Security researchers at CyberArk discovered a critical flaw in StealC malware’s infrastructure. Using an XSS vulnerability, they gained access to the panel sessions of cybercriminals who were themselves in the business of stealing cookies.
StealC is an infostealer that has been active since early 2023 and is offered as Malware-as-a-Service (MaaS). The platform focuses on stealing cookies, passwords, and other sensitive data from infected computers. The market for this type of malware exploded in 2025, with infostealers responsible for 86 percent of all data breaches and stealing 1.8 billion login credentials worldwide.
In the spring of 2025, the StealC group experienced turbulent months. Immediately after the release of version 2, the web panel leaked. TRAC Labs then published a technical analysis that questioned the quality of the malware. What did not make headlines at the time turned out to be much more damaging in retrospect. During analysis of the leaked code, researchers discovered a vulnerability that allowed them to observe StealC operators.
YouTube as a distribution channel
The researchers focused on one specific operator, called YouTubeTA. This attacker distributed StealC via YouTube channels by disguising malware as cracked versions of Adobe Photoshop and After Effects. The build IDs in the system had names such as ‘YouTube’, ‘YouTube2’, and ‘YouTubeNew’, which gave away the distribution tactic.
YouTubeTA had over 5,000 stolen logs on the command-and-control server. These contained 390,000 passwords and more than 30 million cookies. Screenshots automatically taken by StealC upon infection showed that victims were searching for illegal software on YouTube. The YouTube channels often had thousands of followers and older, legitimate-looking videos, which made them appear more trustworthy.
Fingerprints from Ukraine
By exploiting the XSS vulnerability, researchers collected system data from the operator. YouTubeTA ran on an Apple device with an M3 processor and supported English and Russian. The time zone pointed to Eastern Europe. In July 2025, the criminal made a mistake: accessing the panel without a VPN. The IP address turned out to be from Ukrainian provider TRK Cable TV, consistent with previous findings.
The hardware and software characteristics remained constant with each trigger of the XSS payload. This suggested a single person rather than a group. The StealC panel does support multiple users, but only one account was active on YouTubeTA: Admin. The accuracy of these fingerprints gave researchers unique insight into the operation.
Weakness of the MaaS model
The XSS flaw in the StealC panel illustrates a fundamental vulnerability of Malware-as-a-Service. Criminals who outsource their infrastructure to third parties become dependent on the quality of that code. StealC developers did not set the HttpOnly attribute on the panel’s cookies, a basic measure that keeps cookies out of reach of injected script and could have blunted an XSS attack like this one.
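To make the HttpOnly point concrete, the following is an added example (not code from CyberArk, the StealC panel, or the article) that audits Set-Cookie headers for the attributes that limit what injected script can reach, and simulates what document.cookie would expose to page script. The header strings, cookie names and values are constructed for the example.

```javascript
// Added example: audit Set-Cookie headers and show why HttpOnly matters against XSS.
// All headers below are constructed samples, not captured from any real panel.

// Parse one Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Report the defensive attributes a session cookie is missing.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attributes.httponly) {
    findings.push('missing HttpOnly: readable via document.cookie by injected script');
  }
  if (!c.attributes.secure) {
    findings.push('missing Secure: may be sent over plaintext HTTP');
  }
  if (!c.attributes.samesite) {
    findings.push('missing SameSite: attached to cross-site requests');
  }
  return { name: c.name, findings };
}

// Simulate the browser's document.cookie view: HttpOnly cookies are hidden from script,
// so an XSS payload on the page can only read the ones without that attribute.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attributes.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// The header a panel should emit for its session cookie (constructed values).
function hardenedSetCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Weak configuration of the kind the article describes, versus the hardened form.
const WEAK_SESSION = 'session=s3ss10n-constructed; Path=/';
const HARDENED_SESSION = hardenedSetCookie('session', 's3ss10n-constructed');
const THEME_COOKIE = 'theme=dark; Path=/';

console.log(auditCookie(WEAK_SESSION));
console.log(auditCookie(HARDENED_SESSION));
console.log('script sees (weak):    ', scriptVisibleCookies([WEAK_SESSION, THEME_COOKIE]));
console.log('script sees (hardened):', scriptVisibleCookies([HARDENED_SESSION, THEME_COOKIE]));
```

Running the block shows that with the weak header the session cookie appears in the script-visible string, while with the hardened header only the non-sensitive theme cookie does. HttpOnly does not fix the XSS itself; it removes the session cookie as the easy prize, which is exactly the gap the article says the StealC panel left open.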
The MaaS market grew explosively, with infostealer attacks increasing by 58 percent in 2024. Platforms are available for a few hundred dollars a month, making cybercrime accessible to users with little technical expertise. But that democratization comes with risks. YouTubeTA’s success, with thousands of victims in a few months, shows the power of MaaS. The exposure through poor panel security shows the downside.
CyberArk did not share all the details of the vulnerability. This is to prevent StealC developers from fixing the problem or others from using the leaked panel for their own operations. However, the findings offer hope for researchers and law enforcement. If these weaknesses are typical of MaaS infrastructure, new opportunities will arise to identify malware operators.