PROBABLYPWNED
Malware | June 12, 2026 | 3 min read

OnyxC2 Infostealer Targets 210 Apps, Offers Refunds If Detected

BlackFog researchers detail OnyxC2 MaaS stealer pricing at $250/month. Targets browsers, crypto wallets, password managers with DLL sideloading delivery that bypasses VirusTotal detection.

James Rivera

A new malware-as-a-service infostealer called OnyxC2 has emerged on underground forums, offering enterprise-grade credential theft capabilities at $250 per month. BlackFog researchers published an analysis showing the malware targets over 210 applications—from browsers and cryptocurrency wallets to password managers and email clients—while consistently evading antivirus detection.

The developers are confident enough in their evasion techniques to offer refunds if a build gets flagged. That confidence appears warranted: when BlackFog last checked on May 30, both delivery archives and their malicious payloads remained undetected on VirusTotal.

Pricing Tiers

OnyxC2 operates on a subscription model:

  • Standard: $250/month for the base stealer
  • Premium: $500/month adds HVNC (Hidden Virtual Network Computing) for real-time session hijacking
  • Source Code: $6,000 one-time purchase for the complete codebase

The premium tier's HVNC capability lets attackers interact with compromised machines without the victim seeing any on-screen activity. Combined with the stealer's credential harvesting, operators can take over accounts in real-time—similar to the session hijacking techniques used in recent Chrome zero-day exploits.

DLL Sideloading Delivery

The malware reaches victims through poisoned software installers. Attackers bundle a malicious DLL alongside a legitimate, signed application, so the package as a whole appears valid to security tools.

When a victim runs the installer, the legitimate application loads the malicious DLL automatically through the standard Windows DLL search order, which resolves a library name to the executable's own directory before the system directories. The actual payload stays encrypted on disk until runtime—meaning static analysis finds nothing suspicious.

This delivery method explains the VirusTotal success rate. The combination of a signed binary, an encrypted payload and runtime-only decryption defeats most automated detection.
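Because the static artefacts look clean, the sideloading step itself is the best place to look. The script below is an added example (not BlackFog's tooling and not derived from OnyxC2) that applies one behavioural rule to Sysmon-style image-load records: an unsigned DLL loaded from the same user-writable directory as the executable that loads it, scored higher when the DLL's name shadows a Windows system library. Field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed, SignatureStatus); ProcessSigned is an assumed field that a real pipeline would join in from the matching process-create record, and every sample event is constructed.

```python
"""Flag DLL sideloading candidates in Sysmon-style image-load events.

Added example; this is not BlackFog's analysis tooling or OnyxC2 code.
Field names follow Sysmon Event ID 7. ProcessSigned is an assumed field a
pipeline would join in from the matching Event ID 1 (process create) record.
All sample events are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Directories where a DLL beside the executable is normal; placing a rogue DLL
# here needs write access that an installer run from Downloads does not imply.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Windows system DLL names commonly shadowed by a same-named file dropped
# beside a signed executable (resolved from the app directory first).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll",
                    "wininet.dll", "userenv.dll", "profapi.dll"}

# Constructed Sysmon Event ID 7 records (values are made up for illustration).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\VendorSetup\VendorApp.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\VendorSetup\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "true"},
    {"Image": r"C:\Users\alice\Downloads\VendorSetup\VendorApp.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "ProcessSigned": "true"},
    {"Image": r"C:\Program Files\Vendor\VendorApp.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\tool\tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\tool\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "false"},
    {"Image": r"C:\Users\alice\Downloads\VendorSetup\VendorApp.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\VendorSetup\vendorcore.dll",
     "Signed": "true", "SignatureStatus": "Valid", "ProcessSigned": "true"},
]


@dataclass
class Finding:
    process: str
    dll: str
    severity: str
    reason: str


def _under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding when the event matches the sideloading pattern, else None."""
    proc = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    dll_trusted = (event.get("Signed", "false").lower() == "true"
                   and event.get("SignatureStatus", "") == "Valid")
    if dll_trusted:
        return None  # validly signed DLLs are out of scope for this rule
    if str(proc.parent).lower() != str(dll.parent).lower():
        return None  # not loaded from the executable's own directory
    if _under_trusted_root(str(proc)):
        return None  # application directory is not user-writable by default
    proc_signed = event.get("ProcessSigned", "false").lower() == "true"
    shadows_system = dll.name.lower() in SYSTEM_DLL_NAMES
    # A signed host plus a shadowed system DLL name is the classic sideload shape.
    if shadows_system and proc_signed:
        severity = "high"
    elif shadows_system or proc_signed:
        severity = "medium"
    else:
        severity = "low"
    reason = (f"unsigned {dll.name} loaded by {'signed' if proc_signed else 'unsigned'} "
              f"{proc.name} from its own directory"
              + (" (shadows a Windows system DLL name)" if shadows_system else ""))
    return Finding(str(proc), str(dll), severity, reason)


def scan(events) -> List[Finding]:
    """Run classify() over a batch of events and keep the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.reason}")
```

On the constructed sample, only the Downloads-hosted VendorApp.exe loading an unsigned version.dll (high) and the unsigned Temp tool loading its own helper.dll (low) are reported; the signed system DLL, the Program Files plugin and the validly signed vendor DLL are ignored. The trusted-root list and the DLL-name set are the parts a real deployment would tune.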

Target Scope

BlackFog identified over 210 targeted applications across multiple categories:

  • Browsers: All major browsers plus their extension data
  • Password Managers: Credentials and vault contents
  • Cryptocurrency Wallets: Private keys and wallet files
  • FTP Clients: Saved connection credentials
  • Email Clients: Account credentials and session tokens

Beyond credential theft, OnyxC2 includes features typically found in more sophisticated malware:

  • LSASS memory dumping for Windows credential extraction
  • Reverse SOCKS5 proxy for tunneling traffic through victims
  • Session hijacking for real-time account takeover

The MaaS Economy

OnyxC2 fits into the broader malware-as-a-service ecosystem that's driving the current surge in credential theft campaigns. We covered the Storm infostealer earlier this month, which takes a similar subscription approach but focuses on server-side decryption to avoid leaving traces on victim machines.

The refund guarantee is particularly notable. It signals that the OnyxC2 developers view detection evasion as a key selling point and are willing to back that claim financially. For buyers, it reduces the risk of purchasing malware that immediately gets burned by antivirus updates.

Detection Challenges

Traditional antivirus struggles against OnyxC2's delivery method for several reasons:

  1. The signed legitimate application passes certificate validation
  2. The malicious DLL is encrypted until runtime
  3. Decryption and execution happen entirely in memory
  4. Network callbacks use standard protocols that blend with normal traffic

Organizations relying solely on endpoint detection may miss infections entirely. Behavioral analysis and memory scanning offer better chances, but require more sophisticated security tooling.

Recommended Defenses

  1. Software verification: Only install applications from verified sources
  2. Application control: Use allowlisting to prevent unauthorized executables
  3. Memory protection: Deploy solutions that scan runtime behavior
  4. Credential monitoring: Watch for unusual access patterns to password managers and crypto wallets
  5. Network segmentation: Limit what compromised endpoints can reach
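Defense 4 (credential monitoring) and the LSASS dumping feature listed under Target Scope both reduce to the same question: which process touched a credential store, and was it the process that owns it? The script below is an added example, not code from BlackFog or the OnyxC2 analysis. It checks two record shapes: Sysmon Event ID 10 style ProcessAccess records (SourceImage, TargetImage, GrantedAccess) for non-allowlisted processes opening lsass.exe with memory-read rights, and Windows object-access style records (ProcessName, ObjectName) for reads of browser, password-manager and wallet files by a process other than their expected owner. The allowlist, the path patterns and the owner pairings are assumptions to tune per estate, and all records are constructed.

```python
"""Alert on credential-store access by unexpected processes.

Added example; not BlackFog's tooling or OnyxC2 code. Covers two behaviours the
article lists: LSASS memory access (Sysmon Event ID 10 style records) and reads
of browser / password-manager / wallet files (Windows 4663 object-access style
records). Allowlists, path patterns and owner pairings are assumptions; all
sample records are constructed.
"""
import re
from pathlib import PureWindowsPath
from typing import List, Optional

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Processes that legitimately open lsass with read access (assumption: tune per estate).
LSASS_READERS_ALLOWED = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe", "lsass.exe"}

# Credential stores and the process expected to touch them (assumed pairings).
CREDENTIAL_STORES = [
    (re.compile(r"\\google\\chrome\\user data\\.*\\(login data|local state)$"), {"chrome.exe"}),
    (re.compile(r"\\mozilla\\firefox\\profiles\\.*\\(logins\.json|key4\.db)$"), {"firefox.exe"}),
    (re.compile(r"\.kdbx$"), {"keepass.exe"}),
    (re.compile(r"\\wallet\.dat$"), {"bitcoin-qt.exe", "bitcoind.exe"}),
]

# Constructed records: ProcessAccess records carry TargetImage, file records carry ObjectName.
SAMPLE_RECORDS = [
    {"SourceImage": r"C:\Users\alice\Downloads\VendorSetup\VendorApp.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\1.0\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"SourceImage": r"C:\Users\alice\Downloads\VendorSetup\VendorApp.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010"},
    {"ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ProcessName": r"C:\Users\alice\Downloads\VendorSetup\VendorApp.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ProcessName": r"C:\Users\alice\Downloads\VendorSetup\VendorApp.exe",
     "ObjectName": r"C:\Users\alice\Documents\Passwords.kdbx"},
    {"ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"C:\Users\alice\Documents\readme.txt"},
]


def check_process_access(rec: dict) -> Optional[str]:
    """Sysmon-style ProcessAccess record: flag memory-read handles to lsass.exe."""
    target = PureWindowsPath(rec["TargetImage"]).name.lower()
    if target != "lsass.exe":
        return None
    source = PureWindowsPath(rec["SourceImage"]).name.lower()
    granted = int(rec["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        return None  # handle cannot read memory, so not a dump attempt
    if source in LSASS_READERS_ALLOWED:
        return None
    return f"{source} opened lsass.exe with memory-read access (0x{granted:x})"


def check_file_access(rec: dict) -> Optional[str]:
    """Object-access style record: flag credential-store reads by a non-owner process."""
    path = rec["ObjectName"].lower().replace("/", "\\")
    proc = PureWindowsPath(rec["ProcessName"]).name.lower()
    for pattern, owners in CREDENTIAL_STORES:
        if pattern.search(path):
            if proc in owners:
                return None
            return f"{proc} read credential store {rec['ObjectName']}"
    return None


def scan(records: list) -> List[str]:
    """Route each record to the matching check and collect the alerts."""
    alerts = []
    for rec in records:
        hit = check_process_access(rec) if "TargetImage" in rec else check_file_access(rec)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_RECORDS):
        print("ALERT:", line)
```

On the constructed records the three VendorApp.exe actions (the lsass handle, the Chrome Login Data read and the KeePass database read) are reported, while Defender's lsass access, Chrome reading its own store and the unrelated notepad read are not. Real object-access records require a SACL on the monitored files, and the owner pairings need to include updaters and backup agents that legitimately read these paths.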

The low entry cost means OnyxC2 will likely see wide adoption among less sophisticated attackers. Security teams should expect increased credential theft attempts and plan their monitoring accordingly. Review our online safety guide for additional protective measures.
