Arkanix Stealer MaaS advertised on forums targeted 22 browsers and crypto wallets

A technical analysis by Kaspersky found that in October 2025 a malware-as-a-service (MaaS) offering called Arkanix Stealer was advertised on dark web forums; its implants targeted 22 browsers and cryptocurrency wallets.

KEY FACTS

  • Incident: Forum posts and a Discord server promoted Arkanix in October 2025
  • Delivery: Phishing lures with Python loaders and native C++ executables
  • Targets: 22 browsers plus gaming clients and multiple crypto wallets
  • Infrastructure: Domains arkanix.pw and arkanix.ru observed

Forum posts linked to a Discord server used for promotion and to a sign-in panel that was taken offline around December 2025. The initial delivery vector is not certain, but file names and loaders indicate phishing lures were used.

Two main implementations were observed. A Python version downloads its configuration from panel endpoints and can update its feature set dynamically. A native C++ version contains a hardcoded feature set and embeds a public browser post-exploitation tool known as ChromElevator.

The feature list in the malware matches the one described in the G DATA report. Capabilities include system enumeration, saved passwords, cookies, OAuth2 tokens, browser extension data and targeted extraction of cryptocurrency related entries.

Other capabilities include Telegram tdata exfiltration, Discord credential theft with configurable self-spreading, VPN credential extraction for specific vendors, file collection using predefined paths and filenames, RDP file harvesting and, in the native build, screenshots from each monitor. Additional modules such as a wallet patcher and extra collectors are downloaded from the command-and-control server and decrypted locally.

In the analysed samples, data exfiltration used AES-GCM with PBKDF2 for key derivation. Observed infrastructure included the domains arkanix.pw and arkanix.ru. The panel and the Discord server were taken down without public notice during December 2025.
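To operationalise the two observed domains in log review, here is an added example (not from the Kaspersky analysis): a small scanner over constructed DNS/proxy log lines that matches on whole domain labels, so subdomains of arkanix.pw and arkanix.ru are caught while look-alike names are not. The four-field log format and the sample lines are assumptions for the demonstration.

```python
# Added example (not from the Kaspersky analysis): flag DNS/proxy log lines that
# resolve or connect to the Arkanix infrastructure named in the reporting,
# arkanix.pw and arkanix.ru. Matching is done on whole domain labels so that
# "panel.arkanix.pw" matches but "notarkanix.ru" or "arkanix.pw.example.com" does not.
from typing import Optional
from urllib.parse import urlsplit

# Domains observed in the reporting; extend from your own threat intel.
ARKANIX_DOMAINS = frozenset({"arkanix.pw", "arkanix.ru"})


def matches_infrastructure(host: str, watchlist=ARKANIX_DOMAINS) -> bool:
    """True if host equals a watchlisted domain or is a subdomain of one."""
    host = host.strip().lower().rstrip(".")  # normalise case and trailing dot
    return any(host == d or host.endswith("." + d) for d in watchlist)


def extract_host(line: str) -> Optional[str]:
    """Pull the queried/contacted host out of a log line (assumed format)."""
    # Assumed log format: "<ts> <src_ip> <event> <target>", where target is
    # a bare hostname (DNS query) or a URL (proxy CONNECT/GET).
    parts = line.split()
    if len(parts) < 4:
        return None
    target = parts[3]
    if "://" in target:
        return urlsplit(target).hostname  # hostname is returned lowercased
    return target


def scan_log(lines):
    """Return (line, host) pairs that touch watchlisted infrastructure."""
    hits = []
    for line in lines:
        host = extract_host(line)
        if host and matches_infrastructure(host):
            hits.append((line, host))
    return hits


# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    "2025-11-03T09:12:01Z 10.0.0.7 dns_query panel.arkanix.pw",
    "2025-11-03T09:12:02Z 10.0.0.7 http_connect https://ARKANIX.RU:443/api/cfg",
    "2025-11-03T09:13:11Z 10.0.0.9 dns_query notarkanix.ru",
    "2025-11-03T09:13:12Z 10.0.0.9 dns_query arkanix.pw.example.com",
    "2025-11-03T09:14:00Z 10.0.0.7 dns_query updates.example.org",
]

if __name__ == "__main__":
    for line, host in scan_log(SAMPLE_LOG):
        print(f"ALERT {host}: {line}")
```

Run against the sample, only the first two lines are reported; the two look-alike names are correctly ignored.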

WHY IT MATTERS

Arkanix collected a wide range of sensitive data from browsers, wallets and gaming clients, which increases the risk to cryptocurrency holders and to users with stored credentials. The campaign shows how packaged MaaS offerings can combine multiple loaders and downloadable modules to broaden their impact.