XSS flaw in StealC control panel exposed sessions and millions of cookies


A cross-site scripting vulnerability in the web control panel used by StealC operators allowed outsiders to collect system fingerprints, monitor active sessions and exfiltrate session cookies. In a technical analysis by CyberArk the researchers said they exploited the flaw to collect active sessions and take cookies and that a single customer accumulated more than 5,000 logs containing about 390,000 stolen passwords and over 30 million stolen cookies.

KEY FACTS

  • Incident: XSS in StealC control panel allowed theft of cookies and sessions.
  • Scale: One customer produced over 5,000 logs, roughly 390,000 passwords and more than 30 million cookies.
  • Distribution: StealC was spread via YouTube and social engineering lures.
  • Leak: The panel's admin source code was leaked, exposing operator data.

Cross-site scripting runs attacker JavaScript in a victim's browser when a vulnerable page is loaded. Exploitation allowed outsiders to capture cookies and session data from the panel interface itself.

The panel's administration source code was later leaked and analysed by Lumma Labs, which helped identify operator machine fingerprints and active sessions.

One StealC customer, tracked as YouTubeTA, used YouTube to distribute cracked software and amassed the large trove of logs and cookies. Most of the cookies were assessed as tracking or other non-sensitive cookies.

Operational mistakes exposed the operator in mid-July 2025 after they connected to the panel without a VPN and their IP resolved to a Ukrainian provider, TRK Cable TV. The panel showed a single admin account running on an Apple M3 machine with English and Russian language settings, and it did not set basic cookie protections such as HttpOnly on session cookies.
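As an added example that is not the article's code nor CyberArk's or Lumma Labs' tooling, this Node.js snippet shows why the missing HttpOnly flag mattered: it parses Set-Cookie headers, reports which session-cookie protections are absent, and lists which cookies an injected script could read through document.cookie. The cookie names and values are constructed, and "panel_session" is a hypothetical name.

```javascript
// Added example: audit Set-Cookie headers for the protections a session cookie needs.
// Not code from the StealC panel or from the published analyses; sample headers are constructed.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('='); // split only on the first '=' so values with padding survive
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=').map((s) => s.trim());
    const key = k.toLowerCase(); // attribute names are case-insensitive
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').toLowerCase();
  }
  return cookie;
}

// Returns the list of findings for a cookie that carries session state.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.httpOnly) findings.push('missing HttpOnly: readable via document.cookie, so any XSS can exfiltrate it');
  if (!c.secure) findings.push('missing Secure: may be sent over plain HTTP');
  if (c.sameSite === null || c.sameSite === 'none') findings.push('SameSite not restrictive: sent on cross-site requests');
  return findings;
}

// What an injected script can see: document.cookie exposes only cookies set without HttpOnly.
function visibleToScript(headers) {
  return headers.map(parseSetCookie).filter((c) => !c.httpOnly).map((c) => c.name);
}

// Hypothetical weak setting (as described for the panel) beside the hardened form.
const WEAK = 'panel_session=c0ffee; Path=/';
const HARDENED = 'panel_session=c0ffee; Path=/; HttpOnly; Secure; SameSite=Strict';

console.log('weak:', auditSessionCookie(WEAK));
console.log('hardened:', auditSessionCookie(HARDENED));
console.log('readable by script:', visibleToScript([WEAK, 'tracking_id=abc; Path=/']));
```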

WHY IT MATTERS

The flaw highlights that malware-as-a-service infrastructure carries its own operational security risks, and that coding flaws in it can expose large caches of stolen credentials and cookies for analysis.