The Rise and Fall of Arkanix Stealer: An AI Info-Stealer Experiment

An innovative malware operation known as Arkanix Stealer emerged on various dark web platforms in late 2025, believed to have been developed with the assistance of artificial intelligence.

The project featured a control panel and a Discord server for user communication. However, the creator abruptly shut down these platforms just two months after the operation commenced.

Arkanix Stealer offered a range of data theft functionalities commonly used by cybercriminals, including a modular structure and anti-analysis features.

According to Kaspersky researchers, an analysis of Arkanix Stealer revealed indications of AI-assisted development, potentially leading to significantly reduced development time and costs.

Figure: Signs of LLM involvement in coding (Source: Kaspersky)

The researchers speculate that Arkanix was a short-term venture aimed at quick financial gains, making detection and tracking more challenging.

Arkanix Stealer Emerges Online

In October 2025, Arkanix Stealer began gaining traction on hacker forums, offering two tiers to potential clients: a basic version utilizing Python and a “premium” edition featuring a native C++ payload with VMProtect protection, AV evasion, and wallet injection capabilities.

Figure: Arkanix promoted on hacker forums (Source: Kaspersky)

The developer established a Discord server to serve as a community hub for project updates, feature feedback, and user support.

Furthermore, a referral scheme was implemented to boost project visibility, offering referrers extra premium access time and new users a free week of the premium version.

Figure: Referral options from within the dashboard (Source: Kaspersky)

Data Theft Capabilities

Arkanix Stealer is capable of gathering system data and extracting browser-stored information (history, autofill data, cookies, passwords) and cryptocurrency wallet details from 22 browsers. Kaspersky experts note its ability to retrieve OAuth2 tokens from Chromium-based browsers.

Additionally, the malware can acquire data from Telegram, pilfer Discord credentials, propagate via the Discord API, and send messages to the victim’s contacts/channels.

Arkanix also targets credentials for VPN services like Mullvad, NordVPN, ExpressVPN, and ProtonVPN, and can archive files from the local filesystem for asynchronous exfiltration.

Additional modules available for download from the command-and-control server include a Chrome grabber, a wallet patcher for Exodus or Atomic wallets, a screenshot tool, HVNC, and stealers for FileZilla and Steam.

Figure: Partial list of targeted crypto extensions (Source: Kaspersky)

The premium native C++ version of Arkanix Stealer includes RDP credential theft, anti-sandbox and anti-debugging mechanisms, WinAPI-based screen capture, and targets gaming platforms such as Epic Games, Battle.net, Riot, Unreal Engine, Ubisoft Connect, and GOG.

Moreover, the advanced variant introduces the ChromElevator post-exploitation tool, designed to infiltrate suspended browser processes for data theft and circumvent Google’s App-Bound Encryption (ABE) for unauthorized access to user credentials.

The ultimate goal of the Arkanix Stealer initiative remains ambiguous. The project could be an experiment to assess how AI assistance enhances malware development and speeds up feature deployment within the community.

Kaspersky’s evaluation suggests that Arkanix functions more as a public software product than a clandestine data stealer.

The researchers provide a detailed list of indicators of compromise (IoCs), comprising file hashes, domains, and IP addresses.
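A hash, domain and IP address list is only useful once it is matched against what your own telemetry actually records. The following added example (not code from the article or from Kaspersky) shows one way to sweep proxy, EDR and firewall log lines against an IoC list of exactly those three kinds, including subdomain matches for listed domains. Every IoC value and every log line below is a constructed placeholder; the real indicators are in Kaspersky's report and are not reproduced here.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed placeholder IoCs (NOT the real Arkanix indicators). Replace with
# the hashes, domains and IPs from the vendor report before use.
IOC_HASHES = {
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",  # placeholder SHA-256
}
IOC_DOMAINS = {"arkanix-c2.invalid", "panel.stealer-example.invalid"}  # placeholders
IOC_IPS = {"192.0.2.10", "198.51.100.77"}  # RFC 5737 TEST-NET addresses, placeholders

HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")            # SHA-256 hex digests
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")     # candidate IPv4 literals
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the scanned log
    kind: str      # "hash", "ip" or "domain"
    value: str     # normalised indicator that matched


def domain_matches(host: str, blocklist: set) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


def scan_lines(lines) -> list:
    """Return every IoC hit found in the given log lines, in order."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in HASH_RE.findall(line):
            if h.lower() in IOC_HASHES:
                hits.append(Hit(n, "hash", h.lower()))
        for ip in IPV4_RE.findall(line):
            try:
                ip_address(ip)            # drop things like 999.1.1.1
            except ValueError:
                continue
            if ip in IOC_IPS:
                hits.append(Hit(n, "ip", ip))
        for d in DOMAIN_RE.findall(line):
            if domain_matches(d, IOC_DOMAINS):
                hits.append(Hit(n, "domain", d.lower()))
    return hits


# Constructed sample log lines (not real telemetry) mixing proxy, EDR and firewall events.
SAMPLE_LOG = [
    "2025-10-14T09:12:01Z proxy  CONNECT update.arkanix-c2.invalid:443 from 10.0.0.5",
    "2025-10-14T09:12:03Z edr    process=python.exe sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "2025-10-14T09:12:05Z fw     allow 10.0.0.5 -> 198.51.100.77:8080",
    "2025-10-14T09:13:00Z proxy  CONNECT www.example.com:443 from 10.0.0.5",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} match on {hit.value}")
```

Hashes are compared case-insensitively and IPv4 candidates are validated with `ipaddress` so malformed dotted strings never produce a hit. Domain matching covers subdomains because stealer panels are commonly fronted by hosts beneath a listed apex domain, but it also means a single over-broad entry (for example a public hosting provider's domain) will match far more than intended, so review the list before loading it.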
