Arkanix Stealer pops up as short-lived AI info-stealer experiment

Published: February 22, 2026 at 10:33 AM EST

Source: Bleeping Computer


Introduction

An information‑stealing malware operation named Arkanix Stealer, promoted on multiple dark‑web forums toward the end of 2025, was likely developed as an AI‑assisted experiment. The project included a control panel and a Discord server for communication with users, but the author took them down without notification just two months after the operation began.

Arkanix offered many of the standard data‑stealing features that cybercriminals are used to, along with a modular architecture and anti‑analysis features.

Kaspersky researchers analyzed the Arkanix stealer and found clues indicating LLM‑assisted development, which “might have drastically reduced development time and costs.”

Signs of LLM traces in coding – Source: Kaspersky

The researchers believe that Arkanix was a short‑lived project for quick financial gains, which makes detection and tracking much more difficult.

Arkanix appears online

Arkanix started being promoted on hacker forums in October 2025, offering two tiers to potential customers:

  • Basic – a Python‑based implementation.
  • Premium – a native C++ payload protected with VMProtect, integrating AV evasion and wallet injection features.

Arkanix promoted on hacker forums – Source: Kaspersky

The developer set up a Discord server that acted as a community hub for updates, feature feedback, and support. A referral program was also established, granting referrers an extra free hour of premium access while new customers received one week of free premium access.

Referral options from within the dashboard – Source: Kaspersky

Data‑stealing capabilities

Arkanix can collect system information and steal browser-stored data (history, autofill data, cookies, passwords) as well as cryptocurrency wallet data from 22 browsers. Kaspersky researchers note that it can also extract OAuth2 tokens from Chromium‑based browsers.

Additional capabilities include:

  • Stealing data from Telegram and Discord, spreading via the Discord API, and sending messages to victims’ friends/channels.
  • Targeting credentials for Mullvad, NordVPN, ExpressVPN, and ProtonVPN.
  • Archiving files from the local filesystem for asynchronous exfiltration.
  • Modules downloadable from the C2 server, such as a Chrome grabber, a wallet patcher for Exodus or Atomic, a screenshot tool, HVNC, and stealers for FileZilla and Steam.

Partial list of targeted crypto extensions – Source: Kaspersky

Premium native C++ version

The premium native C++ version adds:

  • RDP credential theft, anti‑sandbox and anti‑debugging checks, WinAPI‑powered screen capturing.
  • Targeting of Epic Games, Battle.net, Riot, Unreal Engine, Ubisoft Connect, and GOG.
  • Delivery of the ChromElevator post‑exploitation tool, which injects into suspended browser processes to bypass Google’s App‑Bound Encryption (ABE) and steal user credentials.

The purpose of the Arkanix stealer experiment remains unclear; it may have been an attempt to evaluate how LLM assistance can accelerate malware development and feature delivery. Kaspersky assesses that Arkanix is “more of a public software product than a shady stealer.”

The researchers provide a comprehensive list of indicators of compromise (IoCs), including file hashes, domains, and IP addresses.
