Analysis of Arkanix Stealer: A Dual-Mode Infostealer Leveraging ChromElevator and Dynamic Configuration

Executive Summary
In October 2025, security researchers detected a new malware-as-a-service (MaaS) operation targeting Windows environments. Dubbed Arkanix Stealer by its authors, the threat ships in two implementations, a native C++ build and a Python build, to maximize compatibility and evasion. The operators run a control panel for affiliates and integrate ChromElevator, an open-source tool for decrypting Chromium browser data protected by App-Bound Encryption, to harvest credentials, session cookies and cryptocurrency assets. The campaign, advertised mainly on dark web forums and Discord, appears to have been short-lived, and the affiliate program was subsequently taken down. At SecLookup, our threat intelligence monitoring identified and blocked the infrastructure associated with this campaign, so our users remained protected from this infostealer family.
Threat Analysis
Arkanix Stealer is a notable step in commodity infostealer capability because of its modular architecture and its use of ChromElevator for browser credential recovery. Rather than relying only on copying browser databases and decrypting them offline, the approach that Chrome's App-Bound Encryption was introduced to defeat, Arkanix combines in-process decryption of browser secrets with conventional file collection, system profiling and a remotely controlled configuration.
Architecture and Implementation
The threat actor provided two distinct variants of the stealer:
C++ Implementation: This native variant is built for performance and stealth and is the carrier for the ChromElevator payload. Compiled code presents fewer of the artefacts that heuristic antivirus engines key on than an interpreted script does, which makes this build harder to detect. It concentrates on high-value data: cryptocurrency wallet files and a comprehensive system profile.
Python Implementation: This variant is built for flexibility and rapid deployment. Its configuration can be changed at runtime, so affiliates can tailor a build to a specific campaign without recompiling or redistributing the source. Samples of this variant were frequently packed, which adds a layer of obfuscation that hinders static analysis and signature matching.
Initial Infection Vector
The specific initial infection vector for Arkanix remains unidentified, but the loader scripts recovered from the wild give a clear picture of the lure. Their file names, such as steam_account_checker_pro_v1.py, discord_nitro_checker.py and TikTokAccountBotter.exe, are those of "account checker" and "botter" utilities: tools marketed to people who want to test stolen credentials or automate abuse of a platform. The malware is therefore delivered as fake utility software, whether as a malicious attachment or as a download shared on forums and Discord, and its initial victims are users who are themselves seeking such tools for high-value platforms.
TTPs and MITRE ATT&CK Mapping
Arkanix employs techniques that fall mainly under the Credential Access and Collection tactics, with supporting Discovery and Defense Evasion behaviour.
Browser Credential Theft (ChromElevator): ChromElevator is an open-source tool that decrypts data protected by Chrome's App-Bound Encryption (ABE), the mechanism that ties decryption of saved passwords and cookies to the browser's own process and elevation service. By running its code inside the browser process, the stealer obtains plaintext credentials and session cookies that a plain copy of the Login Data and Cookies SQLite databases would no longer yield.
- MITRE ATT&CK: T1555.003 (Credentials from Password Stores: Credentials from Web Browsers), T1055 (Process Injection)
System Information Discovery: The malware enumerates system details to tailor its exfiltration efforts or to determine if the target machine is a suitable host for further compromise.
- MITRE ATT&CK: T1082 (System Information Discovery)
Data from Local System: Beyond the browser stores, the stealer collects cryptocurrency wallet files and system information from disk for exfiltration.
- MITRE ATT&CK: T1005 (Data from Local System)
Dynamic Configuration and Packing: The control panel and the Python variant's runtime configuration let affiliates retarget a build without recompiling, and the packed Python builds resist static analysis and signature matching.
- MITRE ATT&CK: T1027.002 (Obfuscated Files or Information: Software Packing)
Indicators of Compromise (IOCs)
Security teams should investigate systems that have interacted with the following malicious domains. These domains were confirmed malicious by SecLookup's threat intelligence platform.
Malicious Domains
arkanix.pw
arkanix.ru
Additional Contextual Indicators
While not domains, the file names of the recovered loader scripts are useful context for SOC analysts:
- steam_account_checker_pro_v1.py
- discord_nitro_checker.py
- TikTokAccountBotter.exe
SecLookup Detection
SecLookup was actively monitoring the threat landscape during the emergence of the Arkanix campaign. Our threat intelligence platform immediately identified the malicious domains arkanix[.]pw and arkanix[.]ru and incorporated them into our global blocklists.
Our system was actively detecting and blocking these domains and their related IOCs to protect our users. Severing traffic to the command-and-control (C2) infrastructure means that harvested data cannot reach the affiliate even if a host is infected. We urge security professionals to verify that their blocklists include these specific domains so that affiliates using this malware cannot exfiltrate stolen credentials and wallet data.
Recommendations
To defend against the Arkanix Stealer and similar credential harvesting tools, we recommend the following mitigation strategies:
- Block Known Malicious Domains: Ensure network firewalls and DNS filtering systems block access to arkanix[.]pw and arkanix[.]ru, including their subdomains.
- Monitor for Suspicious File Names: Configure EDR or Sysmon process-creation monitoring to alert on executables and scripts whose names match patterns such as *_botter.exe, *_checker.exe or *_bot.py. For Python lures, inspect the command line of the interpreter, since the script name is not the image name. Treat these matches as triage signals rather than verdicts; legitimate tooling can share the naming.
- Browser Hardening: Since ChromElevator works by running code inside the browser process, alert on non-browser processes that inject into or open handles to chrome.exe and msedge.exe, keep browsers current so that vendor hardening of App-Bound Encryption is in place, and apply application control so that unapproved executables cannot launch from user-writable directories such as Downloads.
- Suspicious Attachment Handling: Train users not to run Python scripts or .exe files received unexpectedly, particularly those promising free Nitro codes or account checking tools.
- Endpoint Detection: Ensure EDR solutions are configured to detect common infostealer behaviours, such as process injection into and memory access of browser processes, reads of cryptocurrency wallet directories, and unusual outbound HTTP connections from unsigned binaries.
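As an added example (not code from the original report or from SecLookup's platform), the following Python script implements the two detection recommendations above and the IOC list in one place: it refangs the defanged domains, matches DNS queries against them including subdomains, and flags process-creation events whose image or command line carries a lure-style file name. The telemetry records are constructed for this example, and the name heuristic is deliberately broader than the literal *_checker.exe / *_bot.py globs (case-insensitive, no underscore required) so that CamelCase names such as TikTokAccountBotter.exe also match.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry for this example (not from a real incident):
# Sysmon-style process-creation records and DNS-query records as dicts.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "image": r"C:\Users\alice\Downloads\TikTokAccountBotter.exe"},
    {"type": "process", "host": "WS01",
     "image": r"C:\Python312\python.exe",
     "cmdline": r'"C:\Python312\python.exe" C:\Users\alice\Downloads\steam_account_checker_pro_v1.py'},
    {"type": "process", "host": "WS02",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "dns", "host": "WS01", "query": "arkanix.pw"},
    {"type": "dns", "host": "WS02", "query": "update.arkanix.ru"},  # subdomain of an IOC
    {"type": "dns", "host": "WS03", "query": "notarkanix.ru"},       # must NOT match
    {"type": "dns", "host": "WS03", "query": "www.example.com"},
]

# The domains from the IOC section, written defanged as analysts usually share them.
BLOCKLIST_DEFANGED = ["arkanix[.]pw", "arkanix[.]ru"]

# Lure-name heuristic: 'checker', 'botter' or 'bot' ending the base name of an
# .exe or .py, optionally followed by suffixes such as _pro_v1.  Broader than the
# literal globs in the recommendations; tune it against your own environment.
LURE_NAME_RE = re.compile(r"(?:checker|botter|bot)(?:_\w+)*\.(?:exe|py)$", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn 'arkanix[.]pw' or 'hxxp://' back into a matchable domain or URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


BLOCKLIST = {refang(d) for d in BLOCKLIST_DEFANGED}


def domain_matches(query: str, blocklist=BLOCKLIST) -> bool:
    """True if the queried name is a blocklisted domain or one of its subdomains."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in blocklist)


def basename(path: str) -> str:
    """Last path component for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def suspicious_filename(path: str) -> bool:
    return bool(LURE_NAME_RE.search(basename(path)))


@dataclass
class Alert:
    host: str
    rule: str
    evidence: str


def scan(events) -> list[Alert]:
    """Run both rules over a list of event dicts and return the alerts raised."""
    alerts = []
    for ev in events:
        if ev["type"] == "dns" and domain_matches(ev["query"]):
            alerts.append(Alert(ev["host"], "arkanix-c2-domain", ev["query"]))
        elif ev["type"] == "process":
            # Check the image itself and, for interpreters such as python.exe,
            # every token of the command line, where the script name lives.
            candidates = [ev["image"]] + ev.get("cmdline", "").split()
            hit = next((c for c in candidates if suspicious_filename(c)), None)
            if hit:
                alerts.append(Alert(ev["host"], "arkanix-lure-filename", basename(hit)))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.host}: {a.rule} -> {a.evidence}")
```

Run against the constructed events the script raises four alerts: two lure-name hits on WS01, one for the bare IOC domain and one for a subdomain of it, while notarkanix.ru is correctly ignored because matching is on the domain boundary rather than on a substring. Feed it real Sysmon Event ID 1 and Event ID 22 records converted to the same dict shape to use it as a quick retro-hunt.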
References
- Kirill Korchemny, Omar Amin. "Arkanix Stealer: a C++ & Python infostealer." Securelist (Kaspersky GReAT).