
The XSS exploit provides unprecedented visibility into a live cybercrime infrastructure, enabling defenders to disrupt a rapidly growing MaaS platform and potentially deter future attacks.
The discovery of an XSS vulnerability in StealC's administration panel offers a rare glimpse into the operational heart of a modern malware-as-a-service (MaaS) offering. By injecting scripts into the panel, CyberArk analysts were able to capture the operators' session cookies and hardware fingerprints, effectively turning the attackers' own tools against them. This level of insight is uncommon: most threat-intel work relies on passive data collection or sinkhole traffic, whereas here the researchers directly accessed live command-and-control interfaces, revealing the attacker's system specifications, language settings, and even geographic location.
StealC's rapid evolution since its 2023 debut, adding Telegram bot alerts, template-based builders, and a polished web panel, has made it a favorite among cybercriminals seeking scalable data-theft operations. The XSS breach exposed a critical operational weakness: the operator had failed to route panel access through a VPN, which leaked a Ukrainian ISP IP address. This mistake not only pinpointed the threat actor's physical locale but also underscored a broader risk inherent in MaaS platforms: shared infrastructure becomes a single point of failure once it is exposed.
The strategic disclosure of the flaw serves a dual purpose. First, it disrupts ongoing campaigns by forcing operators to patch or abandon the compromised panel, buying defenders time to remediate compromised accounts and stolen credentials. Second, it signals to the cybercrime ecosystem that even sophisticated services can be infiltrated, potentially curbing the recent surge of StealC deployments linked to the Lumma drama. As defenders continue to weaponize such intelligence, the balance may shift toward more proactive, offensive-defense tactics in the fight against credential-stealing malware.