Hackers Steal Credentials From 210+ Apps Using OnyxC2 Malware-as-a-Service (MaaS)
A potent new credential-stealing tool, OnyxC2, has surfaced within the cybercrime underground. Operating as a malware-as-a-service (MaaS), it dramatically lowers the bar for entry, allowing even low-skilled threat actors to conduct sophisticated credential-theft operations. Sold as a complete package for $250 a month, the malware gives buyers everything they need to quietly drain login data from victims worldwide. What makes it stand out is the scale of what it targets: over 210 applications and browser extensions in one sweep.
OnyxC2 is marketed like legitimate commercial software, complete with a web panel, a payload builder, tiered pricing, and refunds if a build gets flagged.
For a monthly fee, buyers get a kit that steals browser credentials, password manager data, two-factor authentication codes, and crypto wallet information. The stolen data is shipped back through an encrypted channel, making it harder for security tools to catch in transit.
Analysts at Blackfog identified the malware and published their findings in a report shared with Cyber Security News (CSN), revealing the full scope of what OnyxC2 can do and how it evades detection.
The research team obtained live builds, ran them in sandbox environments, and confirmed that the tool is actively reaching live command-and-control infrastructure.
The malware is written in C++, using assembly code to bypass security rules at the system level. Each build is mutated before delivery to break antivirus signature detection, and the developer claims a 99% evasion rate.

Blackfog’s tests confirmed this: both sample builds submitted to VirusTotal came back clean on first upload, with the malicious component still undetected as of May 30, 2026.
The damage potential is very real. One infected machine shown in the panel had already surrendered 55 saved passwords, 4,717 cookies, 719 autofill entries, credit card data, and a crypto wallet, all from a single host.
That kind of haul can unlock banking systems, business accounts, and cloud services in one shot.
Hackers Use OnyxC2 Malware-as-a-Service
The breadth of OnyxC2’s target list sets it apart from simpler stealers. It reaches 37 Chromium-based browsers and 8 Gecko-based browsers, plus 95 Chromium and 14 Gecko extensions, including 6 dedicated two-factor authentication tools. Even accounts protected by 2FA are not safe from this threat.

The stealer also covers 5 password managers, 17 cryptocurrency wallets, 11 FTP clients, and 5 email clients. A stealer that grabs password manager data alongside active session cookies can access accounts even after a victim changes their password.
The FTP and email targets push its reach beyond personal accounts and into business systems that finance and operations teams use every day.
Beyond credential theft, OnyxC2 bundles a full remote-access toolkit. Operators can use HVNC to control a hidden browser session, run a keylogger, take screenshots, and manage files remotely.

A reverse SOCKS5 proxy and a built-in Tor tunnel round out the toolkit, letting attackers route traffic anonymously.
Fake Installer Delivery and Evasion
OnyxC2 reaches victims through fake installer packages disguised as legitimate software downloads. The lures found by researchers included packages mimicking Fling-Standalone, FinePrint, SystemSettings, and fake Windows update files.
Each malicious archive is password-protected, helping it slip past automated scanning tools that must open files to inspect them.
Inside each fake archive is a two-file package built for DLL sideloading. The first file is a legitimately signed application that Windows trusts without question, and the second is a malicious DLL named to match a library the signed program loads at startup.
When the victim runs what looks like an installer, the trusted program unknowingly loads the attacker’s code from the same folder.
The malicious DLL is bloated past 120 MB by mimicking a real NVIDIA graphics library, with genuine-looking exported function names embedded inside.
Many antivirus scanners skip large files to save time, and the actual payload sits encrypted inside, only decrypting at runtime.
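The two-file sideloading package described above leaves a recognisable footprint once the password-protected archive has been extracted. The following triage script is an added example, not code from the Blackfog report or the article; it assumes the extracted folder path and a 100 MB size threshold (the article cites a DLL bloated past 120 MB) and uses a crude string search of the EXE for the DLL name as a stand-in for full import-table parsing.

```powershell
# Added example (not from the Blackfog report): triage an extracted "installer" folder for
# the two-file sideloading pattern: a signed EXE beside a DLL that (a) the EXE references by
# name, (b) is unsigned, (c) shadows a Windows system DLL, or (d) is bloated to evade scanning.
# The folder path and the size threshold are assumptions; the article cites a DLL over 120 MB.
param(
    [string]$Folder = "$env:USERPROFILE\Downloads\suspect_installer",
    [long]$SizeLimitBytes = 100MB
)

$exes = Get-ChildItem -Path $Folder -Filter *.exe -File -ErrorAction Stop
$dlls = Get-ChildItem -Path $Folder -Filter *.dll -File

foreach ($dll in $dlls) {
    $reasons = New-Object System.Collections.Generic.List[string]

    # (a) Heuristic import check: PE import names are stored as ASCII strings, so a signed
    #     EXE in the same folder whose bytes contain the DLL's file name likely loads it.
    $loaders = foreach ($exe in $exes) {
        $bytes = [System.IO.File]::ReadAllBytes($exe.FullName)
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        if ($text.IndexOf($dll.Name, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
            if ($exeSig.Status -eq 'Valid') { $exe.Name }
        }
    }
    if ($loaders) { $reasons.Add("referenced by signed EXE: $($loaders -join ', ')") }

    # (b) The DLL itself carries no valid Authenticode signature.
    $dllSig = Get-AuthenticodeSignature -FilePath $dll.FullName
    if ($dllSig.Status -ne 'Valid') { $reasons.Add("DLL signature status: $($dllSig.Status)") }

    # (c) Same file name as a library shipped in System32 (classic search-order sideload).
    if (Test-Path (Join-Path $env:SystemRoot "System32\$($dll.Name)")) {
        $reasons.Add('shadows a System32 DLL name')
    }

    # (d) Oversized: many scanners skip very large files.
    if ($dll.Length -gt $SizeLimitBytes) {
        $reasons.Add(("oversized: {0:N1} MB" -f ($dll.Length / 1MB)))
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            File    = $dll.Name
            SHA256  = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
            Reasons = $reasons -join '; '
        }
    }
}
```

Run it inside an isolated analysis VM against the extracted folder only; the SHA256 it emits can be compared against the indicators in the Blackfog report without executing the sample.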
Blackfog recommends enforcing anti-data-exfiltration controls at the endpoint, blocking outbound data transfers at the point of theft rather than relying solely on file scanning.
Indicators of Compromise:
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.