StealC malware control panel flaw leaks details on active attacker

Researchers uncovered an XSS flaw in StealC malware’s control panel, exposing key details about a threat actor using the info stealer.

StealC is an infostealer that has been active since at least 2023, sold as Malware-as-a-Service to steal cookies and passwords. In 2025, its operators released StealC v2, but the web panel quickly leaked and was criticized by researchers. Analysis of the leaked code revealed a flaw that let investigators monitor StealC operators, collect system data, track sessions, and even steal cookies from the malware’s own infrastructure.

“The StealC web panel gave researchers a rare glimpse into the backend of the malware operations. It didn’t take much effort for us to find a simple XSS vulnerability in that panel. We won’t share specific details of the vulnerability itself to avoid helping the StealC developers patch the issue or enabling any would-be StealC copycats from using the leaked panel to try to start their own MaaS,” reads the report published by CyberArk.

“By exploiting the vulnerability, we were able to identify characteristics of the threat actor’s computers, including general location indicators and computer hardware details. Additionally, we were able to retrieve active session cookies, which allowed us to gain control of sessions from our own machines.”

StealC’s developers, despite focusing on stealing cookies, curiously failed to secure their own session cookies against basic XSS attacks. Researchers then used this flaw to study a StealC operator, dubbed “YouTubeTA,” analyzing their campaigns and uncovering details about their identity.
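As an added, defender-side illustration that is not taken from the CyberArk report or from the StealC panel code (the report deliberately withholds the vulnerability's specifics), the following Python shows the two controls whose absence the paragraph above implies: HTML-encoding untrusted text at the point where a panel page renders it, and issuing the session cookie with the HttpOnly, Secure and SameSite attributes so that script running in the page cannot read it. The "marker" label and the cookie value are constructed placeholders, and the function names are this example's own.

```python
import html
from http import cookies

# Constructed sample input: a label a panel user might enter on a "markers"-style
# page. It is a placeholder for any untrusted text, not a value from the report.
UNTRUSTED_LABEL = '<script>alert(1)</script>'


def render_unsafe(label: str) -> str:
    """Vulnerable pattern: untrusted text is interpolated straight into HTML,
    so any markup it contains becomes part of the page."""
    return f"<td>{label}</td>"


def render_safe(label: str) -> str:
    """Hardened pattern: encode at output time so '<', '>', '&' and quotes are
    shown as text and cannot break out of the table cell."""
    return f"<td>{html.escape(label, quote=True)}</td>"


def session_cookie_header(value: str, hardened: bool = True) -> str:
    """Build the value of a Set-Cookie header for the panel session.

    hardened=False reproduces the weak configuration (a bare cookie that
    document.cookie can read); hardened=True adds the attributes that keep the
    session token out of reach of script and off plain-HTTP connections.
    """
    jar = cookies.SimpleCookie()
    jar["session"] = value
    jar["session"]["path"] = "/"
    if hardened:
        jar["session"]["httponly"] = True      # not exposed to JavaScript
        jar["session"]["secure"] = True        # only sent over HTTPS
        jar["session"]["samesite"] = "Strict"  # not sent on cross-site requests
    # output(header="") yields " session=...; HttpOnly; Path=/; ..."; strip the lead.
    return jar.output(header="").strip()


def cookie_flags(header: str) -> set:
    """Return the lowercase attribute names present in a Set-Cookie value,
    ignoring the leading name=value pair."""
    parts = [p.strip() for p in header.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def cookie_hardened(header: str) -> bool:
    """Check used by a reviewer or a test suite: does the cookie carry all three
    attributes a session cookie should have?"""
    return {"httponly", "secure", "samesite"} <= cookie_flags(header)


if __name__ == "__main__":
    print("unsafe :", render_unsafe(UNTRUSTED_LABEL))
    print("safe   :", render_safe(UNTRUSTED_LABEL))
    for mode in (False, True):
        hdr = session_cookie_header("constructed-session-id", hardened=mode)
        print(f"hardened={mode}: {hdr} -> ok={cookie_hardened(hdr)}")
```

The `cookie_hardened` check is the kind of assertion worth keeping in a web application's test suite: it catches a regression in which someone drops one of the attributes, which is exactly the weakness that let the researchers lift the operator's live session.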

In 2025, YouTubeTA ran campaigns linked to YouTube, stealing data from thousands of victims. Researchers found the malware spread through hijacked YouTube accounts that looked legitimate and promoted cracked software. Victims searching YouTube for pirated Adobe tools were infected. The attacker focused on stealing YouTube creator accounts, likely to reuse them to spread more malware.

“The StealC web panel has a feature known as “markers,” which allows users to highlight stolen credentials from specific domains, based on various categories they define. This feature probably helps sift through stolen credentials to identify interesting victims,” continues the report.

Markers page from YouTubeTA’s StealC web panel. (Source CyberArk)

Researchers believe the operator “YouTubeTA” is likely a single individual, not a group. Evidence comes from panel data showing only one admin user, consistent hardware fingerprints, and repeated use of the same Apple M3 device. Language settings pointed to English and Russian, while the system time zone matched Eastern Europe. A rare VPN slip exposed an IP linked to a Ukrainian ISP, supporting the view that the actor operates from Eastern Europe.

“As we’ve seen, YouTubeTA, despite being a single operator, was dangerously successful. They’ve stolen hundreds of thousands of credentials from thousands of victims around the world in just a few short months,” concludes the report. “This is a clear demonstration of why many threat actors employ the MaaS model. By delegating much of the work to other groups, they can specialize and have a more significant impact, much like in traditional industries. The success of YouTubeTA highlights the importance of identity security, as it’s terribly simple to do a tremendous amount of damage.”


Pierluigi Paganini

(SecurityAffairs – hacking, malware)
