Sunday, June 14, 2026

OnyxC2 Credential Stealer: 210 Apps, Zero AV Detections


Photo by Daniil Komov on Unsplash

It's a routine workday. A developer opens Chrome, unlocks a password manager, and connects to a cloud server. Standard morning ritual — except that somewhere in that session, a tool purchased for $250 per month is silently reading every saved credential, harvesting thousands of cookies, and exporting cryptocurrency wallet data to a remote command-and-control server. No alert fires. No antivirus flags it. The machine looks completely clean.

That is the documented reality of OnyxC2, and at BlackFog's last check on May 30, 2026, its delivery archives still returned zero detections across every antivirus engine on VirusTotal. The blast radius is wide, the price is shockingly low, and the defense requires a fundamentally different approach than most organizations currently run.

The Threat: OnyxC2 — Actor, Vector, and What Gets Exposed

According to CyberSecurityNews, OnyxC2 surfaced on cybercrime forums in early 2026 as a commercial-grade information stealer structured around a tiered subscription model: $250 per month for standard access, $500 per month for a premium tier that includes HVNC (Hidden Virtual Network Computing — remote control of a victim machine that remains invisible even to the legitimate user actively sitting at it), and $6,000 for full source code purchase. The operational infrastructure mirrors a legitimate SaaS business in every detail: a professional web-based control panel, customer support delivered through Telegram, and documented refund guarantees.

The delivery vector is disguise. BlackFog researchers, who published the primary independent technical breakdown, found OnyxC2 arriving inside password-protected archives with names like FinePrint, SystemSettings, and Fling-Standalone. Each archive contains a legitimately signed application bundled with a heavily obfuscated malicious DLL written in C++ with embedded assembly. The technique is DLL sideloading: the signed application resolves a DLL it depends on by name, the Windows loader finds the attacker's copy in the application's own directory first, and the malicious code runs inside a trusted, signed process. That is what defeats both perimeter scanning (the archive is encrypted) and signature-based endpoint products (the running process is the legitimate one).

Blast Radius: What One Infected Machine Actually Surrenders

OnyxC2 sweeps 210+ applications across eight application categories in a single session. BlackFog documented one compromised host that yielded 55 saved passwords, 4,717 cookies, 719 autofill entries, credit card data, and cryptocurrency wallet credentials, all from a single infection event on a single machine.

OnyxC2: Targeted Application Categories (210+ Total)

    Browser Extensions    109
    Chromium Browsers      37
    Crypto Wallets         17
    FTP Clients            11
    Gecko Browsers          8
    2FA Tools               6
    Email Clients           5
    Password Managers       5

Chart: OnyxC2 targets eight application categories simultaneously. Browser extensions (109 targeted) represent the largest single attack surface, followed by Chromium browsers (37) and cryptocurrency wallets (17). Source: BlackFog technical analysis, May 2026.

The cookie harvest deserves specific attention. BlackFog's analysts noted that a stealer capturing password manager data alongside active session cookies can keep reaching accounts after the victim changes passwords, because a session cookie authenticates its bearer directly: no password is checked and no multi-factor prompt fires. The standard response (reset credentials, close the ticket) is structurally insufficient against this class of threat; the reset has to be paired with revocation of every active session, refresh token and API key the compromised profile held, at the identity provider and at each application that keeps its own sessions. That single observation should reshape how organizations handle a suspected endpoint compromise.

The broader market context amplifies the problem. As of June 14, 2026, the dark-web MaaS ecosystem has expanded by 30%, with average infrastructure costs running approximately $4,500 for 1,000 malware installs — pricing that puts operational credential theft within reach of actors with essentially no technical capability. The FBI Internet Crime Complaint Center reported $16 billion in cybercrime losses in the previous reporting period, a 33% year-over-year increase that analysts largely attribute to MaaS operational efficiency. OnyxC2 is a direct product of that efficiency curve.


Photo by 1981 Digital on Unsplash

Why 71 Antivirus Engines All Missed It

BlackFog researchers submitted OnyxC2 delivery archives to VirusTotal and recorded zero detections across all 71 antivirus engines listed there. Both delivery archives returned clean on first submission, and the malicious component was still unflagged at their last check on May 30, 2026. A runtime build included in the operator's own product listing was caught by only 2 of 18 engines tested. The developers claim a 99% evasion rate, and the independent testing matched that claim.

The mechanism is structural, not accidental. A password-protected archive cannot be opened by a mail gateway or on-access scanner that does not know the password, so its contents are never inspected at rest. Once extracted, a freshly obfuscated DLL running inside the address space of a legitimately signed host process matches no existing signature, because that specific code has never been seen before. This is not a flaw in any particular antivirus product; it is the inherent limit of signature-based detection (pattern matching against known malicious code) against custom-obfuscated, recently compiled malware. One caveat when reading the numbers: a VirusTotal result reflects each engine's static scan of the submitted file, not the full product's behavioral, memory or cloud-reputation layers at execution time, so "zero detections" means the file passes the first gate, not that every vendor's endpoint agent would stay silent once the DLL runs. The practical conclusion stands either way: an organization whose endpoint defense consists of signature scanning has no reliable control against this class of stealer.
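As an added example (not BlackFog's tooling or anything from the OnyxC2 report), the following Python builds a constructed archive with the shape described above, flips the ZIP encryption flag so it presents as password-protected, and runs the two header-level checks a mail or download gateway can apply without knowing the password: is any entry encrypted, and does a directory hold an EXE and a DLL side by side. The file names FinePrint.exe and helper.dll, the file bytes, and the quarantine rule are this example's assumptions.

```python
import io
import struct
import zipfile
from pathlib import PurePosixPath

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: the entry is password-protected


def build_sample_archive(encrypt: bool, with_dll: bool = True) -> bytes:
    """Constructed lure archive shaped like a sideloading kit: an executable
    with a DLL beside it. File names and bytes are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("FinePrint/FinePrint.exe", b"MZ" + b"\0" * 62)
        if with_dll:
            zf.writestr("FinePrint/helper.dll", b"MZ" + b"\0" * 62)
        zf.writestr("FinePrint/readme.txt", b"Run FinePrint.exe to install.")
    data = bytearray(buf.getvalue())
    if encrypt:
        # Set the encryption flag in every local header (flags at +6) and
        # central-directory record (flags at +8). A real password-protected
        # zip also scrambles the entry data; for header-only triage the flag
        # is what the gateway sees, so that is all we emulate here.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", data, pos + offset)
                struct.pack_into("<H", data, pos + offset, flags | ENCRYPTED)
                pos = data.find(signature, pos + len(signature))
    return bytes(data)


def triage_archive(blob: bytes) -> dict:
    """Checks a gateway can run without any password: does the archive hide
    its contents, and does any directory hold an EXE and a DLL side by side
    (the shape of a sideloading bundle)? The verdict rule is this example's
    assumption, not a vendor policy."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        entries = zf.infolist()          # central directory only; no decryption needed
    encrypted = [e.filename for e in entries if e.flag_bits & ENCRYPTED]
    suffixes_by_dir: dict = {}
    for e in entries:
        path = PurePosixPath(e.filename)
        suffixes_by_dir.setdefault(str(path.parent), set()).add(path.suffix.lower())
    sideload_dirs = sorted(d for d, s in suffixes_by_dir.items() if {".exe", ".dll"} <= s)
    verdict = "quarantine" if encrypted or sideload_dirs else "allow"
    return {"encrypted_entries": encrypted, "sideload_dirs": sideload_dirs, "verdict": verdict}


if __name__ == "__main__":
    for enc in (True, False):
        print(enc, triage_archive(build_sample_archive(encrypt=enc)))
```

In practice the EXE-plus-DLL rule is a prompt for sandbox detonation or analyst review rather than an automatic block, since legitimate portable software ships the same way; the encryption rule is the one to enforce, by quarantining password-protected archives unless the sender is pre-approved.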

The same profile data reaches into AI development infrastructure. Credential theft campaigns increasingly focus on cloud ML platform accounts, AI API keys, and code repositories, because a developer's browser holds sessions for cloud ML consoles, keys pasted into web dashboards, and repository logins, and stolen tokens of that kind buy access to expensive compute and proprietary training data. This is directly relevant to engineering teams building with modern tooling, as the Smart AI Agents breakdown of code agent platforms illustrates: developers operating Cursor, Claude Code, or similar environments hold highly privileged credentials, exactly the high-value targets that MaaS operators price their services around.

The Defense Stack That Actually Works

Given that signature-based antivirus is demonstrably ineffective here, the defense has to shift to behavioral detection layered with structural controls that eliminate the attack surface before code ever executes.

Tech layer: Deploy EDR (Endpoint Detection and Response) tooling configured for runtime behavioral detection, and make sure the telemetry it needs is actually collected. Three signals carry most of the weight here. First, unusual DLL loading: a signed application pulling an unsigned DLL from a user-writable location (Downloads, %TEMP%, %APPDATA%) is a clear indicator; on Windows, Sysmon Event ID 7 (ImageLoad) records the loading process, the loaded module and its signature status, so this can be detected even without a commercial EDR. Second, mass sequential access to credential stores: a single process reading a Chromium profile's Login Data, Cookies and Web Data databases, a Firefox profile's logins.json and key4.db, extension storage and wallet files within a few seconds, when that process is not the browser that owns them. Third, an unexpected outbound connection from that same process shortly afterwards. None of these signals depends on recognizing the payload; they are present regardless of how fresh the obfuscation is.
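The three signals above as detection logic, written here as an added example rather than any vendor's rule set: it runs over a constructed batch of events in a generic EDR-like shape (the field names, paths, PIDs and the 203.0.113.7 address are all made up for this example) and correlates the signals per process. The user-writable path pattern, the credential store file names, the owning-browser exclusion, the ten-second window and the three-store threshold are assumptions to tune against your own telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry in a generic EDR-like shape (not a real
# Sysmon or vendor export). One dict per event; "target" is the loaded DLL,
# the file read, or the remote endpoint, depending on the event type.
LURE = r"C:\Users\dev\Downloads\FinePrint\FinePrint.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PROFILE = r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default"
EVENTS = [
    {"ts": "2026-05-30T09:14:02", "type": "image_load", "pid": 4120, "image": LURE,
     "image_signed": True, "target": r"C:\Users\dev\Downloads\FinePrint\helper.dll",
     "target_signed": False},
    {"ts": "2026-05-30T09:14:03", "type": "file_read", "pid": 4120, "image": LURE,
     "target": PROFILE + r"\Login Data"},
    {"ts": "2026-05-30T09:14:03", "type": "file_read", "pid": 4120, "image": LURE,
     "target": PROFILE + r"\Network\Cookies"},
    {"ts": "2026-05-30T09:14:04", "type": "file_read", "pid": 4120, "image": LURE,
     "target": PROFILE + r"\Web Data"},
    {"ts": "2026-05-30T09:14:04", "type": "file_read", "pid": 4120, "image": LURE,
     "target": r"C:\Users\dev\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"ts": "2026-05-30T09:14:06", "type": "net_connect", "pid": 4120, "image": LURE,
     "target": "203.0.113.7:443"},
    # Benign noise: the browser reading its own stores, and a signed app loading a signed DLL.
    {"ts": "2026-05-30T09:20:00", "type": "file_read", "pid": 2200, "image": CHROME,
     "target": PROFILE + r"\Login Data"},
    {"ts": "2026-05-30T09:20:00", "type": "file_read", "pid": 2200, "image": CHROME,
     "target": PROFILE + r"\Network\Cookies"},
    {"ts": "2026-05-30T09:20:01", "type": "file_read", "pid": 2200, "image": CHROME,
     "target": PROFILE + r"\Web Data"},
    {"ts": "2026-05-30T09:21:00", "type": "image_load", "pid": 3001, "image_signed": True,
     "image": r"C:\Program Files\Foo\foo.exe", "target": r"C:\Program Files\Foo\lib.dll",
     "target_signed": True},
]

# Assumed patterns: locations a standard user can write to, the credential
# store file names to watch, and the browsers allowed to read their own stores.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|desktop|appdata\\(local|roaming))\\", re.I)
CRED_STORES = {"login data", "cookies", "web data", "logins.json", "key4.db", "cookies.sqlite"}
STORE_OWNERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}


def detect(events, window=timedelta(seconds=10), min_stores=3):
    """Stream the events once; return {pid: {"rules": [...], "severity": ...}}."""
    findings = defaultdict(list)
    reads = defaultdict(list)  # pid -> [(timestamp, store name)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        pid, target = ev["pid"], ev["target"]
        if ev["type"] == "image_load":
            # Signal 1: unsigned module loaded from a user-writable path; the
            # sideloading shape is that the loading process itself is signed.
            if USER_WRITABLE.match(target) and not ev.get("target_signed", False):
                rule = "unsigned_dll_from_user_writable_path"
                if ev.get("image_signed"):
                    rule += "_into_signed_process"
                findings[pid].append(rule)
        elif ev["type"] == "file_read":
            # Signal 2: several distinct credential stores read by one process
            # inside the window, excluding the browser that owns them.
            name = target.rsplit("\\", 1)[-1].lower()
            owner = ev["image"].rsplit("\\", 1)[-1].lower()
            if name in CRED_STORES and owner not in STORE_OWNERS:
                reads[pid].append((ts, name))
                recent = {n for t, n in reads[pid] if ts - t <= window}
                if len(recent) >= min_stores and "credential_store_sweep" not in findings[pid]:
                    findings[pid].append("credential_store_sweep")
        elif ev["type"] == "net_connect" and "credential_store_sweep" in findings.get(pid, []):
            # Signal 3: outbound traffic from a process that just swept stores.
            findings[pid].append("outbound_after_credential_sweep")
    return {pid: {"rules": rules, "severity": "critical" if len(rules) > 1 else "high"}
            for pid, rules in findings.items()}


if __name__ == "__main__":
    for pid, finding in detect(EVENTS).items():
        print(pid, finding["severity"], finding["rules"])
```

The owner exclusion matters: browsers read their own databases constantly, so the sweep rule keys on who is reading the stores, not on the reads alone. On Windows, Sysmon Event ID 7 supplies the signed/unsigned status for both the loading image and the loaded module; file-read telemetry needs an EDR sensor or object-access auditing, since Sysmon records file creation but not reads.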

Process layer: Shorten session token lifetimes (30 minutes or less for sensitive systems) and require step-up authentication for privileged operations. Be precise about what each control buys. Hardware-backed FIDO2 authentication stops phishing and password replay, because the key signs a challenge bound to the origin and needs a physical touch, but it does not by itself invalidate a session cookie stolen after the key was used. What limits cookie replay is a short token lifetime, step-up authentication in front of anything sensitive, and the ability to revoke every active session and refresh token for a user the moment an infection is suspected. Together these shrink the post-infection window in which stolen session tokens remain useful, and they have to be built before the incident, not during it.
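The cookie-replay point from the blast-radius section and the token-lifetime control above, as an added Python example (not code from the page, from BlackFog, or from any vendor): a minimal HMAC-signed session cookie with a 30-minute lifetime and a per-user revocation watermark, run through a constructed timeline in which the cookie is stolen, the password is reset, and the session is then revoked. The watermark design, the user name and the scenario timings are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


class SessionStore:
    """Server-side view of browser session cookies. Tokens are HMAC-signed and
    carry their issue time; a per-user 'not_before' watermark lets the server
    kill every session issued before an incident or password reset."""

    def __init__(self, key: bytes, max_age: timedelta):
        self.key = key
        self.max_age = max_age
        self.passwords = {}    # user -> password hash (toy storage for the demo)
        self.not_before = {}   # user -> revocation watermark (assumed design)

    def issue(self, user: str, now: datetime) -> str:
        payload = {"sub": user, "iat": int(now.timestamp()), "nonce": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        return body + "." + self._tag(body)

    def validate(self, token: str, now: datetime) -> Optional[str]:
        """Return the user the cookie authenticates, or None if it is forged,
        older than max_age, or issued before the user's revocation watermark."""
        body, _, tag = token.rpartition(".")
        if not hmac.compare_digest(tag, self._tag(body)):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
        issued = datetime.fromtimestamp(payload["iat"], tz=UTC)
        if now - issued > self.max_age:
            return None
        watermark = self.not_before.get(payload["sub"])
        if watermark is not None and issued < watermark:
            return None
        return payload["sub"]

    def reset_password_only(self, user: str, new_password: str) -> None:
        """What many applications do on 'compromise': rotate the credential and nothing else."""
        self.passwords[user] = hashlib.sha256(new_password.encode()).hexdigest()

    def reset_password_and_revoke(self, user: str, new_password: str, now: datetime) -> None:
        """Rotate the credential and invalidate every session issued before now."""
        self.reset_password_only(user, new_password)
        self.not_before[user] = now

    def _tag(self, body: str) -> str:
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()


def stolen_cookie_scenario() -> dict:
    """Constructed timeline: cookie stolen at 09:00, compromise noticed minutes later."""
    store = SessionStore(key=secrets.token_bytes(32), max_age=timedelta(minutes=30))
    t0 = datetime(2026, 5, 30, 9, 0, tzinfo=UTC)
    stolen = store.issue("dev", t0)                       # exfiltrated by the stealer
    store.reset_password_only("dev", "new-password-1")    # the usual first response
    after_reset = store.validate(stolen, t0 + timedelta(minutes=6))
    store.reset_password_and_revoke("dev", "new-password-2", t0 + timedelta(minutes=7))
    after_revoke = store.validate(stolen, t0 + timedelta(minutes=8))
    # A tampered copy of the cookie must fail the HMAC check outright.
    tampered = stolen[:-1] + ("0" if stolen[-1] != "0" else "1")
    forged = store.validate(tampered, t0 + timedelta(minutes=1))
    # With no revocation at all, the 30-minute lifetime alone ends replay.
    fresh = SessionStore(key=secrets.token_bytes(32), max_age=timedelta(minutes=30))
    expired = fresh.validate(fresh.issue("dev", t0), t0 + timedelta(minutes=31))
    return {"after_password_reset_only": after_reset,
            "after_reset_with_revocation": after_revoke,
            "tampered_cookie": forged,
            "after_lifetime_expiry": expired}


if __name__ == "__main__":
    print(stolen_cookie_scenario())
```

The password-only reset is where most incident runbooks stop, and the scenario shows the stolen cookie still authenticating afterwards; the watermark (or an equivalent purge of the server-side session table) is what actually ends replay, and the same revocation has to reach refresh tokens and API keys issued from the compromised browser.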

People layer: OnyxC2's entire delivery model requires an employee to execute a downloaded binary outside approved software distribution channels. Application allowlisting — where only pre-approved executables can run — kills this vector before DLL sideloading gets a chance to execute. Security awareness training that specifically covers disguised software downloads (fake update packages, third-party installers with convincing filenames) is the human compensating control (a measure that addresses risk when a primary technical control is unavailable) that closes the gap allowlisting cannot fully cover on its own.

Harden This Today

Ship one control: application allowlisting on every endpoint that handles credentials, meaning cloud infrastructure access, financial systems, HR platforms, code repositories. OnyxC2's operational model depends entirely on executing a disguised binary, and allowlisting does not evaluate how convincing the disguise is, how recently the code was written, or whether any antivirus has seen it before. If the executable is not on the approved list, it does not run. Two details decide whether the control actually works against a sideloading kit. The host executable is legitimately signed, so a publisher rule that trusts that vendor will let it start from Downloads; prefer path or hash rules for anything outside Program Files and Windows, which is what the default AppLocker rule set already does. And the malicious code lives in a DLL, so the policy must cover DLLs as well as EXEs: Windows Defender Application Control enforces on DLLs by default, whereas AppLocker only does so when its DLL rule collection is enabled.

My read: the $250 monthly price is the number worth internalizing here. At that cost, the barrier to enterprise-grade credential theft is essentially a payment method and a Telegram account. The threat intelligence picture is not sophisticated nation-state actors — it is commodity tooling available to anyone motivated enough to subscribe. Organizational defense posture has to reflect that reality, because the attackers already have.

Frequently Asked Questions

What is malware-as-a-service (MaaS) and how does it work in practice?

Malware-as-a-Service is a criminal business model where sophisticated developers build and rent attack tools to less-skilled operators through subscription tiers, mirroring the commercial SaaS model. OnyxC2 is a current example: $250 per month buys a fully operational credential stealer, a web-based management panel for viewing stolen data, and customer support via Telegram. The developer handles tool maintenance and evasion updates; subscribers handle targeting and distribution. This division of labor has lowered the technical barrier to running complex credential theft campaigns to near-zero, contributing to the 30% expansion of the MaaS market observed as of June 14, 2026.

How does credential stealer malware actually steal passwords from browsers like Chrome and Firefox?

Browsers store saved passwords, session cookies and autofill data in local database files that any process running under the current user's account can read. Chromium browsers keep them in SQLite databases (Login Data, Cookies, Web Data) inside the profile directory, encrypted with a per-profile key that is itself stored in the Local State file and protected with Windows DPAPI; because DPAPI decrypts for any process running as the same user, a stealer recovers the key through the same standard API the browser uses. Chrome has since added an app-bound encryption layer for cookies that needs higher privilege to unwrap, which raises the bar without ending the practice. Firefox stores logins in logins.json, encrypted with a key held in key4.db that is only protected if the user has set a primary password. OnyxC2 targets 37 Chromium-based browsers and 8 Gecko-based browsers including Firefox, covering virtually every browser in active enterprise deployment today.

Can antivirus software detect OnyxC2 malware on an endpoint?

As of May 30, 2026, BlackFog's independent testing found zero detections across all 71 commercial antivirus engines on VirusTotal. A separately tested runtime build was caught by only 2 of 18 engines. The core limitation: signature-based antivirus cannot scan inside password-protected delivery archives, and OnyxC2's DLL payload is freshly obfuscated with C++ and assembly code that does not match any existing malware signature. Behavioral EDR solutions configured for runtime process monitoring offer meaningfully more effective detection of this class of information stealer than traditional signature-based antivirus.

How do I protect my organization from OnyxC2 and similar credential stealing attacks?

The most effective layered defense combines: (1) Application allowlisting to block unauthorized executables — OnyxC2 requires executing a disguised binary, which allowlisting prevents at the OS level; (2) Behavioral EDR configured to flag unusual DLL loading patterns and rapid sequential access to credential store files; (3) Short session token lifetimes and FIDO2 hardware authentication keys to break cookie-replay attacks post-infection; (4) Restricting software installation to IT-managed distribution channels to prevent disguised installer delivery. For proactive threat intelligence, monitoring threat feeds that track emerging MaaS listings provides early visibility into new stealer variants before campaigns reach your environment.

Disclaimer: This article is editorial commentary based on publicly reported information and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your organization's specific security needs. Research based on publicly available sources current as of June 14, 2026.
