OnyxC2 Stealer Offers Cybercriminals Enterprise-Grade Theft for $250 a Month
Researchers say the OnyxC2 malware targets more than 200 applications and extensions while evading detection through encrypted payloads, DLL sideloading, and in-memory execution techniques. The post OnyxC2 Stealer Offers Cybercriminals Enterprise-Grade Theft for $250 a Month appeared first on SecurityWeek.
AI Analysis
Technical Summary
OnyxC2 is a commercial stealer sold as malware-as-a-service (MaaS) starting at $250 per month. It targets roughly 210 applications and browser extensions across nine categories, including Chromium- and Gecko-based browsers, password managers, cryptocurrency wallets, FTP clients, and email clients. To evade detection it uses encrypted payloads, DLL sideloading (the loader masquerades as a legitimate NVIDIA DLL), and in-memory execution. Beyond data theft it ships a remote-access toolkit: hidden VNC (HVNC) through the victim's browser, LSASS memory dumping, RunPE in-memory process execution, a reverse SOCKS5 proxy, a keylogger, a file manager, a reverse shell over HTTP, TOR tunnelling, and AES-256-encrypted download of builds. The researchers report that the initial samples returned zero detections on VirusTotal when they were first found. The developers offer several purchase tiers, including a private sale of the source code. Together these capabilities give an operator broad credential and session theft plus persistent, standing access to the victim host.
Potential Impact
OnyxC2 lets attackers steal credentials, cookies, autofill data, payment card details, and cryptocurrency wallet data from infected hosts, on consumer and business systems alike. Because it harvests password-manager vaults, session cookies, and data from browser-based two-factor authentication extensions, a password reset alone does not end the compromise: stolen session tokens and authenticator secrets remain usable until sessions are revoked and second factors are re-enrolled. Its persistence and stealth techniques allow prolonged unauthorized access, and the bundled remote-access tools let the operator move from passive data theft to interactive control and further exfiltration. The initial samples were undetected by antivirus engines at the time of discovery, which raises the likelihood that infections succeed.
Mitigation Recommendations
This is malware rather than a vulnerability in a specific product, so there is no vendor patch to apply; the defenses are behavioral detection, containment, and credential hygiene. Because the samples evade static antivirus scanning, rely on endpoint detection and response (EDR) tooling that watches behavior: a vendor-named DLL loaded from a user-writable directory (the DLL-sideloading pattern), a non-system process opening lsass.exe with memory-read access, and RunPE-style in-memory execution or injection. Monitor the network for unusual outbound connections, in particular TOR traffic and reverse SOCKS5 proxy tunnels originating from workstations. Train users not to run unexpected installers or lures, since that is the delivery path. Because OnyxC2 is sold as a service to many operators, block known command-and-control infrastructure as it is published and share indicators through threat-intelligence channels. After any confirmed infection, treat every credential and session that was on the host as compromised: rotate passwords, revoke active sessions and refresh tokens, re-enroll authenticators, and move funds out of any wallet whose data was stored on the machine.
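The behaviors the mitigation paragraph asks EDR tooling to catch can be written as simple rules over endpoint telemetry. The script below is an added example, not code from the article or from the researchers who analyzed OnyxC2: it triages constructed Sysmon-style events (Event ID 7 ImageLoad and Event ID 10 ProcessAccess) for the two most specific behaviors described above, a vendor-named DLL loaded from a user-writable path and a non-system process opening lsass.exe with memory-read rights. The NVIDIA filename pattern, the directory lists, the names nvhelper.dll and setup.exe, and every event record are assumptions constructed for the example; the article names no file paths or indicators.

```python
"""Triage constructed Sysmon-style events for two behaviours attributed to OnyxC2:
DLL sideloading under a vendor (NVIDIA) file name, and LSASS memory access.
All events, paths and names below are constructed sample data, not real indicators.
"""
import re
from dataclasses import dataclass

# Directories a legitimately installed vendor DLL is expected to load from.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Directory fragments any user can write to; a vendor-named DLL here is the
# classic sideloading shape (a benign-looking host EXE dropped next to a rogue DLL).
WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")

# Assumed name heuristic for "looks like an NVIDIA component"; the article names
# no actual DLL, so this regex is an illustration, not an indicator.
VENDOR_DLL_RE = re.compile(r"(^|\\)(nv|nvidia)[a-z0-9_-]*\.dll$", re.IGNORECASE)

# PROCESS_VM_READ (0x10) is the access right a credential dumper needs on LSASS;
# typical dump tools request masks such as 0x1010 or 0x1FFFFF that include it.
PROCESS_VM_READ = 0x10


@dataclass
class Finding:
    rule: str      # which rule fired
    process: str   # process that performed the action
    detail: str    # loaded DLL path, or the granted access mask


def is_sideload_candidate(image_loaded: str, signed: bool) -> bool:
    """Sysmon Event 7: vendor-named DLL outside trusted dirs, or unsigned anywhere."""
    path = image_loaded.lower()
    if not VENDOR_DLL_RE.search(path):
        return False
    if path.startswith(TRUSTED_DIRS) and signed:
        return False          # expected install location with a valid signature
    return any(d in path for d in WRITABLE_DIRS) or not signed


def is_lsass_access(target_image: str, source_image: str, granted_access: int) -> bool:
    """Sysmon Event 10: a non-System32 process gets memory-read access to lsass.exe."""
    if not target_image.lower().endswith("\\lsass.exe"):
        return False
    if not (granted_access & PROCESS_VM_READ):
        return False          # query-only handles (e.g. 0x1400) cannot dump memory
    # System components under System32 routinely open LSASS; a real deployment
    # would also allow-list the installed AV/EDR agents here.
    return not source_image.lower().startswith("c:\\windows\\system32\\")


def triage(events):
    """Run both rules over a list of event dicts and return the findings in order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 7 and is_sideload_candidate(ev["ImageLoaded"], ev["Signed"]):
            findings.append(Finding("dll_sideload", ev["Image"], ev["ImageLoaded"]))
        elif ev["EventID"] == 10 and is_lsass_access(
            ev["TargetImage"], ev["SourceImage"], ev["GrantedAccess"]
        ):
            findings.append(Finding("lsass_access", ev["SourceImage"], hex(ev["GrantedAccess"])))
    return findings


# Constructed sample telemetry (not real OnyxC2 events). nvhelper.dll and
# setup.exe are hypothetical names chosen for the example.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Program Files\\NVIDIA Corporation\\NVSMI\\nvidia-smi.exe",
     "ImageLoaded": "C:\\Windows\\System32\\nvapi64.dll", "Signed": True},
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\nvhelper.dll", "Signed": False},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": 0x1FFFFF},
    {"EventID": 10, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": 0x1010},
    {"EventID": 10, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": 0x1400},
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": True},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:13} {f.process} -> {f.detail}")
```

Run against the sample data, only the unsigned nvhelper.dll load from the Temp directory and the 0x1010 handle to lsass.exe from the same setup.exe are reported; the signed nvapi64.dll load from System32, csrss.exe's LSASS handle, and the query-only 0x1400 handle are not. In production the System32 check in is_lsass_access would be joined with an allow-list of the specific AV/EDR agents that legitimately read LSASS, and the Signed boolean would be replaced by verifying that the signer is the vendor the filename claims, since a validly signed DLL from the wrong publisher is exactly what a sideloading loader looks like.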
Technical Details
- Article Source: https://www.securityweek.com/onyxc2-stealer-offers-cybercriminals-enterprise-grade-theft-for-250-a-month/ (fetched 2026-06-11T13:07:53Z, 1370 words)
Threat ID: 6a2ab32957b0f63cf3ab3b48
Added to database: 6/11/2026, 1:07:53 PM
Last enriched: 6/11/2026, 1:08:14 PM
Last updated: 6/11/2026, 4:28:53 PM