OnyxC2 Stealer: Advanced Malware-as-a-Service Threatens Enterprise Security and Supply Chain Integrity in 2026

Executive Summary

Publication Date: June 2026

The emergence of OnyxC2 Stealer marks a significant escalation in the Malware-as-a-Service (MaaS) landscape, offering cybercriminals enterprise-grade credential theft and remote access capabilities for as little as $250 per month. This report provides a comprehensive analysis of OnyxC2, examining its technical innovations, operational risks, and the broader implications for organizational security and supply chain integrity.

Introduction

OnyxC2 is a sophisticated stealer toolkit that surfaced on cybercrime forums in early 2024. Marketed as a complete credential theft and remote access solution, it is designed for stealth, persistence, and ease of use, targeting a wide array of applications and platforms. Its rapid adoption and advanced evasion techniques have made it a formidable threat to organizations of all sizes, particularly those with complex third-party dependencies.

Technical Analysis

OnyxC2 is engineered to harvest credentials, session cookies, and sensitive data from approximately 210 applications and extensions, spanning browsers, password managers, two-factor authentication (2FA) tools, cryptocurrency wallets, FTP clients, email clients, VPNs, remote access tools, messaging platforms, note-taking apps, and gaming software. The stealer’s core is written in C++ with assembly for direct syscalls, and each build is uniquely mutated to evade signature-based detection.

The malware employs advanced delivery mechanisms, notably DLL sideloading and the use of legitimate signed binaries. A typical infection involves a legitimate application with a valid Authenticode signature, paired with a malicious DLL disguised as a trusted library (such as an NVIDIA graphics component). The payload remains encrypted until runtime, rendering it virtually invisible to traditional antivirus solutions. According to independent analysis, a runtime scan of OnyxC2 showed detection by only 2 out of 18 antivirus engines, while the signed host executable scored zero detections across 71 engines on VirusTotal.

Persistence is a key feature, with OnyxC2 maintaining access across user sessions. This enables continuous exfiltration of credentials, session tokens, and other sensitive data, even as users update passwords or enable additional security measures. The malware supports both EXE and DLL output, Cloudflare-fronted HTTPS command-and-control (C2) channels, anti-virtual machine detection, scheduled-task autorun, self-copying, and loader functionality. All payloads and build downloads are protected with AES-256 encryption.

Key Innovations and Differentiators

OnyxC2 distinguishes itself through several technical and operational innovations. Its use of legitimate signed binaries for DLL sideloading exploits trust in the software supply chain, allowing it to bypass many endpoint security controls. The modular architecture and web-based control panel lower the barrier for less-skilled attackers, enabling them to launch sophisticated campaigns with minimal effort. The developers’ confidence in their evasion techniques is underscored by their offer of refunds if a build is detected, and the product’s active maintenance ensures rapid evolution and adaptation to new security measures.

The stealer’s reach is unprecedented, targeting not only consumer applications but also business-critical systems such as FTP and email clients. This extends the impact of a single compromise from individual credential theft to persistent access across an organization’s operational infrastructure.

Security Implications and Risks

The security implications of OnyxC2 are profound. By scraping password managers, 2FA extensions, and session cookies, the malware can bypass many of the controls organizations rely on to protect sensitive data. One observed infection resulted in the theft of 55 saved passwords, 4,717 cookies, 719 autofill entries, two payment cards, and a cryptocurrency wallet from a single host.

The use of legitimate signed binaries and encrypted payloads makes detection and remediation extremely challenging. OnyxC2’s persistence mechanisms ensure that attackers maintain long-term access, enabling ongoing surveillance, data theft, and lateral movement within compromised environments. The risk is further amplified by the malware’s ability to exploit supply chain trust, as attackers do not need to exploit vulnerabilities in signed binaries—simply placing a malicious DLL with the expected name alongside a trusted executable is sufficient.

Supply Chain and Third-Party Dependencies

OnyxC2 leverages the integrity of the software supply chain to facilitate infection. By using authentic software and signed installers, it can evade many traditional security controls. This highlights the critical importance of supply chain risk management, as organizations increasingly rely on third-party software and vendors. Regular validation of third-party software integrity, advanced endpoint protection, and behavioral monitoring are essential to detect and prevent such attacks.

Security Controls and Compliance

To defend against threats like OnyxC2, organizations must implement advanced endpoint protection, application whitelisting, and behavioral monitoring capable of detecting sideloading and encrypted payloads. Regular supply chain risk assessments and validation of third-party software are critical. Compliance frameworks such as those published by NIST and ISO 27001 require robust controls for credential management, privileged access, and incident response, all of which are directly threatened by OnyxC2's capabilities.
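The sideloading pattern described above (a validly signed host executable paired with a malicious DLL carrying an expected library name in the same folder) is what the behavioral monitoring recommended here needs to catch. The following is an added example, not code from this report or from Rescana: it applies one such detection heuristic to constructed Sysmon Event ID 7 style image-load records. It assumes the Sysmon field names Image, ImageLoaded, Signed, Signature and SignatureStatus, and that the host's own signer can be read from the event in which the process maps its own image; all paths, publisher names and DLL names are placeholders, not OnyxC2 indicators.

```python
import ntpath
from typing import Dict, Iterable, List

# Constructed sample events (not real telemetry); field names follow Sysmon
# Event ID 7. Paths, publishers and file names are placeholders, not OnyxC2
# indicators. Each record is one image load by the process in "Image".
HOST = r"C:\Users\alice\Downloads\Viewer\Viewer.exe"
EVENTS: List[Dict[str, str]] = [
    # The signed host executable mapping its own image.
    {"Image": HOST, "ImageLoaded": HOST, "Signed": "true",
     "Signature": "Example Software Ltd", "SignatureStatus": "Valid"},
    # An OS library resolved from System32: not in the application directory.
    {"Image": HOST, "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # An unsigned DLL dropped beside the signed host: sideloading candidate.
    {"Image": HOST, "ImageLoaded": r"C:\Users\alice\Downloads\Viewer\gfxhelper.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # A same-directory DLL signed by the host's own publisher: expected.
    {"Image": HOST, "ImageLoaded": r"C:\Users\alice\Downloads\Viewer\viewercore.dll",
     "Signed": "true", "Signature": "Example Software Ltd", "SignatureStatus": "Valid"},
]


def find_sideload_candidates(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return events where a validly signed process loads a DLL from its own
    directory that is unsigned, not validly signed, or signed by another publisher."""
    events = list(events)
    # Assumption: the host's signer is taken from the event in which the loaded
    # image is the process image itself (Sysmon logs that load like any other).
    host_signer = {
        e["Image"].lower(): e["Signature"] for e in events
        if e["Image"].lower() == e["ImageLoaded"].lower()
        and e["Signed"] == "true" and e["SignatureStatus"] == "Valid"
    }
    hits = []
    for e in events:
        proc, dll = e["Image"].lower(), e["ImageLoaded"].lower()
        if proc == dll or proc not in host_signer or not dll.endswith(".dll"):
            continue
        if ntpath.dirname(proc) != ntpath.dirname(dll):
            continue  # only libraries resolved from the application's own folder
        valid = e["Signed"] == "true" and e["SignatureStatus"] == "Valid"
        if not valid or e["Signature"] != host_signer[proc]:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in find_sideload_candidates(EVENTS):
        print("possible sideload:", hit["Image"], "->", hit["ImageLoaded"])
```

A DLL signed by a publisher other than the host's is flagged as well, which covers a malicious library that carries its own (unrelated) signature; libraries loaded from system directories are deliberately out of scope for this heuristic.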

Industry Adoption and Integration Challenges

The ease of use, modularity, and persistent access features of OnyxC2 make it attractive to a wide range of cybercriminals, from opportunistic attackers to those conducting targeted campaigns. Its web-based control panel and builder lower the technical barrier to entry, increasing the risk profile for organizations of all sizes, particularly those with limited security resources or legacy systems.

Vendor Security Practices

The developers behind OnyxC2 demonstrate a customer-centric approach to criminal service delivery, offering refunds for detected builds and actively maintaining the product. Features in the control panel that are not yet advertised suggest ongoing development and rapid evolution, further complicating defensive efforts.

Cyber Perspective

From a cyber defense perspective, OnyxC2 represents a significant escalation in the commoditization of advanced credential theft and remote access capabilities. Its use of legitimate signed binaries for sideloading, persistent access, and encrypted exfiltration channels makes it extremely difficult to detect and remediate. Attackers can leverage OnyxC2 to gain long-term, stealthy access to both consumer and enterprise environments, bypassing traditional security controls and undermining multi-factor authentication and password management best practices.

For defenders, this necessitates a shift from signature-based detection to behavioral analysis, supply chain validation, and robust incident response. The risk of supply chain compromise is heightened, as OnyxC2 exploits trust in legitimate software. Organizations must be vigilant about third-party dependencies and enforce strict controls on software installation and execution.

The market impact is profound: OnyxC2 lowers the technical barrier for cybercriminals, enabling a wider range of actors to launch sophisticated attacks. This increases the threat landscape for all organizations, especially those with limited security resources or legacy systems.

About Rescana

Rescana’s Third-Party Risk Management (TPRM) platform is designed to help organizations identify, assess, and mitigate risks from supply chain and third-party dependencies. Our platform provides continuous monitoring, automated risk assessments, and actionable insights to ensure your vendors and partners adhere to the highest security standards. With Rescana, you can proactively manage your third-party ecosystem, reduce exposure to advanced threats, and maintain compliance with industry regulations. Let us help you build a resilient and secure supply chain—contact us to learn more about our TPRM solutions.

We are happy to answer any questions at ops@rescana.com.

Sources:

https://www.blackfog.com/inside-onyxc2-the-new-stealer-targeting-210-apps/

https://securityaffairs.com/193523/malware/onyxc2-malware-as-a-service-offers-enterprise-grade-data-theft.html?amp