Remember last week's CyberArk article about exploiting an XSS vulnerability in the StealC web panel? A user on the XSS forum has responded to it.

Machine translation of the post

About the recent news about the “hack” of the panel

News began to spread about the alleged hack of the stealc user panel. At first, we didn’t see the point in writing anything, but not everyone is attentive, and in order to prevent further spread of fake news, we are writing this message.

The news is completely irrelevant. The article refers to admin panel 2.4.4 (which was released back in May 2025 and was replaced by version 2.5 in June 2025). There was also a very controversial situation where access was gained not to the admin panel via XSS, but to the server via SSH — subsequently, we encountered a couple more times that researchers are not particularly shy about using illegal tools for such performances.
We caught that hack in real time thanks to a user who wrote to us (admin panels are located on client servers, there is no common admin panel, etc.), which allowed us to release a fix.

We don’t know why the researchers took six months to do this; apparently, they had nothing to write about in January, so they remembered a case from mid-2025 in which they had success with one (there is a theory that they were able to get into three admin panels, but we didn’t find any traces of them at the time).

Also in December, we recorded attempts by two users to “break into” the admin panel using similar XSS attacks. Thanks to users who reported the attacks in real time, we observed attempts by the researcher to make the XSS work, but this time we didn’t let them off the hook and spammed their backend with some not-so-censored messages to accept cookies 🙂

As for the current version (2.11.0, released in January 2026), it does not have such vulnerabilities. In fact, the researchers responsible for this article were essentially testers, for which we are very grateful to them.

Apparently, the guys remembered the case from May 2025, tried to pull off a similar trick in December, and when they found out that it had been fixed six months ago, they published an article.