
OnyxC2 Stealer Offers Enterprise-Grade Theft

June 12, 2026 04:04 · 12 min read

Introduction to OnyxC2 Stealer

The OnyxC2 stealer has emerged on a cybercrime network, available through Malware-as-a-Service (MaaS) for hire starting at $250 per month. This rental price is at the higher end of stealer costs, primarily justified by its stealth and extensive reach.

The developers of OnyxC2 offer several options to potential customers: a 'normal' option at $250 per month, and a 'premium' option (which includes HVNC) at $500 per month. They also offer refunds if the build gets detected, demonstrating their confidence in the product's capabilities.

Purchase Options and Pricing

A third option, described as 'private', includes the source code, installation guide, and the option for the developers to install it for the customer if needed. This option is priced at $6,000, but it does not specify a monthly price, implying an outright purchase.

Analysis of OnyxC2 Stealer

Researchers at BlackFog obtained and analyzed two samples of the OnyxC2 stealer. They found that it is software sold and supported like a commercial product, making it accessible to buyers who could never write such a tool themselves.

The package includes several ready-made lures, such as FinePrint, SystemSettings, fake Windows update packages, and Fling-Standalone for gamers. OnyxC2's reach is extensive: it can harvest data from 37 Chromium-based and 8 Gecko-based browsers, 95 Chromium and 14 Gecko extensions, 5 password managers, 17 cryptocurrency wallets, 11 FTP clients, and 5 email clients.

Targets and Capabilities

According to BlackFog, the OnyxC2 stealer can target roughly 210 applications and extensions across nine categories. This includes VPN, remote access, messaging, note-taking, and gaming targets, pushing it past consumer credential theft and into business systems that small finance and operations teams rely on.

One infected host showed that the stealer had already surrendered 55 saved passwords, 4,717 cookies, 719 autofill entries, 2 cards, and a wallet. The stealer is paired with a remote-access toolkit that provides HVNC over a web browser, LSASS dumping, RunPE in memory and on disk, a reverse SOCKS5 proxy, screenshot capture, a keylogger, a file manager, a reverse shell over HTTP, a built-in Tor tunnel, and AES-256-encrypted build downloads.

Stealth and Persistence

BlackFog verified the stealth of the OnyxC2 stealer. Both delivery archives came back clean on their first VirusTotal upload, and the malicious component inside them was still unflagged when last checked on May 30, 2026. The build downloads are encrypted with AES-256, and within the build is a legitimate application with a valid Authenticode signature, showing zero detections across 71 engines on VirusTotal.

The malicious DLL is disguised as an NVIDIA graphics library: the legitimate library content comes first, with the payload appended after it. When the victim runs the installer for the signed application, the application loads the malicious DLL alongside it (DLL sideloading). The appended payload stays encrypted until runtime, and is only decrypted once the stealer is loaded and starts its harvesting.
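One check a defender can run over a suspect DLL like this, added here as an example that is not BlackFog's or SecurityWeek's code: parse the PE section table, measure the bytes appended past the last section (the overlay), subtract any Authenticode certificate table (which legitimately lives in that region), and report the entropy of what remains, since an encrypted blob reads as near-random. The minimal PE image and the stand-in payload bytes are constructed inside the block; `overlay_info` and `build_sample` are names chosen for this example.

```python
import math
import struct
from collections import Counter

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: near 8.0 means compressed or encrypted data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def overlay_info(pe: bytes) -> dict:
    """Locate bytes appended after the last PE section (the 'overlay').
    The Authenticode certificate table also lives in the overlay, so it is
    carved out: only the remaining bytes are reported as unexplained."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsects = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    # data directory 4 (certificate table) sits at +128 in PE32, +144 in PE32+
    sec_dir = opt + (128 if magic == 0x10B else 144)
    cert_off, cert_size = (struct.unpack_from("<II", pe, sec_dir)
                           if opt_size >= sec_dir - opt + 8 else (0, 0))
    end = opt + opt_size + nsects * 40          # end of the section table
    for i in range(nsects):                     # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = pe[end:]
    signed = cert_size if cert_size and cert_off >= end else 0
    unexplained = overlay
    if signed:                                  # drop the signature blob from the overlay
        rel = cert_off - end
        unexplained = overlay[:rel] + overlay[rel + cert_size:]
    return {"overlay_offset": end, "overlay_size": len(overlay),
            "signature_bytes": signed, "unexplained_bytes": len(unexplained),
            "entropy": round(shannon_entropy(unexplained), 3)}

def build_sample(overlay: bytes) -> bytes:
    """Constructed minimal PE32 (one .text section, unsigned) for the demo only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                 # PE32 magic, rest zeroed
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + sect).ljust(0x200, b"\0") + bytes(range(256)) * 2 + overlay

# constructed stand-in for an encrypted blob: every byte value occurs equally often
FAKE_PAYLOAD = bytes((i * 97 + 13) & 0xFF for i in range(4096))
```

A large, high-entropy overlay on a file that claims to be a plain vendor DLL is a triage signal, not a verdict: installers and self-extracting archives carry legitimate overlays, so confirm with the signature status and the loading process before acting.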

Conclusion

A stealer with this reach turns one compromised workstation into standing access across a person's working life. The combination of its stealth and persistence helps ensure that this standing access lasts for an extended period. The existence of OnyxC2 demonstrates that the stealer threat is not going away, but is instead growing in sophistication and impact.

As the cybersecurity landscape continues to evolve, it is essential to stay informed about the latest threats and trends. The OnyxC2 stealer is a prime example of the growing sophistication of malware and the need for robust security measures to protect against such threats.


Source: SecurityWeek
