A brief look at all things infostealers for week 25, 2025 (16.06.2025–22.06.2025). This week saw updates to the MonsterV2, Bee Stealer, StealC, Mac.c, and XFiles stealers, and the emergence of 123 Stealer. All the screenshots of posts are taken from the XSS forum, unless stated otherwise. Grabbed some numbers from marketplaces and some interesting news/articles.
Infostealer Updates
MonsterV2
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn’t available in English, possibly with some minor edits by me)
[+] Added Windows Credential Manager data collection
[=] Optimized stealer log receiver
[=] Optimized build code, removed unnecessary copying
[=] Updated libraries for Daemon
[!] Rebuild required!
Bee Stealer
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn’t available in English, possibly with some minor edits by me)
update
fixed builder, added possibility to add your own proxies
now table is filtered by date
StealC Stealer
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn’t available in English, possibly with some minor edits by me)
Stealc v2.5.0 update
Build:
- improved app bound key decode, added key retrieval attempts
- reworked key transfer from chromium module to main process (named pipes were causing problems with some inject types)
- fixed and improved Brave (app bound encryption) collection
- fixed and improved Opera collection
- added generation of both x64 and x32 versions in admin panel
Admin-panel:
- now builder archives both x32 and x64 versions of builds at once
- improved search by dates, added possibility to select by hours and minutes (previously it was only by days)
- in the display window of decrypted mnemonic phrases, the list of eth-addresses and the list of added networks were moved to a new line.
- added upload parameter for search – allows to sort only uploaded logs
- improved decoded mnemonic phrases window – now debank links are generated immediately in the list of wallet addresses for quick jump to the balance
- improved free disk space calculation widget – now correctly displays free space
- added subscription expiration date to the administrator drop-down menu
- fixed unloading of large logs in one file (previously could cause 500 error)
Rest API:
We are opening access to Rest API for users! The admin area was originally written around the API, but by 2.0 we didn’t have time to test everything and prepare documentation. Now the documentation is available in the admin, as well as creating access_tokens to work with the API.
- Builder API (create, edit builds)
- Logs API (work with logs – search, download and all that is in the admin)
- Mass logs unloading API
Mac.c Stealer
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn’t available in English, possibly with some minor edits by me)
We are glad to present you a new major update: transforming our project panel, adding new browsers collection, Safari notes and cookies collection, xProtect protection mechanism, adding Trezor module to our already existing Ledger module, new file grabber and completely new, and most importantly clean, builds!
List of changes and new features
- Completely redesigned client build from scratch, which was worked on for over a month. The new approach to collecting information from devices provides more efficient and reliable data collection. An automatic build cleanup mechanism has been implemented, which allows creating unique builds capable of bypassing XProtect protection.
- Expanded browser support for data collection: Chrome, Yandex, Brave, Edge, Vivaldi, Opera, OperaGX, Chrome Beta, Chrome Canary, Chrome Dev, Arc, Coccoc, and Safari (cookie only) are now supported.
- To the already existing Ledger module, the Trezor module has been added, which are bundled. Note that Ledger and Trezor modules are sold separately for a one-time payment of $1000. Improved operation of the replacement modules: replacement is seamless, even when the original application is open, without notifications or permission requests from the user.
- Completely rewritten the file grabber, which can now be activated in the builder panel. Note that disabling the file grabber also disables Safari’s collection of notes and cookies – keep this in mind when creating builds.
Change in subscription price
Due to the expansion of the functionality and improvement of the product quality, the monthly subscription price has been increased to $1500. To celebrate the release of the update there is a special offer: until June 27, 2025 (inclusive) the subscription is available at the price of $1000.
XFiles Spyware
Note: The update posts are copy-pasted as is (and machine-translated if the post wasn’t available in English, possibly with some minor edits by me)
Update stealer 3.22.0
- Added the ability to filter logs that have already been downloaded by you, regardless of whether they are on your disk or not
- Added button to download multiple logs as 1 archive
- Added the ability to select logs by pages (the selection is not removed when moving to another page)
- Unfortunately we no longer support the powershell command.
123 Stealer
Made a separate post. Click-click.
Marketplace Updates
This section provides some numbers taken from the marketplaces: the number of victims per stealer, the top 5 countries by number of victims, and the victim numbers for the countries of the Nordic region.
RussianMarket
Stealers by number of victims
Stealer name | Number of victims |
---|---|
Lumma | 9,113,196 |
RisePro | 1,429,183 |
Vidar | 1,384,667 |
StealC | 1,025,794 |
RedLine | 789,420 |
Raccoon | 329,362 |
Acreed | 232,259 |
Rhadamanthys | 24,426 |
Top 5 countries by number of victims
Country | Number of victims |
---|---|
India | 1,491,022 |
Brazil | 1,115,255 |
Indonesia | 772,626 |
Egypt | 707,265 |
Pakistan | 694,001 |
Nordic region countries
Country | Number of victims |
---|---|
Sweden | 24,366 |
Denmark | 13,006 |
Norway | 10,228 |
Finland | 8,623 |
Iceland | 1,225 |
Greenland | 182 |
Faroe | 117 |
Åland | 21 |
ExodusMarket
Stealers by number of victims
Stealer name | Number of victims |
---|---|
Lumma | 455,679 |
RedLine | 35,101 |
Rhadamanthys | 29,777 |
Unknown | 13,626 |
StealC | 8,126 |
Vidar | 4,695 |
Top 5 countries by number of victims
Country | Number of victims |
---|---|
India | 58,692 |
Brazil | 40,923 |
Indonesia | 32,952 |
Philippines | 20,751 |
USA | 20,163 |
Nordic region countries
Country | Number of victims |
---|---|
Sweden | 1,424 |
Denmark | 825 |
Norway | 627 |
Finland | 481 |
Iceland | 76 |
Articles/News
Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation
- https://unit42.paloaltonetworks.com/kimjongrat-stealer-variant-powershell/
Lumma Stealer meets Forensics
- https://nexusfuzzy.medium.com/lumma-stealer-meets-forensics-baa59c9b9817
Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication
- https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication
Security Bite: Infostealer malware spikes 28% among Mac users, says Jamf
- https://9to5mac.com/2025/06/17/security-bite-infostealer-malware-spikes-28-among-mac-users-says-jamf/