All things infostealers. Week 4, 2026


A brief look at all things infostealers for week 4, 2026 (19.01.2026 – 25.01.2026). Updates in the StealC, Xillen and Void stealers. Oh, and Bluefox Stealer is back! I also grabbed some numbers from the marketplaces and a few interesting news items/articles for you to read.

Infostealer Updates

BLUEFOX Stealer

I am building a client base for work in the new year, and the number of places is limited.
I am looking for long-term cooperation and reliable partners.
Suitable for both mass distribution and targeted work.
There is a recommended crypto service for my product.
All information is in the first post of the thread.

Update v3.1.1

  1. Added Google cookie restoration from browser tokens to the admin panel
  2. Updated support for Edge and Brave to the latest versions
  3. Added support for beta versions of Chrome and its build variants

Screenshot taken from XSS forum


StealC Stealer

Note: Remember last week's CyberArk article about exploiting an XSS vulnerability in the StealC web panel? The StealC seller on the XSS forum has now responded to it.

About the recent news about the “hack” of the panel

News began to spread about the alleged hack of the stealc user panel. At first, we didn’t see the point in writing anything, but not everyone is attentive, and in order to prevent further spread of fake news, we are writing this message.

The news is completely irrelevant. The article refers to admin panel 2.4.4 (which was released back in May 2025 and was replaced by version 2.5 in June 2025). There was also a very controversial situation where access was gained not to the admin panel via XSS, but to the server via SSH (subsequently, we encountered a couple more times that researchers are not particularly shy about using illegal tools for such performances).
We caught that hack in real time thanks to a user who wrote to us (admin panels are located on client servers, there is no common admin panel, etc.), which allowed us to release a fix.

We don’t know why the researchers took six months to do this; apparently, they had nothing to write about in January, so they remembered a case from mid-2025 in which they had success with one (there is a theory that they were able to get into three admin panels, but we didn’t find any traces of them at the time).

Also in December, we recorded attempts by two users to “break into” the admin panel using similar XSS attacks. Thanks to users who reported the attacks in real time, we observed attempts by the researcher to make the XSS work, but this time we didn’t let them off the hook and spammed their backend with some not-so-censored messages to accept cookies 🙂

As for the current version (2.11.0, released in January 2026), it does not have such vulnerabilities. In fact, the researchers responsible for this article were essentially testers, for which we are very grateful to them.

Apparently, the guys remembered the case from May 2025, tried to pull off a similar trick in December, and when they found out that it had been fixed six months ago, they published an article.

Screenshot from XSS forum

Stealc v2.12.0 update

Build:

  • Updated implant for Google Chrome, added full support for Google Chrome v144+ versions

Admin panel:

  • Security improvements for logging to the Logs page
  • Many minor code changes

Screenshot from XSS forum


Xillen Stealer

Update 5.2.2b: Defender protection + password-protected ZIP files

What’s new:

  1. Windows Defender cleanup:
    Improved build stealth for current signatures.
    Direct Defender detection significantly reduced.
  2. Automatic password-protected packaging:
    All builds are now packaged in a password-protected ZIP archive to bypass antivirus software and ensure safe downloading.
    Password = Your build name (e.g., MyBuild.zip -> password MyBuild).

Reminder:
Detection cleaning is performed every Friday. If Defender or another AV (CrowdStrike, etc.) detects a build, write to support immediately and specify:

  • Windows version
  • What exactly is detected (Defender / etc.)
  • Context of detection

We clean Defender immediately. Don’t forget to use external cryptors for maximum stealth.

Screenshot taken from XSS forum
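The Xillen post above relies on a property of password-protected ZIPs: the contents are encrypted, but the central directory (entry names, sizes, flags) is not, so a mail gateway or EDR can still see that an archive is encrypted and that it carries executable-looking entries without knowing the password. The following is an added example written for this page, not code from the post or from any vendor; the archive bytes, entry names and payload are constructed (Python's zipfile cannot write encrypted archives, so the encryption flag bit is patched in manually).

```python
import io
import struct
import zipfile

# ZIP general-purpose bit 0 marks an entry as encrypted (PKWARE APPNOTE 4.4.4).
ENCRYPTED_FLAG = 0x0001
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi")


def build_sample_zip(encrypted: bool) -> bytes:
    """Construct a small in-memory ZIP for testing (constructed sample).
    For the 'encrypted' variant the flag word is patched in every local header
    (PK\\x03\\x04, flags at offset 6) and central header (PK\\x01\\x02, offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in (("MyBuild.exe", b"MZ" + b"\x00" * 62),   # not a real PE
                              ("readme.txt", b"constructed sample")):
            info = zipfile.ZipInfo(name, date_time=(2026, 1, 20, 0, 0, 0))
            zf.writestr(info, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", data, pos + off)
                struct.pack_into("<H", data, pos + off, flags | ENCRYPTED_FLAG)
                pos = data.find(sig, pos + 4)
    return bytes(data)


def encrypted_entries(data: bytes) -> list:
    """Names of entries whose central-directory flags mark them encrypted.
    The central directory is stored in cleartext, so no password is needed
    to read names and flags; only the file contents are protected."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]


def flag_encrypted_executables(data: bytes) -> list:
    """Entries that are both encrypted and named like executables. An encrypted
    archive delivering an .exe cannot be content-scanned, which is exactly why
    it should be quarantined for review rather than passed through."""
    return [n for n in encrypted_entries(data) if n.lower().endswith(EXECUTABLE_EXTS)]
```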


The Void Stealer

Update 1.2!

Software cleanup

Significant software performance improvements. Thanks to multithreading, we’ve significantly increased data collection speed on machines.

Screenshot from XSS forum


Marketplace Updates

This section provides some numbers taken from the marketplaces: victim counts per stealer, the top 5 countries by number of victims, and victim counts for the Nordic countries. In addition, see the CryptPad spreadsheet for more meaningless numbers.

Marketplace Updates Spreadsheet 2026

The spreadsheet below contains the meaningless numbers collected in 2025:

Marketplace Updates Spreadsheet 2025

Russian Market

Stealers by number of victims

  Stealer name      Number of victims
  Lumma                     7,011,391
  Vidar                       971,613
  Acreed                      841,772
  StealC                      806,320
  Rhadamanthys                542,732
  RedLine                     192,107
  RisePro                     145,523
  Raccoon                       5,074

Top 5 countries by number of victims

  Country           Number of victims
  India                     1,218,232
  Brazil                      755,362
  Indonesia                   572,636
  Egypt                       491,299
  Pakistan                    418,567

Nordic region countries

  Country           Number of victims
  Sweden                       23,469
  Denmark                      12,863
  Norway                       10,560
  Finland                       8,653
  Iceland                       1,151
  Greenland                       158
  Faroe                           111
  Åland                            24

Exodus Market

The marketplace was down this week, so there are no updated numbers from Exodus Market.

Stealers by number of victims

  Stealer name      Number of victims
  StealC                          n/a
  Vidar                           n/a
  Lumma                           n/a
  Rhadamanthys                    n/a
  RedLine                         n/a

Top 5 countries by number of victims

  Country           Number of victims
  India                           n/a
  Brazil                          n/a
  Turkey                          n/a
  USA                             n/a
  Bangladesh                      n/a

Nordic region countries

  Country           Number of victims
  Sweden                          n/a
  Denmark                         n/a
  Norway                          n/a
  Finland                         n/a
  Iceland                         n/a

Articles/News

SOLYXIMMORTAL: Python Malware Analysis

  • https://www.cyfirma.com/research/solyximmortal-python-malware-analysis/

From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers

  • https://www.trendmicro.com/en_us/research/26/a/analysis-of-the-evelyn-stealer-campaign.html

MacSync Stealer Returns: SEO Poisoning and Fake GitHub Repositories Target macOS Users

  • https://daylight.ai/blog/macsync-stealer-returns-seo-poisoning

Watering Hole Attack Targets EmEditor Users with Information-Stealing Malware

  • https://www.trendmicro.com/en_us/research/26/a/watering-hole-attack-targets-emeditor-users.html

Don’t Judge a PNG by Its Header: PURELOGS Infostealer Analysis

  • https://www.swisspost-cybersecurity.ch/news/purelogs-infostealer-analysis-dont-judge-a-png-by-its-header