StealC V2 – A Major Update to a Popular Infostealer


At the beginning of March 2025, the XSS forum user “plymouth” posted in their stealer thread about an upcoming major update to the infostealer. Finally, on 30th March, they posted the announcement and details of the StealC V2 release. According to the user, development of the second version took half a year and, in essence, it is entirely new software.

Me being me, I decided not to bother too much and, instead, just dump a machine translation of the user’s post, with some minor edits from my side. The screenshots of the panel are taken from the same post.

Screenshot from XSS forum with the post on the StealC update


Stealc_v2 release!

We are glad to present you a brand-new version of our stealer!
The development took almost half a year — this is a completely new software, not borrowing almost anything from the old versions of stealc.

This is a completely new code base, a completely new approach to stealc development in principle! The key changes in the new version are: fully server-side decryption of Chromium browsers, automatic brute forcing of crypto-plugins (only MetaMask is supported on the release so far) and a builder built right into the admin panel.

Short list of changes:

We have redesigned our software in such a way that you do not have to learn how it works — now everything is as simple, accessible and understandable as possible.

Now you have at your disposal a builder built right into the admin panel without any restrictions on the number of builds, a system of users and workers, automatic brute force of crypto-plugins right on your server.


A slightly less concise list of changes:

Build:
  • developed in C++ for X64 architecture, at the moment there is no support for X32 and at the moment we don’t see any sense in it (if necessary we can make a separate version for X32)
  • all data between builds and the server is encrypted using our own algorithm based on RC4.
  • new, more advanced HWID
  • correct RAM counting with rounding up to gigabytes
  • more detailed information about displays (listing the device name, graphics card used, resolution of each display, pixel density)
  • number of processes
  • installed software is now divided into all users and current user
  • desktop screenshot can now capture all monitors
  • all data is now decrypted on the server side, the build has almost no interaction with crypto API
  • full support for new chrome encryption (with v20 prefix)
  • completely new file collection code — now browser collection, plugin collection, wallet collection are unified with grabber and work with the same code — no more almost complete duplicates of functions
  • huge number of changes in function execution compared to the previous version of stealc
  • no memory leaks, build uses ~3-5 megabytes of RAM while running (not counting getting configuration file)
  • new plugin fetching, for example MetaMask now fetches correctly again, as it did before MetaMask updates
Web:
  • new web written from scratch specifically for the v2.0.0 update
  • added dark theme
  • user system (two roles — admin and worker)
  • a worker can be assigned a build and will have access to the logs from it
  • also worker will have access to the assigned build directly in the admin panel.
  • 2FA system — own QR generator, local verification of entered one-time codes without interaction with third-party servers
  • completely new, logical, Telegram bot: now it is enough to make one click on the link to bind your account.
  • Log parsing has been deprived of unused parameters, only useful ones remain, including search by successfully decrypted seeds
  • settings of grabber, loader, markers are now made as logically as possible (for example, for loader you can not enter country codes, but list them directly by name).
  • built-in admin panel builder
  • update system that does not require reinstallation of the admin panel
Gate:
  • List the gate changes separately, as the vast majority of decryption work now resides on the server
  • encryption of all traffic using a custom RC4-based algorithm
  • full decryption of chromium-encryption of v10 version
  • full decryption of chromium encryption version v20
  • decryption of chrome cookies directly from the database (as it was before chrome v128 update)
  • decrypt chromium passwords on the server side
  • credit card data decryption, as well as CVV2 decryption (carding is alive again?)
  • restore token decryption for google chrome
  • browser history decryption
  • automatic bruteforcing of crypto-plugins by password list from the log, saving seed phrases and wallet address to the log.
  • at the moment only MetaMask is available, we will add other plugins and wallets for automatic decryption in updates.

Screenshots

Dashboard

Logs

Dark mode

Extended log information

Plugin brute force results

Grabber rules creation

Loader rules creation

Marker rules creation

Block rules creation

User management

Build creation

User settings

Update installs


Pricing:

$300 / month
$700 / 3 months
$1000 / 6 months