PROBABLYPWNED
Malware · February 22, 2026 · 4 min read

Arkanix Stealer: AI-Assisted MaaS Infostealer Folds Fast

Kaspersky exposes Arkanix Stealer, a Python and C++ infostealer likely built with LLM assistance. After two months of targeting crypto wallets and VPNs, the operation vanished.

James Rivera

A short-lived infostealer operation called Arkanix Stealer has caught the attention of security researchers for its apparent use of AI-assisted code development. Kaspersky's analysis reveals the malware-as-a-service (MaaS) operation ran for approximately three months before its operators abruptly pulled the plug, leaving paying customers without notice.

What Made Arkanix Different

Arkanix Stealer first appeared on dark web forums in October 2025, offering both Python and C++ variants to would-be cybercriminals. What set it apart wasn't just its capabilities—researchers found telltale signs suggesting the malware was partially developed using large language models.

The evidence? Kaspersky researchers pointed to "the presence of the utils.cpp file" and "common patterns of such assistants" in the codebase. Extensive commenting, structured debugging output, and consistent code organization all suggested AI involvement. This approach "might have drastically reduced development time and costs," according to the researchers.

This isn't an isolated phenomenon. We're seeing threat actors increasingly experiment with AI tools to accelerate malware development—a trend that echoes findings from Microsoft's recent report on cross-platform infostealers using Python to target multiple operating systems simultaneously.

Technical Capabilities

Arkanix targeted an extensive list of credentials and sensitive data:

Browser Data - The stealer supported 22 browsers including Chrome, Firefox, and Tor Browser. It extracted saved passwords, cookies, autofill data, and OAuth2 credentials while specifically hunting for banking and cryptocurrency keywords like "revolut," "stripe," "binance," and "metamask."

Cryptocurrency Wallets - Premium subscribers received wallet patcher modules for Exodus and Atomic wallets, plus a dedicated Chrome grabber for browser-based crypto extensions.

VPN Credentials - Arkanix harvested login data from NordVPN, Mullvad, ExpressVPN, and ProtonVPN—credentials that fetch premium prices on dark web marketplaces.

Gaming Platforms - Steam, Epic Games, Battle.net, Riot, Origin, Ubisoft Connect, and GOG accounts were all fair game.

Self-Spreading - The Discord module could spread to victims' contacts via the Discord API, turning compromised accounts into distribution channels.

The C++ version employed AMSI and ETW hooking to evade security monitoring, while premium builds added VMProtect obfuscation and Chrome Elevator injection to bypass App-Bound Encryption.

Distribution and Pricing

Arkanix operators ran a classic MaaS model with clever marketing. Free-tier users got access to the Python stealer only. Premium subscribers unlocked the more capable C++ variant, wallet injection, screenshot capture, Wi-Fi credential harvesting, and "priority support."

Initial infections spread through phishing with deceptive filenames like "steam_account_checker_pro_v1.py" and "discord_nitro_checker.py"—the kind of bait that reliably hooks gamers and crypto enthusiasts.

The operation even featured a referral program: invite new users and earn free premium hours. It's the kind of growth-hacking playbook you'd see from a legitimate SaaS startup, applied to credential theft.

Why the Sudden Shutdown?

After just two months of operation, Arkanix's control panel and Discord server went dark in December 2025. No announcement, no transition—operators simply vanished.

Kaspersky researchers believe this was always the plan. "Arkanix was a short-lived project for quick financial gains," they noted. This hit-and-run approach makes tracking and attribution significantly harder than persistent operations.

This pattern of ephemeral malware operations has become increasingly common. Unlike established infostealer families that maintain long-term infrastructure, these experimental projects extract profits and disappear before defenders can mount an effective response. It's a model we've seen replicated across the infostealer ecosystem, including operations like Stealc that sometimes turn on their own operators.

Infrastructure and IOCs

The operation ran through two domains:

Domain          IP Address          First Seen
arkanix[.]pw    195.246.231[.]60    October 9, 2025
arkanix[.]ru    172.67.186[.]193    October 19, 2025

Both were routed through Cloudflare. Sample file hashes include:

  • 208fa7e01f72a50334f3d7607f6b82bf
  • a3fc46332dcd0a95e336f6927bae8bb7
  • 3283f8c54a3ddf0bc0d4111cc1f950c0
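The indicators above are only useful once they are checked against telemetry, so here is an added example (not from the article or from Kaspersky's report) that refangs the published domains, IPs and hashes, adds the two lure filenames mentioned earlier, and scans log lines for them. The log format (space-separated key=value pairs with host, dst, name and md5 fields) and the sample lines are constructed for the example; the indicator values themselves are the ones listed on this page. Because both domains sat behind Cloudflare, a hit on the IP alone is scored as low confidence, since the same address serves many unrelated sites.

```python
"""Match the Arkanix IOCs published above against sample log lines.

Example code written for this article; the log format is an assumption
and the sample lines are constructed, not real telemetry.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Indicators exactly as published on the page (defanged).
DEFANGED_DOMAINS = ["arkanix[.]pw", "arkanix[.]ru"]
DEFANGED_IPS = ["195.246.231[.]60", "172.67.186[.]193"]
FILE_HASHES = {
    "208fa7e01f72a50334f3d7607f6b82bf",
    "a3fc46332dcd0a95e336f6927bae8bb7",
    "3283f8c54a3ddf0bc0d4111cc1f950c0",
}
# Lure filenames named in the "Distribution and Pricing" section.
LURE_FILENAMES = {"steam_account_checker_pro_v1.py", "discord_nitro_checker.py"}

# Both domains were fronted by Cloudflare, so an IP-only match is weak evidence.
CONFIDENCE = {"domain": "high", "hash": "high", "lure": "medium", "ip": "low"}


def refang(ioc: str) -> str:
    """Undo the usual '[.]' / 'hxxp' defanging so the value can be compared."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "domain", "ip", "hash" or "lure"
    value: str
    confidence: str


# Constructed sample logs (assumed key=value format, one event per line).
SAMPLE_LOGS = """\
ts=2025-10-12T08:01:03Z src=10.0.4.21 dst=172.67.186.193 host=arkanix.ru uri=/api/upload
ts=2025-10-12T08:01:09Z src=10.0.4.21 dst=142.250.72.14 host=www.google.com uri=/
ts=2025-10-12T08:02:44Z src=10.0.4.33 event=file_create name=steam_account_checker_pro_v1.py md5=208fa7e01f72a50334f3d7607f6b82bf
ts=2025-10-12T08:03:10Z src=10.0.4.33 event=file_create name=report.pdf md5=d41d8cd98f00b204e9800998ecf8427e
ts=2025-10-12T08:05:55Z src=10.0.4.50 dst=195.246.231.60 host=cdn.example.org uri=/x
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict[str, str]:
    """Split one key=value log line into a dict (later keys win on duplicates)."""
    return dict(KV_RE.findall(line))


def scan(log_text: str) -> list[Hit]:
    """Return every indicator match found in the given log text."""
    hits: list[Hit] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        f = parse_line(line)
        host = f.get("host", "").lower().rstrip(".")
        # Match the domain itself and any subdomain of it.
        for d in DOMAINS:
            if host == d or host.endswith("." + d):
                hits.append(Hit(n, "domain", d, CONFIDENCE["domain"]))
        dst = f.get("dst", "")
        if dst in IPS:
            hits.append(Hit(n, "ip", dst, CONFIDENCE["ip"]))
        md5 = f.get("md5", "").lower()
        if md5 in FILE_HASHES:
            hits.append(Hit(n, "hash", md5, CONFIDENCE["hash"]))
        name = f.get("name", "").lower()
        if name in LURE_FILENAMES:
            hits.append(Hit(n, "lure", name, CONFIDENCE["lure"]))
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per indicator type, e.g. {'domain': 1, 'ip': 2, ...}."""
    return dict(Counter(h.kind for h in hits))


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind}={h.value} ({h.confidence} confidence)")
```

Run as a script it prints five hits: the arkanix.ru domain and its Cloudflare IP on line 1, the lure filename and known hash on line 3, and the second IP on line 5; the domain and hash matches are the ones worth paging on, the bare IP hits are a prompt to look at the accompanying host or SNI before escalating.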

Why This Matters

Arkanix represents a troubling trend: AI-assisted malware development lowering barriers to entry. When threat actors can rapidly prototype functional stealers using LLMs, we should expect more of these short-lived experiments flooding the ecosystem.

The infostealer market is already evolving quickly. Just this month, researchers documented the first infostealers targeting AI agent configuration files—credentials that could give attackers access to enterprise AI systems. As organizations adopt more AI tools, these stolen credentials become increasingly valuable.

For defenders, the takeaway is clear: assume infostealers are everywhere. Monitor for credential exfiltration, implement phishing-resistant MFA, and treat any system that handles cryptocurrency or VPN credentials as a high-value target. Understanding how modern malware operates is essential as these threats continue to evolve.

The barrier to creating capable malware is dropping. Arkanix may have folded, but the next AI-assisted experiment is likely already in development.
