A brief look at all things infostealers for the week 8, 2026 (23.02.2026 01.03.2026). Updates in The Void, Xillen, Weapon and Santa stealers. Grabbed some numbers from the Russian Market (seems that Exodus Market is no more) and an article for you to read.
Infostealer Updates
Storm Stealer
Made a separate post about the Storm Stealer, a new infostealer on the market.
The Void Stealer
Mini Update
- Complete replacement of proxy servers for better feedback
- A small, handy program has been created for more convenient installation of Private Proxy servers for clients (Enter ssh and domain, and the proxy server will install itself without the need for terminal work)
Screenshot taken from XSS forum
Xillen Stealer
XILLEN STEALER V5.2.3 — full update. We’re releasing it a little early. HVNC tomorrow or the day after tomorrow.
BUILD:
Chrome 144+ — server-side decryption, two branches per version, everything in memory
├ Gecko — decryption rewritten, +28 browsers added to the build
├ Private morpher 65–70% uniqueness (ssdeep)
├ Size optimized, compatible with packers
├ No plaintext in binary, strings only in runtime
├ Per-build AES traffic
├ Protection: Sleep-hook, VM-detect, blacklist DLL, breakpoint
├ AntiVM — CAPTCHA in sandbox
├ C2 Resolver when domain is banned
├ Google/MS tokens + OAuth2, only live in reports
└ Cleaning binary from detects
PANEL:
Pump — pumping .exe 1–50 MB
├ Smart Loader [BETA] — your URL, payload in the build
├ Dynamic Config without recompilation, Anti-CIS always on
├ Empties: deletion, filter, flag on the build
├ Workers from the configurator, isolation by builds, invites
├ API and invites (Team) from the panel and bot
├ Telegram: formats and templates, ZIP summaries, Team bot survives restart
└ 8 filter presets, API docs in RU/EN
RATES:
BASIC ($350/month)
All collection modules: passwords, cookies, wallets (600+), Google/MS tokens, Telegram, Steam/Epic/Battle.net, VPN, file grabber
├ Crypto Clipper (BTC/ETH/SOL/TON/TRX/XMR + seed)
├ Wallet Bruteforce (from victim logs + Top-150)
├ Smart Loader [BETA] — bake payload into build with your URL
├ Dynamic config — all parameters without recompilation, custom modules
├ File pumping (Pump) — increase .exe to the desired size (1–50 MB)
├ Filters for empties — do not accept / delete / do not upload empty logs
├ 1 log dump per week
├ Up to 3 Telegram bots per build (HTML/TXT/ZIP/JSON formats, templates)
├ Up to 3 builds (configuration templates)
└ Anti-CIS geoblock (always active, cannot be disabled)
PRO ($450/month)
Everything from Basic
├ HVNC — remote desktop without the victim’s knowledge
├ 3 log dumps per week
├ Up to 5 Telegram bots per build
├ Up to 5 builds (configuration templates)
├ Up to 5 Worker links for workers
├ Advanced filters: search by IP and ranges, applications, wallets, tags, builds
├ Quick date buttons (24h / 7d / 30d)
├ Hide empty / duplicates / downloaded
└ Disable log reception on a specific build
TEAM ($750/month)
Everything from PRO
├ Unlimited log dumps
├ Up to 10 Telegram bots per build
├ Up to 10 workers — data isolation by build, your own login pages via invite codes
├ TG bot command management interface — logs, statistics, builds, workers, invites directly from Telegram (inline buttons, everything in 2 clicks)
├ API access — integration with your tools (keys from the panel, documentation /pages/api-docs)
├ Up to 10 invite codes for workers
├ RBAC roles: admin, worker, traffer, checker — flexible separation of rights
└ Priority support
Next up: HVNC, then a new panel design, a couple more minor parts — we’ll release an update in the coming days.
Screenshot taken from XSS forum
Weapon Stealer
- The panel has been rewritten from scratch.
- The stealer has been rewritten from scratch, with support added for the latest versions of Chrome.
- New socks, with almost no impact on speed.
- Dynamic profiles, http polling by default.
- Tasks have been redesigned, with filters added by domain.
- New builder, local/remote install options for msi, as well as compilation into a ps1 file.
Screenshot taken from XSS forum
Santa Stealer
SantaStealer Update! 🎅
• 11 New Features · 14 Improvements · 5 Bug Fixes – (Only notable updates included)
——— NEW FEATURES ———
1.1 – Added option to save multiple Telegram bot tokens. Logs can now be sent through multiple Telegram bot’s based on the trafficTag/watermark.
