Security researchers successfully exploited vulnerabilities in the StealC malware infrastructure, gaining access to operator control panels and exposing a threat actor\u2019s identity through their own stolen session cookies<\/a>. <\/p>\n The breach highlights critical security failures in criminal operations built around credential theft.<\/p>\n StealC, an information-stealing malware operating under a Malware-as-a-Service<\/a> model since early 2023, faced a significant setback when researchers discovered a cross-site scripting (XSS) vulnerability in its web panel following a code leak in spring 2025. <\/p>\n By exploiting this flaw, CyberArk Labs collected system fingerprints, monitored active sessions, and captured authentication cookies from the infrastructure designed to steal them. <\/p>\n The irony proved significant: operators specializing in cookie theft failed to implement basic security features, such as the httpOnly flag, that would have prevented cookie hijacking via XSS attacks.<\/p>\n Through panel access, researchers tracked a single operator designated \u201cYouTubeTA\u201d (YouTube Threat Actor) who maintained over 5,000 infection logs containing 390,000 stolen passwords and 30 million cookies. <\/p>\n Screenshots captured by the malware showed victims searching for cracked versions of Adobe Photoshop<\/a> and After Effects on YouTube, suggesting that YouTubeTA compromised legitimate YouTube channels with established subscriber bases to distribute StealC. <\/p>\n The operator\u2019s panel configuration included specific markers for studio.youtube.com credentials, indicating a strategy to hijack content creator accounts and expand malware distribution networks.<\/p>\n Panel fingerprinting identified YouTubeTA as a single operator using an Apple M3 processor, with consistent hardware signatures across all sessions, as reported <\/a>by CyberArk Labs . <\/p>\n Language preferences showed support for English and Russian, while timezone data indicated GMT+0300 (Eastern European Summer Time). <\/p>\n A critical operational security failure occurred when the operator briefly connected without VPN protection, revealing an IP address associated with Ukrainian ISP TRK Cable TV. <\/p>\n This breach demonstrates how MaaS supply chain vulnerabilities expose both infrastructure weaknesses and operator identities to security researchers.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Researchers Gain Access to StealC Malware Command-and-Control Systems<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nXSS Vulnerability Exposes StealC Operators<\/strong><\/h2>\n
![\"StealC](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2026\/01\/image-58-1024x485.png?resize=1024%2C485&ssl=1\")
![\"](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2026\/01\/image-59-1024x387.png?resize=1024%2C387&ssl=1\")
![\"Likely](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2026\/01\/image-60.png?ssl=1\")