Hackers Use OnyxC2 Malware-as-a-Service to Steal Credentials From 210 Applications
A new and dangerous credential-stealing tool called OnyxC2 has emerged in the cybercrime underground, showing just how easy it has become for even low-skilled attackers to run a professional hacking operation.
Sold as a complete package for $250 a month, the malware gives buyers everything they need to quietly drain login data from victims worldwide. What makes it stand out is the scale of what it targets: over 210 applications and browser extensions in one sweep.
OnyxC2 is marketed like legitimate commercial software, complete with a web panel, a payload builder, tiered pricing, and refunds if a build gets flagged.
For a monthly fee, buyers get a kit that steals browser credentials, password manager data, two-factor authentication codes, and crypto wallet information. The stolen data is shipped back through an encrypted channel, making it harder for security tools to catch in transit.
Analysts at Blackfog identified the malware and published their findings in a report shared with Cyber Security News (CSN), revealing the full scope of what OnyxC2 can do and how it evades detection.
The research team obtained live builds, ran them in sandbox environments, and confirmed that the tool is actively reaching live command-and-control infrastructure.
The malware is written in C++, using assembly code to bypass security rules at the system level. Each build is mutated before delivery to break antivirus signature detection, and the developer claims a 99% evasion rate.

Blackfog’s tests confirmed this: both sample builds submitted to VirusTotal came back clean on first upload, with the malicious component still undetected as of May 30, 2026.
The damage potential is very real. One infected machine shown in the panel had already surrendered 55 saved passwords, 4,717 cookies, 719 autofill entries, credit card data, and a crypto wallet, all from a single host.
That kind of haul can unlock banking systems, business accounts, and cloud services in one shot.
Hackers Use OnyxC2 Malware-as-a-Service
The breadth of OnyxC2’s target list sets it apart from simpler stealers. It reaches 37 Chromium-based browsers and 8 Gecko-based browsers, plus 95 Chromium and 14 Gecko extensions, including 6 dedicated two-factor authentication tools. Even accounts protected by 2FA are not safe from this threat.

The stealer also covers 5 password managers, 17 cryptocurrency wallets, 11 FTP clients, and 5 email clients. A stealer that grabs password manager data alongside active session cookies can access accounts even after a victim changes their password.
The FTP and email targets push its reach beyond personal accounts and into business systems that finance and operations teams use every day.
Beyond credential theft, OnyxC2 bundles a full remote-access toolkit. Operators can use HVNC to control a hidden browser session, run a keylogger, take screenshots, and manage files remotely.

A reverse SOCKS5 proxy and a built-in Tor tunnel round out the toolkit, letting attackers route traffic anonymously.
Fake Installer Delivery and Evasion
OnyxC2 reaches victims through fake installer packages disguised as legitimate software downloads. The lures found by researchers included packages mimicking Fling-Standalone, FinePrint, SystemSettings, and fake Windows update files.
Each malicious archive is password-protected, helping it slip past automated scanning tools that must open files to inspect them.
Inside each fake archive is a two-file package built for DLL sideloading. The first file is a legitimately signed application that Windows trusts without question, and the second is a malicious DLL named to match a library the signed program loads at startup.
When the victim runs what looks like an installer, the trusted program unknowingly loads the attacker’s code from the same folder.
The malicious DLL is bloated past 120 MB by mimicking a real NVIDIA graphics library, with genuine-looking exported function names embedded inside.
Many antivirus scanners skip large files to save time, and the actual payload sits encrypted inside, only decrypting at runtime.
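The two evasion tricks described above, password-protected archives that scanners cannot open and an oversized DLL whose payload sits encrypted until runtime, both leave measurable traces that a defender can check for before a file reaches an endpoint. The following script is an added example, not BlackFog's or CSN's code: it lists ZIP members whose encryption flag is set, and it scores a PE image by size plus the highest per-window byte entropy, so that a large file with one near-random region stands out. The size and entropy thresholds and the sample archive and image it builds are assumptions constructed for the demonstration; the member contents are filler, not real binaries.

```python
"""Triage helpers for two evasion tricks: password-protected lure archives and
oversized DLLs carrying an encrypted (high-entropy) payload.
Added example, not BlackFog's or CSN's code; thresholds below are assumptions."""
import io
import math
import random
import zipfile
from collections import Counter

LARGE_IMAGE_BYTES = 100 * 1024 * 1024  # assumed cut-off; the article cites a DLL bloated past 120 MB
HIGH_ENTROPY = 7.2                      # assumed: bits/byte typical of encrypted or compressed data
WINDOW = 64 * 1024                      # entropy is measured per 64 KiB window so one packed region stands out


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for random/encrypted data, well below that for code and strings."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def encrypted_members(zip_bytes: bytes) -> list:
    """Names of ZIP entries with general-purpose flag bit 0 (encryption) set.
    A scanner that cannot open a member cannot inspect it, which is the point of the password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist() if info.flag_bits & 0x1]


def triage_image(data: bytes, *, size_threshold: int = LARGE_IMAGE_BYTES,
                 entropy_threshold: float = HIGH_ENTROPY) -> dict:
    """Size-plus-entropy heuristic for a PE image supplied as bytes.
    Flags images that are both oversized (the 'too big to scan' trick) and contain at least
    one window of near-random bytes (an encrypted payload waiting to be decrypted at runtime)."""
    windows = range(0, len(data), WINDOW) or [0]
    max_entropy = max(shannon_entropy(data[i:i + WINDOW]) for i in windows)
    return {
        "is_pe": data[:2] == b"MZ",
        "size": len(data),
        "oversized": len(data) >= size_threshold,
        "max_window_entropy": round(max_entropy, 2),
        "suspicious": len(data) >= size_threshold and max_entropy >= entropy_threshold,
    }


def build_sample_archive() -> bytes:
    """Constructed sample: a two-file ZIP (EXE next to a DLL, mirroring the sideloading layout)
    with the encryption flag forced on in the central directory. Python's zipfile cannot write
    encrypted entries, so the flag is patched in by hand; the member contents are filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Setup.exe", b"MZ" + b"\x90" * 62)
        zf.writestr("graphicslib.dll", b"MZ" + bytes(range(256)))  # placeholder name, not a real library
    data = bytearray(buf.getvalue())
    pos = data.find(b"PK\x01\x02")  # central directory file header signature
    while pos != -1:
        flags = int.from_bytes(data[pos + 8:pos + 10], "little") | 0x1
        data[pos + 8:pos + 10] = flags.to_bytes(2, "little")
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


def build_sample_image(size: int = 4 * WINDOW) -> bytes:
    """Constructed sample: an 'MZ' header, low-entropy filler, then one window of deterministic
    pseudo-random bytes standing in for the encrypted payload region."""
    rng = random.Random(1)
    payload = bytes(rng.getrandbits(8) for _ in range(WINDOW))
    filler = b"\x00" * (size - 2 - len(payload))
    return b"MZ" + filler + payload


if __name__ == "__main__":
    print("encrypted members:", encrypted_members(build_sample_archive()))
    # The size threshold is lowered here so the small constructed sample trips the check.
    print(triage_image(build_sample_image(), size_threshold=4 * WINDOW))
```

In practice the entropy check is cheap enough to run on every file above the size cut-off that a scanner would otherwise skip, and the archive check belongs at the mail or download gateway, where an encrypted member is a reason to quarantine rather than to pass the file through unread.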
Blackfog recommends enforcing anti-data-exfiltration controls at the endpoint, blocking outbound data transfers at the point of theft rather than relying solely on file scanning.
Indicators of Compromise
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Hackers Use OnyxC2 Malware-as-a-Service to Steal Credentials From 210 Applications appeared first on Cyber Security News.
Tushar Subhra Dutta