All things infostealers. Week 3, 2026


A brief look at all things infostealers for week 3, 2026 (12.01.2026 – 18.01.2026). Updates in the Misericorde, StealC, Xillen and Void stealers. I also grabbed some numbers from the marketplaces and a few interesting news items and articles for you to read.

Infostealer Updates

Misericorde Stealer

Hotfix has just been released.

The list of changes:

Client changes –

  • Updated decryption method for chromium browsers

Screenshot taken from BHF forum


StealC Stealer

Stealc v2.11.0 update

Build:

  • Major cleanup of scantime/runtime code

Database:

  • Opera GX collection restored
  • Sigma AI Browser collection added
  • Preferences file collection for Brave Wallet added

Admin panel:

  • Delete button added to delete logs based on a query on the Logs page (similar to the Download and Search buttons)
  • Added the ability to select a larger number of logs per page (now you can choose between 10, 25, 50, 100, 200, 500, 1000 logs per page)
  • Fixed icons for previously added browsers

Screenshot from XSS forum


Xillen Stealer

Minor Update V5.2.2

Full recode in C, clean code, all bloat removed. Post-morph & obfuscation size ~168 KB.

What’s done:
• Full browser collection (cookies, passwords, autofills)
• Game clients, VPN clients
• Wallet bruteforce — full BETA release. Smart password extraction from victim’s logs + extended Top-150 dictionary
• 600+ wallets (desktop & extensions)
• Full file grabber by keywords
• Sending to up to 10 Telegram bots (different chat IDs & tokens)
• Improved clipper
• C2 panels optimized — build compilation in 10-15 seconds
• Fixed Steam, tdata Telegram, Epic Games collection
• Everything in memory
• Fixed cookie collection for Firefox and all its forks
• Completely rewritten private morpher
• Significantly improved anti-detection
• Fixed panel customization

Note: Chromium decryption may have intermittent issues due to its update. First run always successful, subsequent runs may require fixes. Engineers are on it.

Next update (V5.2.3) this month:
• Full HVNC (currently under recode)
• Build merging
• Personal C2 deployment
• Pricing plans (including Team)
• Migration to more powerful server

Our clients receive earlier and more detailed updates.

Screenshot taken from BHF forum

Hotfix 5.2.2a: Chrome 144 Bypass + Bot Update + Price Drop

Due to Chrome updating to version 144.0.7559.60, we’ve released an urgent fix.

What’s fixed:

1. Full Chrome 144 Adaptation:

  • Fixed password and cookie collection for the latest browser update.
  • Bypassed new data locking mechanisms.
  • Collection works stably, including on repeated runs.

2. Telegram Bot Improvements (by client requests):

  • Build Separation: Build with bots [Bot1;Bot2;Bot3] → logs only to specified bots. Build without bots → logs to user bots (as before).
  • Message Signatures: Build: MyBuild [VIP] (ID: 123)
  • Clean Isolation: Each client sees only logs from their own builds.

3. New “FOREVER” Plan Price:
$1500 (was $3000)

What “FOREVER” includes:
• Full lifetime access
• All future updates (including HVNC in 5.2.3)
• Priority support

Full 5.2.3 update with HVNC and new features coming soon.

Screenshot taken from BHF forum


The Void Stealer

Scheduled cleanup:

Approximately 7 detections removed:

Avast – Win64:MalwareX-gen
AVG – Win64:MalwareX-gen
Arcabit – Trojan.Tedy.DCFC41
G Data – Gen:Variant.Tedy.851009
F-Secure – TR/W64.Agent
Norman – Win64:MalwareX-gen
Windef – WallStealer

Cleaned. Proxies replaced. Old builds are working.

In update 144, Chrome changed the method of storing the v20 key.

The software functionality has been updated to work with new versions of Chrome.

Screenshot from XSS forum


Marketplace Updates

This section provides numbers taken from the marketplaces: victim counts per stealer, the top 5 countries by number of victims, and victim counts for the countries of the Nordic region. In addition, see the CryptPad spreadsheet for more meaningless numbers.

Marketplace Updates Spreadsheet 2026

The spreadsheet below contains meaningless numbers taken in 2025:

Marketplace Updates Spreadsheet 2025

Russian Market

Stealers by number of victims

| Stealer name | Number of victims |
|---|---|
| Lumma | 7,012,162 |
| Vidar | 933,720 |
| Acreed | 842,133 |
| StealC | 806,359 |
| Rhadamanthys | 532,276 |
| RedLine | 192,109 |
| RisePro | 145,525 |
| Raccoon | 5,075 |

Top 5 countries by number of victims

| Country | Number of victims |
|---|---|
| India | 1,213,892 |
| Brazil | 750,667 |
| Indonesia | 570,673 |
| Egypt | 490,615 |
| Pakistan | 417,904 |

Nordic region countries

| Country | Number of victims |
|---|---|
| Sweden | 23,198 |
| Denmark | 12,714 |
| Norway | 10,442 |
| Finland | 8,552 |
| Iceland | 1,147 |
| Greenland | 158 |
| Faroe | 111 |
| Åland | 24 |

Exodus Market

Stealers by number of victims

| Stealer name | Number of victims |
|---|---|
| StealC | 9,565 |
| Vidar | 9,051 |
| Lumma | 6,641 |
| Rhadamanthys | 6,407 |
| RedLine | 3 |

Top 5 countries by number of victims

| Country | Number of victims |
|---|---|
| India | 4,276 |
| Brazil | 2,274 |
| Turkey | 1,813 |
| USA | 1,736 |
| Bangladesh | 1,723 |

Nordic region countries

| Country | Number of victims |
|---|---|
| Sweden | 94 |
| Denmark | 47 |
| Norway | 46 |
| Finland | 37 |
| Iceland | 5 |

Articles/News

TamperedChef serves bad ads, with infostealers as the main course

  • https://www.sophos.com/en-us/blog/tamperedchef-serves-bad-ads-with-infostealers-as-the-main-course

New Infostealer Campaign Targets Users via Spoofed Software Installers

  • https://blog.virustotal.com/2026/01/malicious-infostealer-january-26.html

Infection repeatedly adds scheduled tasks and increases traffic to the same C2 domain

  • https://isc.sans.edu/diary/32628

UNO reverse card: stealing cookies from cookie stealers

  • https://www.cyberark.com/resources/threat-research-blog/uno-reverse-card-stealing-cookies-from-cookie-stealers
