Blackfog: Hackers Use OnyxC2 Malware-as-a-Service to Steal Credentials From 210 Applications

OnyxC2: A Sophisticated Credential-Stealing Malware-as-a-Service Emerges

A new credential-stealing malware called OnyxC2 has surfaced in the cybercrime underground, offering low-skilled attackers a turnkey solution for large-scale data theft. Sold as a $250/month subscription, the malware provides a full suite of tools to harvest login credentials, two-factor authentication (2FA) codes, crypto wallet data, and more, targeting over 210 applications and browser extensions in a single attack.

Key Features & Capabilities

OnyxC2 is marketed like legitimate software, complete with a web dashboard, payload builder, and refund guarantees if builds are detected. The malware is written in C++ with assembly-level evasion techniques, mutating each build to bypass antivirus signatures. Blackfog researchers confirmed its effectiveness: two sample builds submitted to VirusTotal returned zero detections upon initial upload, and one remained undetected as of May 30, 2026.

The toolkit includes:

  • Credential theft from 37 Chromium-based browsers, 8 Gecko-based browsers, and 109 extensions (including 6 2FA tools).
  • Password manager data extraction (5 targeted), 17 crypto wallets, 11 FTP clients, and 5 email clients.
  • Remote access tools, including HVNC (hidden virtual network computing), keylogging, screenshot capture, and file management.
  • Reverse SOCKS5 proxy and Tor tunneling for anonymous traffic routing.

A single infected machine in Blackfog’s tests yielded 55 passwords, 4,717 cookies, 719 autofill entries, credit card details, and a crypto wallet, enough to compromise banking, business, and cloud accounts in a single breach.

Delivery & Evasion Tactics

OnyxC2 spreads via fake installers disguised as legitimate software (e.g., Fling-Standalone, FinePrint, SystemSettings) or fake Windows updates. These archives are password-protected to evade automated scanning. Inside, attackers use DLL sideloading, pairing a legitimately signed executable with a malicious DLL that mimics an NVIDIA graphics library. The DLL is bloated to 120+ MB to bypass size-based antivirus scans, with the payload decrypting only at runtime.

Infrastructure & Indicators of Compromise

Blackfog identified the following command-and-control (C2) infrastructure:

  • Domain: akmuniverstall[.]top (13/94 detections on VirusTotal)
  • C2 Endpoint: /backend/api/app.php
  • Cloudflare Fronting IPs: 104.18.20.213, 104.21.46.39, 172.67.223.39
  • Malicious Samples:
    • Signed sideload host: 41999a3d0da035ff8068905c90235ea50121329cb0661e38d745974ebf5e3ae2 (0/71 detections)
    • Malicious DLLs: 78945c844fc23dd3446cf17987edeeb6cc21986820c92df82a126af24a5a38d1, d89bb4b23a67814ef511e4e9dda7ad36fa519a322fa7c25ea451c7dd7ef61e54
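A defender-side triage check for two of the indicators above: the oversized DLL sitting next to an executable (the sideloading pattern from Delivery & Evasion Tactics) and the published SHA-256 values. This is an added example, not BlackFog's tooling; the 100 MB threshold and the file names in the constructed sample tree are assumptions, and the script identifies the executable half of the pair by extension only, without checking its Authenticode signature.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path
# SHA-256 values published in the report: the two malicious DLLs and the signed sideload host.
KNOWN_BAD_SHA256 = {
    "78945c844fc23dd3446cf17987edeeb6cc21986820c92df82a126af24a5a38d1",
    "d89bb4b23a67814ef511e4e9dda7ad36fa519a322fa7c25ea451c7dd7ef61e54",
    "41999a3d0da035ff8068905c90235ea50121329cb0661e38d745974ebf5e3ae2",
}
SIZE_THRESHOLD = 100 * 1024 * 1024  # report: DLL padded to 120+ MB; 100 MB is an assumed cutoff

def sha256_file(path, chunk=1 << 20):
    # Stream the file so a 120 MB padded DLL is never read into memory at once.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hunt(root):
    # Returns [(path, [reasons])] for every DLL under root that matches a report indicator.
    findings = []
    for dirpath, _, files in os.walk(root):
        has_exe = any(f.lower().endswith(".exe") for f in files)
        for name in files:
            if not name.lower().endswith(".dll"):
                continue
            path = Path(dirpath) / name
            reasons = []
            if path.stat().st_size >= SIZE_THRESHOLD:
                reasons.append("oversized DLL")
                if has_exe:  # bloated DLL beside an .exe: the sideload pairing the report describes
                    reasons.append("co-located with an executable (possible sideload pair)")
            if sha256_file(path) in KNOWN_BAD_SHA256:
                reasons.append("SHA-256 matches a published OnyxC2 sample")
            if reasons:
                findings.append((str(path), reasons))
    return findings

def demo():
    # Constructed sample tree: one clean exe/dll pair, one pair with a sparse 120 MB DLL.
    root = Path(tempfile.mkdtemp())
    for sub in ("clean", "suspect"):
        (root / sub).mkdir()
        (root / sub / "setup.exe").write_bytes(b"MZ placeholder")
    (root / "clean" / "helper.dll").write_bytes(b"MZ placeholder")
    with open(root / "suspect" / "fake_gfx.dll", "wb") as f:  # hypothetical filename
        f.truncate(120 * 1024 * 1024)  # sparse file stands in for the padded DLL
    findings = hunt(root)
    shutil.rmtree(root, ignore_errors=True)
    return findings
```

Point `hunt()` at a user's Downloads or Temp directory to surface the pairing; a size hit alone is a lead to examine, not a verdict, since some legitimate installers also ship very large DLLs.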

The malware’s stealth and scalability make it a significant threat, particularly for organizations relying on password managers, 2FA, and cloud services. Blackfog’s findings underscore the growing accessibility of high-impact cybercrime tools in the underground market.

Source: https://cybersecuritynews.com/hackers-use-onyxc2-malware-as-a-service/

BlackFog cybersecurity rating report: https://www.rankiteo.com/company/blackfog

"id": "BLA1781281519",
"linkid": "blackfog",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'type': 'General public and organizations'}],
 'attack_vector': ['Fake installers',
                   'DLL sideloading',
                   'Fake Windows updates'],
 'data_breach': {'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Credentials',
                                              '2FA codes',
                                              'Crypto wallet data',
                                              'Cookies',
                                              'Autofill entries',
                                              'Credit card details']},
 'date_detected': '2026-05-30',
 'description': 'A new credential-stealing malware called OnyxC2 has surfaced '
                'in the cybercrime underground, offering low-skilled attackers '
                'a turnkey solution for large-scale data theft. Sold as a '
                '$250/month subscription, the malware provides tools to '
                'harvest login credentials, 2FA codes, crypto wallet data, and '
                'more targeting over 210 applications and browser extensions.',
 'impact': {'data_compromised': ['Login credentials',
                                 '2FA codes',
                                 'Crypto wallet data',
                                 'Credit card details',
                                 'Cookies',
                                 'Autofill entries'],
            'identity_theft_risk': 'High',
            'payment_information_risk': 'High',
            'systems_affected': ['Windows machines']},
 'initial_access_broker': {'entry_point': ['Fake installers',
                                           'DLL sideloading']},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The growing accessibility of high-impact cybercrime tools '
                    'in the underground market poses significant threats, '
                    'particularly for organizations relying on password '
                    'managers, 2FA, and cloud services.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'root_causes': 'Evasion techniques (C++ with '
                                           'assembly-level mutations, bloated '
                                           'DLLs, Cloudflare fronting)'},
 'references': [{'date_accessed': '2026-05-30', 'source': 'Blackfog'}],
 'response': {'third_party_assistance': 'Blackfog researchers'},
 'title': 'OnyxC2: A Sophisticated Credential-Stealing Malware-as-a-Service '
          'Emerges',
 'type': 'Malware-as-a-Service (MaaS)'}