Kinda Blog by CryptoLek 🍉 🌻

All things infostealers. Week 7, 2026

A brief look at all things infostealers for the week 7, 2026 (09.02.2026 –15.02.2026). Updates in Bluefox, Aura and StealC stealers. Grabbed some numbers from marketplaces and few interesting news/articles for you to read.

Infostealer Updates

BLUEFOX Stealer

Update v3.1.3

  1. Added Telegram notifications for new logs, support for multiple bots and chats, customizable HTML message templates, and support for splitting into builds/tags.
  2. Cleaned up the build and morpher, removed Avast/AVG detection in runtime.

Screenshot taken from XSS forum

AURA Stealer

Dear friends!
The moment we’ve all been waiting for has finally arrived!
We are happy to announce that we are introducing the x64 version of the build! 🎉

We are switching to x64 for several important reasons:

  • Many cryptos are moving away from x86 support. Some don’t have it at all, while others have very mediocre support that doesn’t provide stable results like x64 does.
  • x86 code is further away from the system and easier to detect due to the WoW64 layer. With x64, there is more freedom to bypass security systems.

What has changed?
Data collection algorithms have been improved, and changes have also been made to low-level implementations.
For example, bypasses and obfuscation methods required in WoW64, such as Heavens Gate, are no longer needed and have been replaced with Nativex64 implementations.
The code works closer to the system where necessary, with calls going directly to the kernel, bypassing system libraries.
But that’s not all. There are big plans ahead for the development of this branch of builds and the introduction of new technologies to achieve the best results.

Tests were conducted with the EuroTeam service, which yielded positive results. The build is well encrypted, works without failures, and is not detected.
Scan – https[://] kleenscan[.]com/scan_result/61433bd2c4cb02658beb7561eaec23db01900fb37d08c8608bb2c22526c5845e

In honor of this event, we are announcing a week of discounts until February 20, 2026 inclusive!
10% discount on all our tariffs and 10% on the encryption of our files at EuroTeam!
Don’t miss your chance to purchase and encrypt Aura at a great price!

Screenshot taken from XSS forum

StealC Stealer

Stealc v2.20.0 update

!To install this update, you need to reinstall the admin panel!

Due to the increasing number of cases of exploitation of various fairly complex XSS vulnerabilities, we have redesigned the functionality of receiving logs on the server, as well as everything related to the display of data from logs.

Unfortunately, open source code simplifies auditing, but also lowers the threshold for finding vulnerabilities, so the risk of detection and exploitation of flaws cannot be completely eliminated.

Gate:

  • Improved request processing security, stricter rules for requests.

Admin panel:

  • Strict CSP (Content Security Policy) implemented for reliable protection against XSS.
  • Authorization reworked.
  • Authorization verification code in the admin panel reworked.
  • Added the ability to edit markers in the admin panel.
  • The with mnemonic parameter in log search now searches by log content rather than log status (previously, it might not find a log with a seed phrase if the checker managed to analyze the log before the final upload; the log was given the status upload, and the mnemonic status was removed).
  • The MetaMask checker has been redesigned for greater security and speed.

Build:

  • Updated implant for Microsoft Edge and Brave, added full support for IElevator2 (similar to the latest Google Chrome updates)
  • Outlook build returned and reworked
  • FoxMail build added
  • FileZilla build added
  • WinSCP build added

Database:

  • Removed legacy tables that are no longer used in the code

Screenshot from XSS forum

Marketplace Updates

This section provides some numbers taken from the marketplaces, which include numbers of victims based on stealers, top 5 countries, the victim numbers in the countries of the Nordic region. In addition, see the CryptPad spreadsheet for more meaningless numbers.

Marketplace Updates Spreadsheet 2026

The below spreadsheet contains meaningless numbers taken in 2025:

Marketplace Updates Spreadsheet 2025

Russian Market

Stealers by number of victims
Stealer nameNumber of victims
Lumma7,010,215
Vidar1,047,451
Acreed925,133
StealC806,733
Rhadamanthys578,376
RedLine192,096
RisePro145,521
Raccoon5,065
Top 5 countries by number of victims
CountryNumber of victims
India1,242,177
Brazil768,446
Indonesia585,666
Egypt495,112
Pakistan425,209
Nordic region countries
CountryNumber of victims
Sweden24,025
Denmark13,160
Norway10,799
Finland8,906
Iceland1,172
Greenland161
Faroe112
Åland24

Exodus Market

The marketplace was down, therefore no updates from the ExodusMarket.

Stealers by number of victims
Stealer nameNumber of victims
StealC
Vidar
Lumma
Rhadamanthys
RedLine
Top 5 countries by number of victims
CountryNumber of victims
India
Brazil
Turkey
USA
Bangladesh
Nordic region countries
CountryNumber of victims
Sweden
Denmark
Norway
Finland
Iceland

Articles/News

Tech impersonators: ClickFix and MacOS infostealers

  • https://securitylabs.datadoghq.com/articles/tech-impersonators-clickfix-and-macos-infostealers/

How ClickFix Opens the Door to Stealthy StealC Information Stealer

  • https://www.levelblue.com/blogs/spiderlabs-blog/how-clickfix-opens-the-door-to-stealthy-stealc-information-stealer

Claude LLM artifacts abused to push Mac infostealers in ClickFix attack

  • https://www.bleepingcomputer.com/news/security/claude-llm-artifacts-abused-to-push-mac-infostealers-in-clickfix-attack/

LummaStealer Is Getting a Second Life Alongside CastleLoader

  • https://www.bitdefender.com/en-us/blog/labs/lummastealer-second-life-castleloader

Tracking DigitStealer: How Operator Patterns Exposed C2 Infrastructure

  • https://cyberandramen.net/2026/02/16/tracking-digitstealer-how-operator-patterns-exposed-c2-infrastructure/

CryptoLek

, , , , , , ,