Arkanix Stealer shows that AI can democratize malware

Published · 6 min read · 288 reads

In late 2025 a new information-stealing malware project drew the attention of researchers: Arkanix Stealer appeared on underground forums. On the surface it was a product built for customers: it offered a control panel, communication through a Discord server and a two-tier pricing structure (a basic option written in Python and a native "premium" version in C++ protected with VMProtect), but it lasted only a couple of months before its author shut everything down without notice. That short lifespan and the fingerprints found by analysts point to more than a traditional criminal campaign: it is very likely that Arkanix was, at least in part, the result of a development experiment assisted by language models. The finding highlights how AI tools are accelerating and cheapening the creation of malicious code.

The technical analysis carried out by Kaspersky researchers provides the most complete body of information on Arkanix. In their report they detail both the malware's capabilities and the clues that suggest large language models were involved in generating the code, documentation and project artifacts. You can consult this analysis directly in Kaspersky's public report to review the indicators of compromise and the technical description: Kaspersky - Arkanix Stealer.

Image generated with AI.

As for its functions, Arkanix incorporated the set of capabilities typical of modern "info-stealers": collection of system information, extraction of credentials and data stored in browsers (including history, autofill data, cookies and passwords) and theft of cryptocurrency wallets and wallet extensions across dozens of browsers. Researchers also point to the ability to capture OAuth2 tokens in Chromium-based browsers, a technique that enables persistent access to accounts without the need for traditional passwords. In addition, the Trojan targeted credentials for well-known VPN services, could compress and exfiltrate system files and had modules downloadable from its command and control server: from grabbers for Chrome and for wallets such as Exodus to tools for taking screenshots, hidden VNC remote access (HVNC) and stealers for clients such as FileZilla or Steam.

The premium version added more advanced features: RDP credential theft, anti-sandbox and anti-debugging checks, WinAPI screen capture and the ability to target gaming platforms and authentication services such as Epic Games, Battle.net, Riot, Unreal Engine, Ubisoft Connect and GOG. It also included a post-exploitation tool called ChromeElevator, designed to inject into suspended browser processes in order to bypass protections such as Google's App-Bound Encryption (ABE) and thus gain unauthorized access to credentials. The VMProtect packing was meant to complicate static analysis and delay detection by security products.
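The ChromeElevator behaviour described above (a browser process started suspended by a non-browser parent, then injected into) leaves a recognizable trail in endpoint telemetry. The following detection sketch is an added example, not code from the Kaspersky report or from Arkanix; it assumes Sysmon-style records (Event ID 1 = ProcessCreate, Event ID 8 = CreateRemoteThread, with their standard field names), constructed sample events, and a hypothetical parent name `update.exe`. Because Sysmon does not record the CREATE_SUSPENDED flag, the heuristic keys on an unexpected parent that both spawns a browser and later creates a remote thread inside it.

```python
"""Correlate ProcessCreate (1) and CreateRemoteThread (8) events to flag a
non-browser parent that spawns a browser and then injects a thread into it."""

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Parents that legitimately launch browsers; assumption, tune per environment.
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "brave.exe", "services.exe"}


def _basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_browser_injection(events):
    """Return a list of (parent_name, parent_pid, browser_pid) alerts."""
    spawned = {}   # browser pid -> (parent name, parent pid), unexpected parents only
    alerts = []
    for ev in events:
        if ev["EventID"] == 1 and _basename(ev["Image"]) in BROWSERS:
            parent = _basename(ev["ParentImage"])
            if parent not in EXPECTED_PARENTS:
                spawned[ev["ProcessId"]] = (parent, ev["ParentProcessId"])
        elif ev["EventID"] == 8:
            hit = spawned.get(ev["TargetProcessId"])
            # Only the same process that launched the browser counts as the injector.
            if hit and hit[1] == ev["SourceProcessId"]:
                alerts.append((hit[0], hit[1], ev["TargetProcessId"]))
    return alerts


# Constructed sample telemetry: one benign launch from explorer.exe, one suspicious
# launch from a temp-folder binary followed by a remote thread into that browser.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ProcessId": 4100, "ParentProcessId": 1200},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "ProcessId": 5200, "ParentProcessId": 5100},
    {"EventID": 8, "SourceProcessId": 5100, "TargetProcessId": 5200,
     "SourceImage": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

if __name__ == "__main__":
    for parent, ppid, bpid in find_browser_injection(SAMPLE_EVENTS):
        print(f"ALERT: {parent} (pid {ppid}) spawned and injected into browser pid {bpid}")
```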

Beyond its technical capabilities, the project behaved as a commercial product: there was a dashboard with affiliate options and referral rewards (an incentive to accelerate distribution), and the Discord server served as a space for community updates, support and feedback. But that public ecosystem also ended abruptly: the author removed the panel and closed the channel without any announcement, suggesting that the initiative was intentionally ephemeral. According to the researchers themselves, this complicates detection and monitoring, because developers can launch, monetize and disappear quickly, leaving little traceability.

One of the most worrying findings of the study is the possibility that Arkanix's development relied on language models to speed up programming, code generation and the writing of documentation. Analysts identified patterns and traces in the code and in the artifacts that match LLM-assisted processes, which, in their assessment, may have significantly reduced the time and cost of creation. If criminals succeed in incorporating AI to automate parts of the development cycle, we face a potential democratization of malware: actors with lower technical skills could assemble sophisticated tools for quick profit.

This phenomenon is not limited to Arkanix. The security community has long warned about the dual use of artificial intelligence tools and how the availability of programming assistants can transform the threat landscape. Frameworks and recommendations for managing AI risk, such as the work of national and international agencies on AI governance, become more important as offensive applications in the field of cybersecurity are identified. In this regard, coordinated approaches that integrate technical standards, security practices and collaboration between the private sector and the authorities are essential; organizations such as NIST have published resources to guide the responsible development of AI: NIST - AI resources.

Image generated with AI.

For defenders and ordinary users, the lessons are practical and urgent. Keeping software and browsers up to date, enabling multifactor authentication wherever possible, using password managers instead of storing credentials in plain text or browser forms, and reviewing issued tokens and active sessions are measures that narrow the window of opportunity for actors who exploit compromised credentials. On the business side, monitoring for abnormal activity on endpoints, network segmentation and strict policies on the use of APIs and automations (especially where tokens with broad permissions are handled) help to mitigate the impact of this type of tool.

Finally, Arkanix illustrates two interrelated trends: on the one hand, the professionalization and commercialization of criminal software, which long ago adopted "as-a-service" business models, and on the other, the arrival of AI as a capability multiplier for developers and criminals alike. Technical reports such as the one published by Kaspersky not only document the specific threat but also provide indicators of compromise (hashes, domains and IP addresses) that allow response teams and security tools to identify and block variants. Security teams should use these resources to strengthen internal detections and rules; the Kaspersky report is a good starting point for those who need technical details: Kaspersky - Arkanix report.

If one idea is clear after the Arkanix episode, it is that the speed and ease with which harmful tools can be developed will be determining factors in global risk. The security community, technology providers and public institutions must not only improve technical defences but also work on policies and practices that reduce the abuse of general-purpose technologies. Meanwhile, users and administrators must assume that the threat keeps evolving and apply basic prevention measures rigorously: digital hygiene and good practice remain the most effective barriers against this type of malware.
