All things infostealers. Week 15, 2025


A brief look at all things infostealers for week 15, 2025 (07.04.2025–13.04.2025). This week saw updates from the LummaC2, StealC and mac.c infostealers. I also grabbed some numbers from the marketplaces, plus some interesting news/articles.

Infostealer Updates

LummaC2

Note: The update posts are copy-pasted as is (and machine-translated if the post wasn’t available in English, possibly with some minor edits by me).

Update 8.04

  1. Added Bybit Wallet crypto extension collection
  2. Fixed a bug that could affect knock
  3. Fixed a problem when sending logs to Telegram could start to duplicate with a large stream
  4. Cleanup WD 10/11 + Cloud + Run-Time

Screenshot taken from XSS forum


StealC

Note: The update posts are copy-pasted as is (and machine-translated if the post wasn’t available in English, possibly with some minor edits by me).

After the release of stealc_v2 we began to write to us about buying the sources of the first version, we discussed in the team and decided “what good to waste” and decided to put the sources of the first version of stealc for sale.

We sell exclusively 5 copies in order not to cause chaos in the malware market.

What comes with the package:

  • full source code of stealc (v1.12.2 – the latest version in the v1 branch) in .sln project format for Visual Studio
  • web admin and installer
  • support on all questions, help in code integration into your project (or on the contrary we will help you to add your code inside stealc).
  • as a bonus telegram bot builder for fast builds (we will help in installation and customization)
  • separately we can discuss the possibility of integrating our method of decryption Google Chrome v130+, but for a fee (still sooner or later will reverse and there will be articles with parsing, and so at least have time to use the method and get live cookies, not pulled through debug chrome).

Price:
$3000/source code (yes, literally like the price of the stealc v1 lifetime)
For sale exclusively 5 copies
Agreed for escrow

Screenshot taken from XSS forum


Mac.c

Note: The update posts are copy-pasted as is (and machine-translated if the post wasn’t available in English, possibly with some minor edits by me).

Great news: we’ve released a major update in which we’ve rewritten the build, changed the method of communication with the panel, and improved everything possible to maximize the speed of our mac.c stealer. Also, the cherry on the cake is a replacement module for the original Ledger Live, which will help you phish seed phrases from your targets!

But what will definitely make you happy: we have moved the project to a faster server, which allows us to eliminate some maintenance costs, and as a consequence, reduce the subscription price. Now our product has become more affordable by 250$ the new monthly subscription price is 1000$!

List of changes and new features

  • We have performed a comprehensive optimization of the build, which resulted in increased performance, improved stability and reduced weight of the binary. We reworked some methods in the build code to improve stability and speed up performance. We managed to reduce the build weight from ~140kb to ~86kb without sacrificing performance and functionality.
  • A module replacing the Ledger Live app has been integrated, designed to phish seed-phrases from the hardware wallet of the target device. Sending seed-phrases to the buyer can be done in several ways: either the seed-phrase arrives on our dashboard, and you continue to work with it, or we will organize the seed-phrase transmission through your own server to give you more security and confidence.
  • Optimization of the panel was also carried out. All panel styles and scripts are now hosted on our server, which has improved the speed of the panel on the TOR network. Some pages have been compressed to speed up their display, and some panel functionality has been modified on the server side for overall panel optimization.

Screenshot from XSS forum


Marketplace Updates

This section provides some numbers taken from the marketplaces, which include numbers of victims based on stealers, top 5 countries, and the victim numbers in the countries of the Nordic region.

RussianMarket

Stealers by number of victims

| Stealer name | Number of victims |
|---|---|
| Lumma | 8,402,732 |
| RisePro | 1,429,530 |
| Vidar | 1,310,457 |
| StealC | 1,005,766 |
| RedLine | 789,847 |
| Raccoon | 329,986 |
| Rhadamanthys | 24,578 |
| Acreed | 18,542 |

Top 5 countries by number of victims

| Country | Number of victims |
|---|---|
| India | 1,360,934 |
| Brazil | 1,046,560 |
| Indonesia | 721,489 |
| Egypt | 660,209 |
| Pakistan | 651,380 |

Nordic region countries

| Country | Number of victims |
|---|---|
| Sweden | 22,036 |
| Denmark | 11,725 |
| Norway | 9,200 |
| Finland | 7,782 |
| Iceland | 1,129 |
| Greenland | 170 |
| Faroe | 110 |
| Åland | 18 |

ExodusMarket

Stealers by number of victims

| Stealer name | Number of victims |
|---|---|
| Lumma | 125,867 |
| RedLine | 118,312 |
| Vidar | 55 |
| Unknown | 10 |

Top 5 countries by number of victims

| Country | Number of victims |
|---|---|
| India | 37,647 |
| Brazil | 21,962 |
| Indonesia | 20,822 |
| Philippines | 15,544 |
| Pakistan | 13,766 |

Nordic region countries

| Country | Number of victims |
|---|---|
| Sweden | 663 |
| Norway | 428 |
| Denmark | 412 |
| Finland | 268 |
| Iceland | 46 |

Articles/News

I tried stealing my own browser cookies — here’s what I learned

  • https://dev.solita.fi/2025/04/08/cookie-security.html

UAC-0226 Deploys GIFTEDCROOK Stealer via Malicious Excel Files Targeting Ukraine

  • https://thehackernews.com/2025/04/uac-0226-deploys-giftedcrook-stealer.html

TROX Stealer: A deep dive into a new Malware as a Service (MaaS) attack campaign

  • https://sublime.security/blog/trox-stealer-a-deep-dive-into-a-new-malware-as-a-service-maas-attack-campaign/

Defending against Infostealer Epidemic -Part 1

  • https://erdalozkaya.com/defending-against-infostealer-epidemic/

From Shadow to Spotlight: The Evolution of LummaStealer and Its Hidden Secrets

  • https://www.cybereason.com/blog/threat-analysis-lummastealer-2.0