1.2 – Added option to ‘notifications’ tab allowing you to customize log file name. (Supports {hwid}, {country}, {ip}, {watermark}, {time}, {cookies}, {passwords}, {wallet_count})
1.3 – Added option to favorite/unfavorite selected log’s
1.4 – Added {steamid} value to ‘log details message’ available values. Outputs list of all ‘SteamID64’ values from log
1.5 – Added Electrum, Atomic Wallet & Powershell(history) directories to default configuration
1.6 – Added option to make SantaStealer generate a WARP account if the machine cannot connect to the C2. Sends data over generated proxy instead of directly. Increases knock rate if domain is blocked, USE WITH CAUTION!
1.7 – Module ‘tdata’ now takes tdata from Kotatogram. Increased search depth and search aggression for portable Telegram installs.
1.8 – Module ‘History’ now takes Local Storage and Session Storage. Filters irrelevant values.
1.9 – Removed ‘Opera Wallet” & “Authenticator” from extension wallet ID list
2.1 – Option to select the fields to include in log CSV export
2.2 – Updated ABE cookie decryption to support Chromium’s new V24 database schema for Chrome and Edge version 145
——— IMRPVEMENTS ———
2.3 – Refresh button on ‘logs’ tab is now visible without needing filters displayed.
2.4 – Module ‘Watermark’ no longer uses default watermark when disabled.
2.5 – Module ‘Software’ no longer appends “- <num>’ to end of Software.txt and Processes.txt
2.6 – Build config JSON file no longer has default values when no value was set when exported.
2.7 – Clipper module configuration from previous build now automatically loaded.
2.8 – Improved cookie format, fixed issue with google cookies being blocked. Cookies now use WebKit expiries instead of UNIX.
2.9 – Application data now saved to ‘/Applications’ instead of ‘/Important Files’. Documents now saved to ‘/FileGrabber/<EXTENSION>/’ instead of ‘/Documents’ & ‘/Crypto Files’
3.1 – General QOL & design improvements to Notifications, Traffic, Features, Shop & Updates tabs.
3.2 – Remake of Features tab, now contains full description of every module, cleaner file tree.
3.3 – Bulk log download now packs all files into a single .ZIP instead of downloading each file singularly
3.4 – Updated {passwords} & {cookies} values to show the real count instead of the number of lines in Brute.txt/Domains.txt
3.5 – /Logs tab path now supports parameters, easier to automate.
3.6 – Added all missing Browser, Application & Wallet icons shown at logs tab.
3.7 – Options on the ‘notifications’ tab now automatically save
——— FIXES ———
4.1 – Fixed issue with files taken by ‘notes’ module having gibberish file names when containing non standard characters
4.2 – Fixed an issue with clipper reducing knock when some DLL’s where missing from target machine
4.3 – Fixed issue with ‘System’ module causing crashes on machines with large monitors
4.4 – Fixed issue with file waiting for fake error to be dismissed before continuing.
4.5 – Fixed issue with ‘Applications’ & ‘Extensions” module skipping files when locked.
Screenshot taken from Santa Stealer’s Telegram channel
Marketplace Updates
This section provides some numbers taken from the marketplaces, which include numbers of victims based on stealers, top 5 countries, the victim numbers in the countries of the Nordic region. In addition, see the CryptPad spreadsheet for more meaningless numbers.
Marketplace Updates Spreadsheet 2026
The below spreadsheet contains meaningless numbers taken in 2025:
Marketplace Updates Spreadsheet 2025
Russian Market
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 7,009,106 |
| Vidar | 1,094,977 |
| Acreed | 974,129 |
| StealC | 809,017 |
| Rhadamanthys | 604,288 |
| RedLine | 192,083 |
| RisePro | 145,513 |
| Raccoon | 5,058 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | 1,259,230 |
| Brazil | 775,671 |
| Indonesia | 592,095 |
| Egypt | 497,641 |
| Pakistan | 429,921 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | 24,396 |
| Denmark | 13,365 |
| Norway | 10,986 |
| Finland | 9,264 |
| Iceland | 1,193 |
| Greenland | 167 |
| Faroe | 112 |
| Åland | 24 |
Articles/News
Understanding the DarkCloud Infostealer
- https://flashpoint.io/blog/understanding-darkcloud-infostealer/