A brief look at all things infostealers for week 20, 2025 (12.05.2025–18.05.2025). This week saw updates from the LummaC2, MonsterV2 and KatzStealer infostealers. I also grabbed some numbers from marketplaces and some interesting news/articles.
Infostealer Updates
LummaC2
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn’t available in English, possibly with some minor edits by me).
Update 11.05
- Chromium data collection no longer requires closing the browser
- Cleaning WD 10/11 + Cloud + Run-Time
Screenshot from XSS forum
Update 15.05
- Added ability to specify country flag (%flag%) when knocking to Telegram
- Fixed a bug where worker link could allow downloading logs to team members after joining
- Cleaned WD 10/11 + Cloud
Screenshot from XSS forum
MonsterV2
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn’t available in English, possibly with some minor edits by me).
[+] Added domain search to the stealer panel
[=] Added progress bar when sending CMD/PowerShell
[=] Fixed fonts in some places of the panel
[=] Fixed incorrect frame color for some elements in the panel
[=] Refactoring and optimization of the build code
[=] Fixed potential buffer overflow on the build side when decrypting the response from the server
[=] Fixed a bug where the note input field would “stick” to the screen
[=] Fixed z-index in Telegram settings
[!] Rebuild required!
Screenshot from XSS forum
KatzStealer
Note: On 15 May 2025, a new user on XSS posted an advertisement for a new stealer. But pretty soon the thread was closed, as users providing services need to deposit funds to the forum wallet to prevent potential fraud cases. I doubt that KatzStealer is going to deposit 2k USD. Darkweb researcher and good friend of mine, Reza Abasi, has covered KatzStealer and discovered that it surfaced in the beginning of April 2025. Below is a copy-paste of the user’s thread from the XSS forum:
KatzStealer Description
! All CIS are fully blocked – nothing gets grabbed!
Quick Information About Stub:
- Katz Stealer written in C/ASM and Self hosted – ultra-lightweight stealer, flawless execution, zero dependencies, zero runtime requirements, All logs are secured via (Argon2 + SHA256).
- Average build size: 45–89KB (selected features effect executable size), average build time: 3–7 seconds.
- Steals +78 Chromium and Gecko browsers, Support new Cookie (v20) – Grab passwords, autofill, cookies (v20+), history, oAuth Tokens + CVV2 & More
- Fast low-level fully customizable sensitive file grabber (Extensions,Keywords)
- Wallet Extensions and Desktop Wallet ( Support Auto Seed Brute )
- Supports most Wallet Extensions Chrome and Gecko ( +32 Extensions )
- Supports most Mail Clients +8 ( Outlook, Foxmail, Thunderbird,& More )
- Supports most FTP Clients +20 ( FileZilla,WinSCP,FlashFXP, & More )
- Supports most Messenger ( 14+ platforms, including Discord App/Browser Token & Injection, Telegram tdata & More )
- Supports most VPN ( 18+ VPNs )
Quick Information About Web:
- Katz Web Panel – all logs are end-to-end encrypted with 2FA support, custom log filtering by geo, date, or type filter (Discord, Telegram, games, passwords, seed, cookies, wallets, FTP, etc.), delete and restore logs via Recycle Bin, ULP-powered instant search and export, Quick Interact for search bulk file/folder (Support bulk download), OAuth cookie refresher, folder/file note support, and custom alert templates with variable formatting for Discord/Telegram notifications. Fully customizable build panel with architecture selector, executable server location, self-melting, anti-VM, stealth mode, startup injection, fake error popup with hidden thread support & more
Prices:
We welcome work through a guarantor.
We accept most crypto, upon purchase, you’ll receive a one-time registration code; using it will generate your secure license key and unlock full access to the stealer and web panel.
$100 / month
$270 / three months
$480 / 6 months
Screenshot from XSS forum
Marketplace Updates
This section provides some numbers taken from the marketplaces: the number of victims per stealer, the top 5 countries by number of victims, and the victim numbers for the countries of the Nordic region.
RussianMarket
Stealers by number of victims
Stealer name | Number of victims |
---|---|
Lumma | 8,845,697 |
RisePro | 1,429,366 |
Vidar | 1,350,410 |
StealC | 1,005,385 |
RedLine | 789,623 |
Raccoon | 329,623 |
Acreed | 90,584 |
Rhadamanthys | 24,462 |
Top 5 countries by number of victims
Country | Number of victims |
---|---|
India | 1,430,498 |
Brazil | 1,085,614 |
Indonesia | 749,150 |
Egypt | 686,539 |
Pakistan | 677,609 |
Nordic region countries
Country | Number of victims |
---|---|
Sweden | 23,297 |
Denmark | 12,337 |
Norway | 9,748 |
Finland | 8,220 |
Iceland | 1,183 |
Greenland | 177 |
Faroe | 116 |
Åland | 20 |
ExodusMarket
Stealers by number of victims
Stealer name | Number of victims |
---|---|
Lumma | 347,115 |
RedLine | 34,981 |
Unknown | 13,631 |
StealC | 2,086 |
Top 5 countries by number of victims
Country | Number of victims |
---|---|
India | 42,500 |
Brazil | 31,210 |
Indonesia | 23,694 |
Philippines | 16,967 |
USA | 15,220 |
Nordic region countries
Country | Number of victims |
---|---|
Sweden | 950 |
Denmark | 540 |
Norway | 424 |
Finland | 344 |
Iceland | 61 |
Articles/News
DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt
- https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/
Chihuahua Stealer: A new Breed of Infostealer
- https://www.gdatasoftware.com/blog/2025/05/38199-chihuahua-infostealer