A sophisticated credential stealer known as OnyxC2 has emerged in the cybercrime landscape, attracting threat actors with an extensive exploitation toolkit offered for a subscription fee of 0 per month. The malware is being distributed through cleverly disguised lures, including counterfeit Windows update packages and seemingly legitimate software installers such as FinePrint.
OnyxC2 functions as a fully supported commercial product, offering buyers an automated payload builder, tiered licensing options, and a centralized web dashboard for managing compromised endpoints. The developer advertises a 99% detection-evasion rate, a claim bolstered by recent sandbox tests in which the initial delivery archives evaded detection by major antivirus solutions.
The core component of OnyxC2 is crafted in C++, utilizing direct system calls and mutating with each new build to evade signature-based detection mechanisms. Once activated, the malware swiftly collects data from approximately 210 applications, targeting 45 different web browsers, alongside various password managers, cryptocurrency wallets, and FTP clients.
Hackers Deliver OnyxC2 via Fake Updates
To effectively compromise victim machines, OnyxC2 operators employ a technique known as DLL sideloading, which hijacks the execution flow. The initial payload is delivered as a password-protected archive that contains a legitimate, digitally signed application alongside a heavily obfuscated malicious DLL. The presence of a valid Authenticode signature from a recognized software publisher often leads security products to trust the running process implicitly.
When a victim executes the deceptive installer, the trusted binary automatically loads the attacker’s DLL from the same local directory. The developers disguise their payload by inflating the DLL to over 133 megabytes, appending an encrypted blob to the end of genuine NVIDIA graphics library code. Analysis of different builds reveals a remarkably stable loader, with only about 0.58% of the file changing between variants.
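The inflation trick described above leaves a measurable trace: the bytes appended after the last PE section (the overlay) are both very large and near-random. The following Python triage check is an added example, not code from the article or from BlackFog; it parses the PE section table by hand, measures the overlay, and flags the combination of size and entropy. The thresholds, the field names and the constructed sample file are assumptions for illustration.

```python
# Added example: overlay triage for a sideloaded DLL with an appended encrypted blob.
# Heuristic: bytes past the last PE section that are large and high-entropy are a
# candidate for an appended, still-encrypted payload. Thresholds are assumptions.
import math
import struct
import hashlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or random data, lower for code and text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_image_end(data: bytes) -> int:
    """Offset just past the last section's raw data, per the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)   # FILE_HEADER+2
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)      # FILE_HEADER+16
    sect_table = e_lfanew + 24 + opt_size
    end = sect_table + num_sections * 40
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def overlay_report(data: bytes, min_overlay=1_000_000, min_entropy=7.5) -> dict:
    """Size and entropy of the overlay, plus a verdict on whether it looks like a blob."""
    overlay = data[pe_image_end(data):]
    ent = shannon_entropy(overlay)
    return {"overlay_bytes": len(overlay), "overlay_entropy": round(ent, 2),
            "suspicious": len(overlay) >= min_overlay and ent >= min_entropy}

def build_sample(overlay_bytes: int) -> bytes:
    """Constructed minimal one-section PE32+ with a pseudo-random overlay; test data only."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                 # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x86, 1)                    # NumberOfSections
    struct.pack_into("<H", hdr, 0x94, 0xF0)                 # SizeOfOptionalHeader
    sect = 0x80 + 24 + 0xF0                                 # first section header
    struct.pack_into("<II", hdr, sect + 16, 0x200, 0x200)   # raw size, raw pointer
    body = b"\x90" * 0x200                                  # section data: filler
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                      for i in range(overlay_bytes // 32 + 1))
    return bytes(hdr) + body + stream[:overlay_bytes]
```

Legitimately signed binaries also carry a small overlay (the Authenticode signature lives there), which is why the size threshold matters as much as the entropy threshold; treat a hit as a reason to pull the sample for analysis, not as a verdict on its own.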
The malicious code remains entirely encrypted on disk, decrypting the active payload directly into memory at runtime to thwart static analysis tools from examining the underlying instructions. OnyxC2 establishes a secure communication channel to a Cloudflare-fronted command-and-control (C2) server through a predefined endpoint, allowing it to manage infected hosts using a structured network protocol.
This protocol supports various commands, such as registering the machine’s hardware, reporting foreground window activity, and uploading stolen session cookies. Research from BlackFog indicates that the threat extends beyond consumer credential theft, posing significant risks to business environments by targeting the FTP and email clients frequently used by finance teams.
Because stolen session cookies and two-factor authentication (2FA) backup materials sidestep a standard password reset, a single compromised workstation can grant ongoing access to critical corporate infrastructure. Security researchers emphasize that while the delivery chain employs intricate evasion tactics, the operators only profit once the stolen data successfully leaves the host.
Implementing anti-data exfiltration (ADX) controls at the endpoint emerges as the most effective mitigation strategy, as it prevents unauthorized outbound transfers, regardless of which trusted process initially loaded the malware.