VYPR research · Published Jun 11, 2026 · 1 source

OnyxC2 Stealer Offers Cybercriminals Enterprise-Grade Theft for $250 a Month

A new malware-as-a-service stealer called OnyxC2 is available for $250/month, targeting over 200 applications with advanced evasion techniques.

Researchers at BlackFog have detailed a new malware-as-a-service (MaaS) stealer called OnyxC2, which is being offered on cybercrime networks for a monthly rental fee starting at $250. The stealer targets over 200 applications and browser extensions, including password managers, two-factor authentication (2FA) extensions, cryptocurrency wallets, and email clients. Its advanced evasion techniques, such as encrypted payloads, DLL sideloading, and in-memory execution, make it a formidable threat to credential and data security.

OnyxC2 is available in several pricing tiers: a 'normal' version at $250 per month, a 'premium' version with HVNC (Hidden Virtual Network Computing) at $500 per month, and a 'private' option for $6,000 that includes source code and installation support. The developers even offer refunds if the build gets detected, indicating confidence in its stealth capabilities. BlackFog obtained and analyzed two samples, noting that the malware is sold and supported like a commercial product, putting enterprise-grade theft capabilities in the hands of less skilled cybercriminals.

The stealer's reach is extensive: it claims to target 37 Chromium-based and 8 Gecko-based browsers, 95 Chromium and 14 Gecko extensions (including six dedicated to 2FA), five password managers, 17 cryptocurrency wallets, 11 FTP clients, and five email clients. This breadth lets OnyxC2 harvest not only saved credentials and autofill data but also live session cookies, which let an attacker step into an already-authenticated session without the password or the second factor, and which remain valid after a password reset unless the service also revokes existing sessions. BlackFog reported that one infected host had already surrendered 55 saved passwords, 4,717 cookies, 719 autofill entries, two credit cards, and a cryptocurrency wallet.

To evade detection, OnyxC2 layers several techniques. The delivery archives came back clean on VirusTotal when first uploaded, and the malicious component was still undetected as of late May 2026. Build downloads are encrypted with AES-256. Inside the build is a legitimate application carrying a valid Authenticode signature, placed beside a malicious DLL disguised as an NVIDIA graphics library; when the victim runs the installer, the signed application loads that DLL from its own directory (classic DLL sideloading), so the malicious code executes under a trusted, signed parent process. The stealer payload is appended to the end of otherwise legitimate content and stays encrypted on disk; it is decrypted only at runtime, in memory, at which point harvesting begins.
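The two file-level traits described above, a DLL sitting beside a signed executable and a payload appended after the file's legitimate content, are cheap to check during triage. The script below is an added example written for this page, not code from BlackFog or from OnyxC2: it parses the PE section table by hand, measures any data past the last section (the "overlay"), and flags DLLs whose overlay is large and looks encrypted. The sample files, the file names (setup.exe, helper.dll, vendorlib.dll) and the thresholds are all constructed assumptions; nothing here checks the Authenticode signature itself.

```python
"""Triage a directory for a sideloaded DLL that carries an appended payload.

Added example, not code from BlackFog or from OnyxC2. It checks for the
pattern described above: a DLL placed beside an executable whose file
continues past the last PE section (an "overlay"), with the overlay looking
encrypted (high Shannon entropy). All sample files are constructed here.
"""
import math
import os
import random
import struct
import tempfile


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for encrypted or compressed data, lower for code/text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_overlay(data: bytes):
    """Return (offset, bytes) of data after the last section, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size            # start of the section table
    end = table + n_sections * 40               # at least the headers themselves
    for i in range(n_sections):
        entry = table + i * 40
        if entry + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        end = max(end, raw_ptr + raw_size)      # furthest byte any section owns
    end = min(end, len(data))
    return end, data[end:]


def build_minimal_pe(body: bytes, overlay: bytes = b"") -> bytes:
    """Build a tiny single-section PE64 image as a test fixture (not loadable)."""
    opt_size, e_lfanew, raw_ptr = 0xF0, 0x40, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(body), 0x1000,
                       len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = dos + coff + opt + sect
    return header + b"\0" * (raw_ptr - len(header)) + body + overlay


def triage_directory(path: str, min_overlay: int = 1024, min_entropy: float = 7.0) -> list:
    """Flag DLLs that sit next to an .exe and carry a large, high-entropy overlay."""
    names = sorted(os.listdir(path))
    exes = [n for n in names if n.lower().endswith(".exe")]
    findings = []
    if not exes:
        return findings
    for name in names:
        if not name.lower().endswith(".dll"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            data = fh.read()
        parsed = pe_overlay(data)
        if parsed is None:
            continue
        offset, overlay = parsed
        entropy = shannon_entropy(overlay)
        if len(overlay) >= min_overlay and entropy >= min_entropy:
            findings.append({"dll": name, "beside": exes, "overlay_offset": offset,
                             "overlay_size": len(overlay), "entropy": round(entropy, 2)})
    return findings


def demo() -> list:
    """Lay out a constructed install directory and triage it."""
    rng = random.Random(7)
    encrypted_blob = bytes(rng.randrange(256) for _ in range(4096))  # stands in for AES output
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "setup.exe"), "wb") as f:
            f.write(build_minimal_pe(b"\xcc" * 256))                   # the "signed" launcher
        with open(os.path.join(d, "helper.dll"), "wb") as f:
            f.write(build_minimal_pe(b"\x90" * 256))                   # benign DLL, no overlay
        with open(os.path.join(d, "vendorlib.dll"), "wb") as f:
            f.write(build_minimal_pe(b"\x90" * 256, encrypted_blob))   # payload appended
        return triage_directory(d)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Only vendorlib.dll is reported: its overlay begins at the end of the single section (0x200 + 256 bytes) and has near-maximal entropy. An overlay by itself is not proof of malice (installers and some packers carry benign overlays), which is why the check is combined with the entropy measure and the presence of a neighbouring executable rather than used alone.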

In addition to credential theft, OnyxC2 includes a remote-access toolkit with features such as HVNC over a web browser, LSASS dumping, RunPE in memory and on disk, a reverse SOCKS5 proxy, screenshot capture, a keylogger, a file manager, and a reverse shell over HTTP. It also includes a built-in TOR tunnel for anonymous communication. These capabilities suggest continuous development and a focus on persistence and stealth.
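LSASS dumping, one of the toolkit features listed above, leaves a reliable trace: the dumping process must open a handle to lsass.exe with at least PROCESS_VM_READ (0x0010), which Sysmon records as Event ID 10 (ProcessAccess). The script below is an added example written for this page, not from BlackFog's report or from OnyxC2; the log records, their tab-separated key=value layout, the allowlist of processes that legitimately touch LSASS and the path names in them are all constructed assumptions, and a real deployment would parse Sysmon's XML and tune the allowlist to its own host image.

```python
"""Flag suspicious handle opens on lsass.exe in Sysmon ProcessAccess (Event ID 10) data.

Added example; not from BlackFog's report or from OnyxC2. Dumping LSASS needs a
handle with at least PROCESS_VM_READ (0x0010). The records below, their field
layout (tab-separated key=value) and the allowlist are constructed for the
example; a real deployment would parse Sysmon's XML and tune the allowlist.
"""
PROCESS_VM_READ = 0x0010

# Assumption: processes that legitimately read LSASS memory on this host image.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

FIELDS = ("EventID", "SourceImage", "TargetImage", "GrantedAccess", "CallTrace")

# Constructed records; paths and addresses are invented for the example.
SAMPLE_RECORDS = [
    ("10", r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\lsass.exe",
     "0x1FFFFF", r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4"),                  # allowlisted
    ("10", r"C:\Users\victim\AppData\Local\Temp\Setup\vendor-setup.exe",
     r"C:\Windows\System32\lsass.exe", "0x1010",
     r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4|UNKNOWN(000001E3C0A40000)"),   # unbacked frame
    ("10", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\lsass.exe", "0x1410",
     r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4|C:\Windows\System32\KERNELBASE.dll+2c3a4"),
    ("10", r"C:\Program Files\Acme\agent.exe", r"C:\Windows\System32\lsass.exe",
     "0x1000", r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4"),                   # query-only
    ("10", r"C:\Users\victim\AppData\Local\Temp\Setup\vendor-setup.exe",
     r"C:\Windows\System32\notepad.exe", "0x1FFFFF",
     r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4"),                             # not LSASS
    ("1", r"C:\Users\victim\AppData\Local\Temp\Setup\vendor-setup.exe", "", "", ""),
]

SAMPLE_LOG = "\n".join(
    "\t".join(f"{k}={v}" for k, v in zip(FIELDS, rec)) for rec in SAMPLE_RECORDS
)


def parse_record(line: str) -> dict:
    """Split one tab-separated key=value record into a dict."""
    return dict(part.split("=", 1) for part in line.split("\t") if "=" in part)


def detect_lsass_access(log_text: str) -> list:
    """Return one alert per non-allowlisted process that opened lsass.exe for reading."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_record(line)
        if ev.get("EventID") != "10":
            continue
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        try:
            access = int(ev.get("GrantedAccess", "0"), 16)
        except ValueError:
            continue
        if not access & PROCESS_VM_READ:
            continue  # a handle that cannot read memory cannot dump credentials
        source = ev.get("SourceImage", "")
        if source.lower() in ALLOWLIST:
            continue
        # A frame in unbacked memory ("UNKNOWN") points at injected or in-memory code,
        # the RunPE-style execution the toolkit advertises.
        severity = "high" if "UNKNOWN" in ev.get("CallTrace", "") else "medium"
        alerts.append({"source": source, "access": hex(access), "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect_lsass_access(SAMPLE_LOG):
        print(alert)
```

On the constructed records this yields two alerts: the installer running from a user-writable Temp directory (high, because its call stack passes through unbacked memory) and PowerShell reading LSASS (medium). The agent that only asked for PROCESS_QUERY_LIMITED_INFORMATION and the allowlisted csrss.exe are ignored, as is the same installer opening a process other than LSASS. The mask bit test matters more than exact access values such as 0x1010 or 0x1410, because a dumper can request any superset that includes VM_READ.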

The emergence of OnyxC2 highlights the growing sophistication of stealer malware as a service. By offering enterprise-grade features at a relatively low cost, it lowers the barrier for cybercriminals to conduct large-scale credential theft. The combination of extensive targeting, advanced evasion, and built-in remote access tools makes OnyxC2 a significant threat to both individuals and organizations. Defenders should treat a stealer infection as a full credential and session compromise: reset passwords and revoke every active session and token for the affected user rather than the password alone, watch for DLLs loaded from beside signed executables in user-writable locations, and alert on unexpected handle access to LSASS.

Synthesized by Vypr AI