OnyxC2 Malware-as-a-Service Offers Enterprise-Grade Data Theft

Pierluigi Paganini June 11, 2026

OnyxC2 is a MaaS stealer targeting 210+ apps, using DLL sideloading, encrypted payloads, and remote access features to evade detection.

OnyxC2 appeared on a cybercrime forum earlier this year and is sold as a subscription service: $250 per month for the standard build, $500 for the premium tier that includes HVNC, and $6,000 for an outright source code purchase that comes with an installation guide and optional setup support for buyers who don’t know what they’re doing.

The developers are confident enough in their evasion capabilities to offer refunds if a build gets detected. That’s not bravado. It’s a service guarantee backed by actual technical work.

BlackFog researchers obtained and analyzed two samples. The target list covers 37 Chromium-based browsers and 8 Gecko-based ones, 95 Chromium extensions and 14 Gecko extensions including 6 dedicated two-factor authentication extensions, 5 password managers, 17 cryptocurrency wallets, 11 FTP clients, 5 email clients, and a further spread of VPN, remote access, messaging, note-taking, and gaming applications.

“A stealer that scrapes password managers and 2FA extensions alongside saved logins is built to collect the credentials and session material that survive a password reset. The FTP and email targets push it past consumer credential theft and into the business systems that small finance and operations teams rely on every day,” reads the report published by BlackFog. “One infected host shown in the panel had already surrendered 55 saved passwords, 4,717 cookies, 719 autofill entries, 2 cards, and a wallet.”

One infected host visible in the operator panel had already handed over 55 saved passwords, 4,717 cookies, 719 autofill entries, 2 payment cards, and a cryptocurrency wallet.

The remote access toolkit bundled with the stealer goes well beyond credential harvesting. It includes HVNC over a web browser, LSASS memory dumping, RunPE execution both in memory and on disk, a reverse SOCKS5 proxy, screenshot capture, a keylogger, a file manager, a reverse shell over HTTP, a built-in Tor tunnel, and AES-256-encrypted build downloads. Not all of these appear in the developers’ public sales material, which suggests active development is outpacing the marketing copy. That’s either reassuring or alarming depending on which side of the transaction you’re on.

The delivery mechanism is the technically interesting part. Inside the build is a legitimate application carrying a valid Authenticode signature, which scores zero detections across 71 antivirus engines on VirusTotal. Paired with it is a DLL disguised as an NVIDIA graphics library, with the malicious payload appended after legitimate content so the file looks valid at a glance. When the victim runs the installer, the signed executable loads the malicious DLL alongside it through sideloading. The payload stays encrypted until runtime, so there’s nothing to detect on disk before execution begins.
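The appended-payload trick described above leaves a measurable trace on disk: bytes that sit beyond the last PE section (the overlay). The Python below is an added illustration, not code from the BlackFog report or from the OnyxC2 samples; it walks the PE headers to find the overlay, subtracts the Authenticode certificate table that a legitimately signed file keeps there, and flags large high-entropy remainders. The `build_sample` helper constructs a minimal dummy PE purely as test input.

```python
import math
import struct

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def pe_overlay_report(data: bytes):
    """Measure bytes beyond the last PE section. A signed file legitimately keeps its
    Authenticode certificate table there, so that region does not count as unexplained."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt_start = e_lfanew + 24
    sec_table = opt_start + opt_size
    end = sec_table + nsections * 40                       # at least the headers
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    # Data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY): file offset and size of the cert table
    magic, = struct.unpack_from("<H", data, opt_start)
    dd = opt_start + (112 if magic == 0x20B else 96) + 4 * 8
    cert_off, cert_size = struct.unpack_from("<II", data, dd) if dd + 8 <= sec_table else (0, 0)
    signed = cert_size > 0 and end <= cert_off and cert_off + cert_size <= len(data)
    unexplained = data[end:cert_off] + data[cert_off + cert_size:] if signed else data[end:]
    return {"overlay_offset": end, "overlay_size": len(data) - end, "has_cert_table": signed,
            "unexplained_size": len(unexplained), "unexplained_entropy": round(shannon_entropy(unexplained), 2)}

def flag_suspicious(data: bytes, min_bytes: int = 1024, min_entropy: float = 7.0) -> bool:
    """True when trailing data no certificate table accounts for is both large and near-random."""
    r = pe_overlay_report(data)
    return r is not None and r["unexplained_size"] >= min_bytes and r["unexplained_entropy"] >= min_entropy

def build_sample(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 with one .text section; test input only, not a real binary."""
    opt_size, sec_ptr, body = 224, 0x200, b"\x90" * 64
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)           # PE32 magic, rest zeroed
    sec = b".text\0\0\0" + struct.pack("<IIII", len(body), 0x1000, len(body), sec_ptr) + b"\0" * 16
    return (dos + coff + opt + sec).ljust(sec_ptr, b"\0") + body + overlay
```

Thresholds are a starting point: installers and self-extracting archives also carry overlays, so treat a hit as a triage signal to pair with the sideloading context (an unsigned DLL beside a signed host binary) rather than a verdict on its own.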

“Both delivery archives came back clean on their first VirusTotal upload, and the malicious component inside them was still unflagged when we last checked on May 30, 2026,” states the report.

The developers aren’t just claiming evasion. They’re delivering it.

The package also ships with ready-made lure installers: FinePrint, SystemSettings, a fake Windows update package, and Fling-Standalone for gaming audiences. These aren’t afterthoughts. They’re distribution assets bundled into the product for buyers who need help getting the payload in front of victims.

“The developer markets OnyxC2 as a complete product, with a Bots page, a Logs page, a Builder, a Users page with roles, and a Settings page offering cloud storage and AES-256 build encryption,” continues BlackFog. “It is software sold and supported like a commercial product, which is what puts a capable stealer in the hands of buyers who could never write one.”

The $250 entry price includes not just the stealer but the entire operational kit: lures, panel access, evasion, and a support channel. At that price point, the barrier to running a credential theft operation is lower than a monthly gym membership most people don’t use.

Persistence is what converts a one-time infection into prolonged access. OnyxC2 is designed to maintain its foothold across sessions, which means one compromised workstation doesn’t yield a snapshot of credentials at a single point in time. It yields continuous access to everything that workstation touches: browsers, password managers, 2FA tokens, email, FTP sessions, VPN credentials, and cryptocurrency wallets, refreshed as the victim keeps working. The combination of a 210-application target list, verified evasion against current antivirus engines, and persistent access turns a single phishing click into standing visibility into someone’s entire working life.

“A stealer with this reach turns one compromised workstation into standing access across a person’s working life,” concludes the report. “Stolen session cookies bypass a fresh login, password-manager vaults hand over the long tail of credentials, 2FA backup material undermines the second factor, and FTP and email connections expose customer systems directly. With HVNC, the operator inherits the victim’s authenticated browser outright.”
