device activity, and establish remote control. The tool's customizable phishing lures have been adapted for specific regions, including campaigns impersonating Argentine tax authorities, making it a rapidly evolving threat with global reach.

Pulse ID: 6a1cc51d7c8f832f819a0a43
Pulse Link: https://otx.alienvault.com/pulse/6a1cc51d7c8f832f819a0a43
Pulse Author: AlienVault
Created: 2026-05-31 23:32:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APK #Android #Bank #BankingTrojan #CyberSecurity #Government #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #Phishing #RAT #RemoteAccessTrojan #Trojan #bot #cryptocurrency #AlienVault


ESET Exposes BTMOB Android Malware Service

Meet BTMOB, a sneaky Android malware that's being sold as a subscription service - think $700/month or a one-time $5,000 fee for a lifetime license - making it easy for anyone to become a cyber threat actor. This malware-as-a-service platform even comes with a user-friendly APK builder, requiring zero coding skills.

https://osintsights.com/eset-exposes-btmob-android-malware-service?utm_source=mastodon&utm_medium=social

#AndroidMalware #Malwareasaservice #RemoteAccessTrojan #Maas #Rat


Discover BTMOB, an Android remote-access trojan offered as malware-as-a-service, and learn how to protect yourself from this threat today with expert insights.

OSINTSights

Mirax RAT Exploits Meta Apps to Infiltrate Android Devices

Beware of fake ads on Meta apps - a sneaky new malware called Mirax RAT is using them to secretly take control of Android devices, with a focus on Spanish-speaking nations. This remote access Trojan is part of a growing Malware-as-a-Service economy that's putting unsuspecting users at risk.

https://osintsights.com/mirax-rat-exploits-meta-apps-to-infiltrate-android-devices?utm_source=mastodon&utm_medium=social

#MiraxRat #Malwareasaservice #MetaApps #AndroidMalware #RemoteAccessTrojan


Learn how Mirax RAT exploits Meta apps to infiltrate Android devices via deceptive ads and take control. Discover the malware's tactics and protect your device now effectively.

OSINTSights

Mirax Trojan Hijacks Android Devices for Proxy Network

Meet Mirax, a sneaky new Android banking trojan that's not only stealing credentials, but also hijacking devices to create a powerful proxy network - putting European users at risk. This emerging malware is a triple threat, combining a malware-as-a-service model, remote access capabilities, and residential proxies to wreak havoc…

https://osintsights.com/mirax-trojan-hijacks-android-devices-for-proxy-network?utm_source=mastodon&utm_medium=social

#AndroidBankingTrojan #EmergingThreats #Malwareasaservice #ResidentialProxies #Maas


Learn how Mirax Trojan hijacks Android devices to build a proxy network and discover steps to protect yourself from this emerging threat now.

OSINTSights