Deep Dive into Arkanix Stealer and its Infrastructure

Arkanix Stealer is an actively developed credential‑theft malware family that is primarily advertised on Discord, where its operators have been promoting rapid updates and new feature additions.

While the initial release of Arkanix was written in Python, the threat actors have since expanded its capabilities by implementing a C++ variant, marketed as a “Premium” edition.

Distribution for both versions appears to rely on Discord, where the malware is shared under the guise of legitimate tools, as well as on various online forums. The Premium tier further extends its functionality by offering the theft of VPN accounts, Steam accounts, screenshots, and Wi‑Fi credentials, alongside paid “Support.” To hinder analysis and detection, Arkanix Stealer’s payloads are obfuscated using VMProtect.

Stealer Capabilities and Functionality

Arkanix Stealer provides a wide collection of credential theft and data harvesting features across multiple categories. Its behavior can be broken down into the following major capability groups:

  • Security Evasion: Arkanix bypasses AMSI and ETW to evade malware scanners and security solutions that rely on event logging.

  • Anti‑Analysis & Anti‑VM: The stealer is protected with VMProtect and employs multiple anti‑analysis and anti‑VM techniques, including debugger detection, virtualized environment checks, sleep‑skipping detection, and more.

  • Browser Data Exfiltration: Arkanix targets Chromium‑based browsers and uses ChromElevator to bypass App‑Bound Encryption (ABE), allowing it to extract sensitive browser data.

  • Cryptocurrency Wallet, Password Manager, and 2FA Extension Theft: It targets various browser‑based cryptocurrency wallets, password managers, and two‑factor authentication extensions.

  • Multi-Application Credential Harvesting: Arkanix targets and extracts sessions and credentials from a wide range of applications, including Discord variants, gaming clients, multiple VPN clients, RDP connection files, FileZilla, and Telegram.

  • WiFi Credential Harvesting: The stealer retrieves stored WiFi profiles and decrypts the associated credentials.

  • System Information Collection: The malware gathers detailed system metadata, including CPU, GPU, RAM, operating system version, timezone, hardware identifiers, etc.

  • Screenshot Capture: It captures full‑screen screenshots.

  • Command‑and‑Control (C2) Communication: Arkanix packages all collected data and exfiltrates it to a remote command‑and‑control server.

Arkanix’s Infrastructure Analysis

The Arkanix Stealer Panel is accessible at arkanix[.]pw/login. Account creation for the web panel is restricted and requires an invite code, which operators distribute through their Discord server.

Arkanix login panel — Source: G DATA Security Blog
Arkanix Dashboard — Source: G DATA Security Blog

Before diving deeper into the stealer analysis, it’s helpful to look at the infrastructure supporting the Arkanix panel and how the domain is actually hosted.

The arkanix[.]pw domain is hosted behind Cloudflare

When a website uses Cloudflare, all incoming traffic to that website first goes through Cloudflare’s servers, which then forward the requests to the actual server hosting the site. Because all requests go through Cloudflare, the domain resolves to Cloudflare IP addresses instead of the origin server’s IP: a DNS lookup shows only Cloudflare’s IP, not the real server.

Validin connects to each virtual host at its assigned IPv4 address, using SNI to retrieve virtual-host-specific TLS certificates and custom server headers to get virtual-host-specific server responses. This approach ensures thorough coverage across the millions of domains protected by Cloudflare.

When attackers expose their origin IPs to web crawling, Validin links the Cloudflare-hosted IPs and responses, associated via DNS, to the origin IPs that may present Cloudflare-issued certificates. This mapping enables the identification of IPs shielded by Cloudflare. While threat actors rely on proxies like Cloudflare to conceal their infrastructure, leaving origin IPs publicly accessible is an OPSEC oversight that allows them to be tracked.

In the Host Connections tab, most entries are related to Cloudflare, but on the second page there are two interesting IPs that are not associated with Cloudflare.

Both IP addresses are hosted by 1984 Hosting, an Iceland-based service provider operating under Autonomous System Number AS44925.

However, 195.246.231[.]60 is the more important one for us. This IP directly hosts the malware’s control panel on port 5000, running a Python backend served through the Waitress WSGI application server. The server is configured to accept cross-origin requests from arkanix[.]pw.

Understanding the infrastructure helps in tracking and hunting additional C2 servers used by the malware.

Bypass AMSI By Memory Patching

The malware first loads amsi.dll and resolves the address of the AmsiScanBuffer function, which is responsible for scanning memory buffers for malware.

Next, it changes the memory permissions of the function to PAGE_EXECUTE_READWRITE so that it can overwrite the beginning of AmsiScanBuffer.

It then writes two values:

  • First Value: 0x070057B8 in Little Endian is stored as: B8 57 00 07
  • Second Value: 0xC380 is stored as 80 C3.

When combined, the final byte sequence becomes: B8 57 00 07 80 C3

These bytes correspond to the following assembly instructions:

B8 57 00 07 80    MOV EAX, 0x80070057
C3                RET

These instructions are a well-known AMSI bypass. By forcing the function to return 0x80070057 (E_INVALIDARG) immediately, the malware skips the actual scan: the calling process assumes the scan failed or was invalid, allowing potentially harmful code to run undetected.

ETW Bypass

Next, Arkanix bypasses Event Tracing for Windows (ETW), a powerful kernel-level logging mechanism built into Windows and used by modern security tools (EDR and antivirus) to detect malware.

It loads ntdll.dll and gets the address of the EtwEventWrite function. As in the previous bypass, it changes the protection of the function to PAGE_EXECUTE_READWRITE and places 0xC3 (RET) at the very first byte of the function.

That forces EtwEventWrite to return immediately to the caller without executing any of its logging logic, effectively avoiding any detection based on event logging.
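A defender-side integrity check for the two patches described above, added here as an example and not code from the write-up: it packs the two values from the AMSI section to confirm they form the 6-byte stub, then classifies function prologues read from a live process or a memory dump. The sample prologues are constructed.

```python
import struct

# The two values the write-up says are written at the start of AmsiScanBuffer,
# a DWORD 0x070057B8 then a WORD 0xC380, both stored little-endian.
AMSI_PATCH = struct.pack("<I", 0x070057B8) + struct.pack("<H", 0xC380)
assert AMSI_PATCH == bytes.fromhex("b857000780c3")  # mov eax, 0x80070057 ; ret

E_INVALIDARG = 0x80070057


def decode_forced_hresult(prologue: bytes):
    """Return imm32 if the prologue is `mov eax, imm32 ; ret` (B8 xx xx xx xx C3),
    otherwise None."""
    if len(prologue) >= 6 and prologue[0] == 0xB8 and prologue[5] == 0xC3:
        return struct.unpack_from("<I", prologue, 1)[0]
    return None


def classify_prologue(prologue: bytes) -> str:
    """Classify the first bytes of an exported function read from a live process
    or a memory dump:
      'ret-patch'  bare RET at offset 0 (the EtwEventWrite patch)
      'amsi-patch' forced E_INVALIDARG stub (the AmsiScanBuffer patch)
      'clean'      neither pattern"""
    if prologue[:1] == b"\xc3":
        return "ret-patch"
    hres = decode_forced_hresult(prologue)
    if hres == E_INVALIDARG:
        return "amsi-patch"
    if hres is not None:
        return f"mov-eax-ret-stub(0x{hres:08X})"
    return "clean"


# Constructed sample prologues (not real memory dumps): the two patches from
# the write-up and an ordinary `mov r11, rsp ; mov [r11+8], rbx` x64 prologue.
SAMPLES = {
    "AmsiScanBuffer": AMSI_PATCH + bytes.fromhex("cccc"),
    "EtwEventWrite": bytes.fromhex("c3") + bytes.fromhex("8bdc49895b08"),
    "AmsiInitialize": bytes.fromhex("4c8bdc49895b08"),
}


def scan(samples=SAMPLES) -> dict:
    """Map each function name to its verdict; anything but 'clean' is a finding."""
    return {name: classify_prologue(pro) for name, pro in samples.items()}
```

On a real host the prologue bytes would come from reading the first few bytes of the export in the monitored process, which is what a user-mode integrity check or an EDR hook would do.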

Anti-VM Techniques

Arkanix applies the usual anti-VM detection techniques: it checks whether the machine has fewer than 2 cores and whether the system has less than 2 GB of RAM.

Then it queries HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0.

It checks whether the Identifier value contains one of the following strings:

VBOX
VMware
QEMU
Virtual

It also tries to open HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools.

If any hardware check fails (low CPU count or RAM), any registry string matches the blacklist, or the registry key VMware, Inc.\VMware Tools opens successfully, the function returns 1.

Next, Arkanix tries to open the Sandbox and VBoxGuest drivers, tries to load SbieDll.dll, and checks the hostname against a blacklist: “CUCKOO”, “ANALYSIS”, “VIRUS”, “MALWARE”.

It later performs the same validation on the current username using the same blacklist, with the additional values “admin” and “test”.

If the Sandbox or VBoxGuest driver exists, the Sandboxie DLL is successfully loaded, or the computer name contains “CUCKOO”, “MALWARE”, etc., the function exits with 1.

Then it checks whether it is being debugged using IsDebuggerPresent and CheckRemoteDebuggerPresent. If these APIs return zero (indicating no debugger is detected), the malware triggers a software breakpoint exception using DebugBreak() (opcode INT 3). This serves as a control-flow trap: in a normal environment, the exception is caught by the malware’s own Structured Exception Handler (SEH), which manually redirects the instruction pointer (RIP) to an xor al, al instruction, which zeroes AL (the low byte of EAX) and returns.

Next it scans the list of all processes and compares it with a list of debuggers, sniffers, and analysis tools; if it detects one of them, it returns 1:

procmon.exe
procmon64.exe
processhacker.exe
procexp.exe
procexp64.exe
wireshark.exe
fiddler.exe
charles.exe
ollydbg.exe
x64dbg.exe
x32dbg.exe
windbg.exe
ida.exe
ida64.exe
idaq.exe
idaq64.exe
ghidra.exe
dnspy.exe
ilspy.exe

Finally, it uses GetTickCount64 to record the time, sleeps for 1000 ms, and then calls GetTickCount64 again.

If the difference is less than 900 ms, it assumes the Sleep function was bypassed by a sandbox and returns 1.

It also performs the same test using CPU cycles/frequency; if the result is less than 0.9 seconds, it returns 1.
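As an added example (not code from the write-up), the checks above collapsed into a sandbox-hardening audit: give it a profile of your analysis VM and it reports which of Arkanix’s checks the VM would trip, so each artifact can be fixed before detonating the sample. The profile field names and case-insensitive matching are assumptions of the example, and the profile below is constructed.

```python
# Values the write-up reports Arkanix comparing against; case-insensitive
# matching is an assumption of this example.
SCSI_ID_MARKERS = ("VBOX", "VMware", "QEMU", "Virtual")
NAME_BLACKLIST = ("CUCKOO", "ANALYSIS", "VIRUS", "MALWARE")
USERNAME_EXTRA = ("admin", "test")
TOOL_PROCESSES = {
    "procmon.exe", "procmon64.exe", "processhacker.exe", "procexp.exe",
    "procexp64.exe", "wireshark.exe", "fiddler.exe", "charles.exe",
    "ollydbg.exe", "x64dbg.exe", "x32dbg.exe", "windbg.exe", "ida.exe",
    "ida64.exe", "idaq.exe", "idaq64.exe", "ghidra.exe", "dnspy.exe", "ilspy.exe",
}

def _contains_any(value, needles):
    return any(n.lower() in value.lower() for n in needles)

def tripped_checks(p: dict) -> list:
    """Names of the write-up's checks that host profile `p` would trip (empty
    list: the VM passes). `p` holds cores, ram_gb, scsi_identifier,
    vmware_tools_key, sandbox_driver, sbiedll, hostname, username, processes
    (image names) and sleep_elapsed_ms (GetTickCount64 delta around Sleep(1000))."""
    hits = []
    if p["cores"] < 2:
        hits.append("cpu-cores<2")
    if p["ram_gb"] < 2:
        hits.append("ram<2GB")
    if _contains_any(p["scsi_identifier"], SCSI_ID_MARKERS):
        hits.append("scsi-identifier")
    if p["vmware_tools_key"]:
        hits.append("vmware-tools-regkey")
    if p["sandbox_driver"]:
        hits.append("sandbox-or-vboxguest-driver")
    if p["sbiedll"]:
        hits.append("sbiedll-loadable")
    if _contains_any(p["hostname"], NAME_BLACKLIST):
        hits.append("hostname-blacklist")
    if _contains_any(p["username"], NAME_BLACKLIST + USERNAME_EXTRA):
        hits.append("username-blacklist")
    if {x.lower() for x in p["processes"]} & TOOL_PROCESSES:
        hits.append("analysis-tool-running")
    if p["sleep_elapsed_ms"] < 900:
        hits.append("sleep-skipped")
    return hits

# Constructed profile of a typical unhardened analysis VM (not a real host).
NAIVE_SANDBOX = {
    "cores": 1, "ram_gb": 1.5, "scsi_identifier": "VBOX HARDDISK",
    "vmware_tools_key": False, "sandbox_driver": True, "sbiedll": False,
    "hostname": "MALWARE-LAB01", "username": "test", "processes": {"x64dbg.exe"},
    "sleep_elapsed_ms": 12,
}
```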

Extracting Browsers Credentials

Arkanix targets a wide range of Chromium-based browsers to maximize credential theft and data collection. The supported browsers include:

  • Google Chrome
  • Microsoft Edge
  • Brave
  • Opera Stable
  • Opera GX
  • Opera One
  • Vivaldi
  • Epic Privacy Browser
  • Yandex Browser
  • CentBrowser
  • Coc Coc
  • UC Browser
  • Chromium
  • Iridium
  • Uran
  • 7Star Browser
  • Torch
  • Kometa
  • Orbitum
  • Sputnik
  • Amigo
  • Slimjet
  • Chrome SxS (Canary)

Beginning with Chrome version 127, Google introduced App-Bound Encryption (ABE), a security mechanism designed to ensure that sensitive browser data — such as cookies, session tokens, and stored credentials — can only be decrypted by the Chrome application itself. ABE binds Chrome’s encryption keys to the specific application instance, preventing external processes, malware, or forensic tools from decrypting or reusing the protected data.

Arkanix Stealer uses ChromElevator (Chrome App-Bound Encryption Decryption), a post-exploitation tool that bypasses Chromium’s App-Bound Encryption (ABE) by reflectively hollowing a suspended browser process and running a fileless payload inside it. This allows the stealer to leverage the legitimate browser’s own process context to perform decryption operations, effectively accessing data that is normally protected by ABE. The tool is embedded in Arkanix’s resources under the name BINARY.

ChromElevator only supports Chrome, Brave and Edge, so it won’t be able to extract passwords, cookies and payment data from the other browsers.

Arkanix passes ChromElevator a parameter specifying the browser and the output path. For example, when targeting Microsoft Edge:

C:\Users\M4lcode\AppData\Local\Temp\cl_<randomvalue>.exe\" edge --output-path \"C:\Users\M4lcode\AppData\Local\Temp\arkanix_sa1xVPfv\

Arkanix waits 60 seconds for the tool to extract data and then moves the extracted credentials from

C:\Users\M4lcode\AppData\Local\Temp\arkanix_sa1xVPfv\Edge\Default

to

C:\ArkanixData\Edge

It repeats this extraction workflow for every browser and then collects the remaining data (e.g., autofills).

Arkanix includes a fallback function that attempts to use COM and each browser’s Elevation Service (via their respective CLSIDs) to decrypt Chromium’s master key from the Local State file, then uses it to decrypt the AES‑GCM-encrypted credentials from the Login Data database. However, during dynamic analysis this function failed and didn’t extract data, indicating that this bypass method is ineffective, at least in newer browser versions.

Extracted cookies:

Extracted passwords:

Autofills:

Next, it constructs the path to \Local Extension Settings\ to target a list of high-value browser extensions, focusing on three categories:

Cryptocurrency wallets:

  • MetaMask
  • Phantom
  • Coinbase
  • Trust Wallet
  • Binance Chain
  • TronLink
  • Ronin Wallet
  • Exodus
  • Rabby
  • Core
  • OKX Wallet
  • Keplr
  • Solflare
  • Nami
  • Eternl

Password Managers:

  • LastPass
  • 1Password
  • Bitwarden
  • Dashlane
  • NordPass
  • Keeper
  • RoboForm

Two-factor authentication (2FA):

  • Authenticator
  • Authy
  • Google Authenticator

Games Extraction

Arkanix also targets multiple gaming clients, attempting to extract stored session tokens from platforms including:

  • Steam
  • Epic Games Launcher
  • Battle.net
  • Riot Games
  • Unreal Engine
  • Origin
  • Ubisoft Game Launcher
  • GOG.com

WiFi Credential Harvesting

Arkanix then uses the Windows WLAN APIs to enumerate all wireless interfaces, list every saved WiFi profile, and retrieve each profile’s XML configuration. It then parses the XML to extract the SSID and the associated security parameters.

To decrypt WiFi keys, Arkanix uses two functions:

  1. sub_1400AC55C converts the encoded keyMaterial into a binary blob.
  2. sub_1400AD04C calls CryptUnprotectData to decrypt the DPAPI‑protected WiFi password under the victim’s user context.

Targeting Discord Variants

Arkanix targets multiple Discord clients and modifications:

Discord Variants:

  • discord
  • discordcanary
  • discordptb
  • discorddevelopment
  • lightcord
  • discordmod
  • BetterDiscord
  • Vencord
  • GooseMod
  • EnhancedDiscord
  • DiscordInjector

Web-based Discord

  • Google Chrome
  • Microsoft Edge
  • Brave
  • Opera
  • Opera GX

It scans .ldb and .log (LevelDB database) files for the standard Discord token and the 2FA-enabled token, decrypts the token, and queries the Discord API endpoint /api/v9/users/@me to retrieve user information.

According to the G DATA blog, if self‑spreading is enabled, Arkanix can send itself to contacts and channels via Discord.

RDP Harvesting

Arkanix also scans the Desktop and Downloads folders for saved Remote Desktop Protocol (RDP) connection files (.rdp).

For every .rdp file found, it reads the content line-by-line and extracts key fields, including:

  • full address:s:
  • username:s:
  • password 51:b:
  • server port:i:

It then uses CryptUnprotectData to decrypt the password and saves all extracted fields in an rdp.json file.
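An added example, not code from the write-up: a parser for the four .rdp fields listed above and an audit that flags files carrying a saved password blob, so they can be removed from users’ Desktop and Downloads folders before a stealer harvests them. The sample files and the hex blob are constructed.

```python
# The .rdp fields the write-up says Arkanix extracts. "password 51:b:" carries a
# DPAPI-protected blob (hex) that exists only when credentials were saved.
WANTED = ("full address:s:", "username:s:", "password 51:b:", "server port:i:")


def parse_rdp(text: str) -> dict:
    """Parse `name:type:value` lines from an .rdp file and keep the WANTED ones.

    The type letter (s=string, i=integer, b=binary/hex) is dropped from the
    key, integers are converted, and the password blob is left untouched."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        for key in WANTED:
            if line.startswith(key):
                name, kind = key[:-3], key[-2]        # "server port", "i"
                value = line[len(key):]
                out[name] = int(value) if kind == "i" else value
    return out


def audit(files: dict) -> dict:
    """files: {path: content}. Report every .rdp file that embeds a saved
    password, the ones worth cleaning up before an infostealer finds them."""
    report = {}
    for path, content in files.items():
        fields = parse_rdp(content)
        if fields.get("password 51"):
            report[path] = {
                "host": fields.get("full address"),
                "port": fields.get("server port", 3389),
                "user": fields.get("username"),
            }
    return report


# Constructed .rdp contents (the hex blob is made up, not a real DPAPI blob).
SAMPLE_FILES = {
    r"C:\Users\victim\Desktop\jumphost.rdp": "\n".join([
        "screen mode id:i:2",
        "full address:s:jump.corp.example",
        "server port:i:3390",
        "username:s:CORP\\jdoe",
        "password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB00000000",
    ]),
    r"C:\Users\victim\Downloads\lab.rdp": "full address:s:lab.example\nusername:s:lab\n",
}
```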

Extracting System Information

After collecting the RDP data, the stealer proceeds to gather detailed information about the host system. The collected system details include:

  • HWID
  • Computer name
  • Username
  • IP Address
  • Operating System
  • CPU
  • GPU
  • RAM
  • Screen Resolution
  • Time Zone
  • Language
  • Antivirus
  • Administrator (YES OR NO)
  • Virtual Machine (YES OR NO)

Arkanix uses the capCreateCaptureWindowA API to capture a screenshot and saves it in the screenshots folder.

Exfiltration

Finally, the stealer bundles all collected information by compressing the entire C:\ArkanixData folder into %temp%\arkanix_data.zip. Once the archive is prepared, it exfiltrates the file via an HTTP POST request to:

https://arkanix[.]pw/api/upload/direct

To authenticate and tag the upload, the malware constructs custom HTTP headers:

  • User-Agent: ArkanixStealer/2.0
  • Content-Type: application/zip
  • X-Payload-ID: aLWDKwTA-lJQ14dahGg5Qw
  • X-User-ID: 60
  • X-Timestamp: 1765482649
  • X-Signature: f7d53884a35e5f5149ac4d4d2a2de75b15283edd43ec891e9eae05d194e02b1a — computed HMAC-SHA256 signature
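Detection logic for the exfiltration request described above, added here as an example and not part of the write-up: it scores each proxy log line against the C2 host, upload path, User-Agent, ZIP POST and custom X-* headers. The key=value log format and the severity rule are the example’s own, and the log lines are constructed.

```python
import re

# Indicators from the write-up's exfiltration section.
C2_HOST, C2_PATH, UA = "arkanix.pw", "/api/upload/direct", "ArkanixStealer/2.0"
CUSTOM_HEADERS = {"X-Payload-ID", "X-User-ID", "X-Timestamp", "X-Signature"}

# Constructed key=value proxy log lines (not from any real product or incident).
LOG_LINES = [
    'ts=1765482649 method=POST host=arkanix.pw path=/api/upload/direct '
    'ua="ArkanixStealer/2.0" ctype=application/zip '
    'hdrs=X-Payload-ID,X-User-ID,X-Timestamp,X-Signature bytes=483211',
    'ts=1765482650 method=GET host=example.org path=/index.html '
    'ua="Mozilla/5.0 (Windows NT 10.0)" ctype=- hdrs=- bytes=5120',
    'ts=1765482651 method=POST host=cdn.example.net path=/api/upload/direct '
    'ua="curl/8.4.0" ctype=application/zip hdrs=X-Timestamp,X-Signature bytes=9000',
]
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> dict:
    """key=value line -> dict; quotes are stripped and hdrs becomes a set."""
    ev = {k: v.strip('"') for k, v in FIELD.findall(line)}
    ev["hdrs"] = set(ev.get("hdrs", "-").split(",")) - {"-"}
    return ev

def reasons(ev: dict) -> list:
    """Arkanix exfil traits shown by one request. The user-agent and host are
    specific on their own; the path/zip and header traits need corroboration."""
    r = []
    if ev.get("ua") == UA:
        r.append("user-agent")
    if ev.get("host") == C2_HOST:
        r.append("c2-host")
    if (ev.get("method"), ev.get("path"), ev.get("ctype")) == ("POST", C2_PATH, "application/zip"):
        r.append("zip-post-upload-path")
    if len(ev["hdrs"] & CUSTOM_HEADERS) >= 3:   # three of the four X-* headers
        r.append("arkanix-headers")
    return r

def detect(lines=LOG_LINES) -> dict:
    """ts -> (severity, reasons) for each line showing at least one trait."""
    hits = {}
    for line in lines:
        ev = parse_line(line)
        r = reasons(ev)
        if r:
            strong = "user-agent" in r or "c2-host" in r or len(r) >= 2
            hits[ev["ts"]] = ("high" if strong else "low", r)
    return hits
```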

IOCs

Arkanix Stealer: 6960d27fea1f5b28565cd240977b531cc8a195188fc81fa24c924da4f59a1389

ChromElevator 99b8d3e04f6b16f3b79391360602ca28651c78a0db2f3868fec11eca71727a3d

C2: https://arkanix[.]pw/api/upload/direct

Origin server’s IP: 195.246.231[.]60

Secondary IP: 93.95.226[.]152

Dropped Files:
%temp%\cl_frAQBc8W.exe
%temp%\stealer_debug.txt
%temp%\stealer_log.txt
%temp%\upload_debug.txt
%temp%\signature_debug.txt
%temp%\stealer_final.txt
%temp%\arkanix_data.zip

References

– https://www.gdatasoftware.com/blog/2025/12/38306-arkanix-stealer
