Inside OnyxC2: The New Stealer Targeting 210 Apps
OnyxC2 is a malware-as-a-service stealer that emerged in early 2026, targeting approximately 210 applications including browsers, extensions, password managers, cryptocurrency wallets, FTP clients, email clients, and VPN/messaging apps. It is written in C++ with assembly for direct syscalls and achieves high detection evasion through mutated builds. It is delivered via DLL sideloading using signed binaries and is sold in pricing tiers, with higher tiers adding advanced remote access capabilities such as HVNC, LSASS dumping, reverse SOCKS5 proxy, keylogging, and reverse shell. Distribution occurs through fake installers in password-protected archives, with command and control communication over Cloudflare-fronted HTTPS domains.
AI Analysis
Technical Summary
OnyxC2 is a sophisticated malware-as-a-service platform sold on cybercrime networks for $250 monthly. It includes a web panel and payload builder, targeting 210 applications across nine categories, notably including 45 browsers, 109 extensions (including 2FA tools), 5 password managers, and 17 cryptocurrency wallets. The malware uses mutated builds to evade detection at a 99% rate and employs DLL sideloading via signed binaries for delivery. Higher subscription tiers unlock remote access features such as hidden VNC, LSASS credential dumping, reverse SOCKS5 proxy, keylogging, and reverse shell capabilities. Distribution is conducted through fake installers delivered as password-protected archives. The malware communicates with its command and control server over HTTPS fronted by Cloudflare, specifically to the domain akmuniverstall.top. There is no indication of known exploits in the wild or vendor patches, as this is a malware threat rather than a software vulnerability.
Potential Impact
OnyxC2 compromises user credentials and sensitive data by stealing information from a wide range of applications including browsers, extensions, password managers, and cryptocurrency wallets. The malware's advanced evasion techniques reduce detection likelihood, increasing the risk of prolonged undetected access. Its remote access capabilities enable attackers to perform credential dumping, keylogging, and establish reverse shells, potentially leading to full system compromise and lateral movement within networks. The theft of two-factor authentication tokens and cryptocurrency wallets poses significant risks to account security and financial assets.
Mitigation Recommendations
No official patches or fixes exist as this is malware rather than a software vulnerability. Mitigation focuses on detection and prevention measures such as blocking the identified command and control domain (akmuniverstall.top), monitoring for the listed malware hashes, and preventing DLL sideloading attacks by enforcing application whitelisting and validating signed binaries. Users should avoid executing software from untrusted sources, especially password-protected archives and fake installers. Endpoint detection and response solutions should be updated to recognize mutated variants of this malware. Network defenses should monitor for unusual HTTPS traffic to Cloudflare-fronted domains associated with this threat.
Indicators of Compromise
- domain: akmuniverstall.top
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.blackfog.com/inside-onyxc2-the-new-stealer-targeting-210-apps
- Adversary: null
- Pulse Id: 6a301309d410a2c508c138d4
- Threat Score: null
Threat ID: 6a3036a80b89be6888612abe
Added to database: 6/15/2026, 5:30:16 PM
Last enriched: 6/15/2026, 5:45:18 PM
Last updated: 6/15/2026, 6:34:40 PM