OnyxC2 stealer sold as a service targets over 210 applications

As reported by Security Affairs, OnyxC2 has emerged as a new malware-as-a-service (MaaS) stealer, aggressively targeting a wide array of applications and employing sophisticated evasion techniques to avoid detection.

OnyxC2 is being sold on cybercrime forums for as little as $250 per month, and its developers offer refunds if their builds are detected, which signals confidence in the malware's evasion capabilities. BlackFog researchers found that OnyxC2 targets over 210 applications, including numerous browsers, browser extensions, password managers, cryptocurrency wallets, FTP clients, and email clients. Its capabilities extend beyond credential harvesting to features such as High-Volume Network Interface (HVNC), LSASS memory dumping, and a reverse SOCKS5 proxy. Delivery relies on DLL sideloading: a malicious DLL is appended to legitimate content within a signed application, so execution appears to originate from a trusted binary. The payload stays encrypted until runtime, which further hinders static detection, and the package ships with pre-made lure installers to aid distribution.
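The two techniques above, a signed host binary sideloading an unsigned DLL and a non-system process reading LSASS memory, both leave telemetry that defenders can alert on. The following is an added example, not code from the article or from BlackFog, that runs two such checks over constructed Sysmon-style ImageLoad (Event ID 7) and ProcessAccess (Event ID 10) lines; the simplified key=value log layout, the sample paths and the LSASS reader allowlist are assumptions for illustration.

```python
import re

# Constructed sample lines in a simplified key=value layout modelled on Sysmon
# Event ID 7 (ImageLoad) and Event ID 10 (ProcessAccess); not real telemetry.
SAMPLE_EVENTS = [
    # benign: signed app loads the genuine system DLL
    "id=7 image=C:\\Vendor\\app.exe imageloaded=C:\\Windows\\System32\\version.dll imagesigned=true dllsigned=true",
    # suspicious: signed app loads an unsigned same-named DLL from its own folder
    "id=7 image=C:\\Users\\u\\Downloads\\Viewer\\viewer.exe imageloaded=C:\\Users\\u\\Downloads\\Viewer\\version.dll imagesigned=true dllsigned=false",
    # benign: an allowlisted OS process touching lsass
    "id=10 source=C:\\Windows\\System32\\csrss.exe target=C:\\Windows\\System32\\lsass.exe access=0x1FFFFF",
    # suspicious: the sideloaded viewer opening lsass with PROCESS_VM_READ set
    "id=10 source=C:\\Users\\u\\Downloads\\Viewer\\viewer.exe target=C:\\Windows\\System32\\lsass.exe access=0x1010",
]
PROCESS_VM_READ = 0x0010                       # access bit needed to read LSASS memory
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe"}  # assumption: tune to your own estate
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_event(line: str) -> dict:
    """Turn 'key=value key=value' into a dict (sample values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def split_path(path: str) -> tuple:
    # (lower-cased directory with trailing backslash, lower-cased file name)
    d, _, f = path.lower().rpartition("\\")
    return d + "\\", f

def is_sideload(ev: dict) -> bool:
    """Signed EXE loading an unsigned DLL from its own, non-system directory."""
    if ev.get("id") != "7":
        return False
    exe_dir, _ = split_path(ev["image"])
    dll_dir, _ = split_path(ev["imageloaded"])
    signed_host = ev.get("imagesigned") == "true" and ev.get("dllsigned") == "false"
    return signed_host and dll_dir == exe_dir and not dll_dir.startswith(SYSTEM_DIRS)

def is_lsass_read(ev: dict) -> bool:
    """Non-allowlisted process opening lsass.exe with PROCESS_VM_READ in GrantedAccess."""
    if ev.get("id") != "10" or split_path(ev["target"])[1] != "lsass.exe":
        return False
    if split_path(ev["source"])[1] in LSASS_ALLOWLIST:
        return False
    return bool(int(ev["access"], 16) & PROCESS_VM_READ)

def triage(lines: list) -> list:
    # run both checks over raw lines and return one finding string per hit
    findings = []
    for ev in map(parse_event, lines):
        if is_sideload(ev):
            findings.append(f"possible DLL sideload: {ev['image']} loaded {ev['imageloaded']}")
        elif is_lsass_read(ev):
            findings.append(f"LSASS read by {ev['source']} (GrantedAccess {ev['access']})")
    return findings
```

Running `triage(SAMPLE_EVENTS)` yields two findings, one for each suspicious line, and nothing for the benign ones; in production the allowlist should be built from observed legitimate LSASS readers (security agents, system processes) rather than the two names assumed here.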

The MaaS model lowers the barrier to entry for malicious actors, providing a complete operational kit with evasion, panel access, and support, turning a single infection into persistent access across a user's digital life.

Source: Security Affairs
