XSS failure in StealC exposes cookies and sessions and unmasks the mysterious YouTubeTA

Published | 6 min read

A security flaw in the web panel used by operators of the information stealer known as StealC has allowed security researchers to collect valuable information about one of the actors that uses that malware. Thanks to a cross-site scripting (XSS) vulnerability in the management interface, the researchers were able to obtain system fingerprints, monitor active sessions and even exfiltrate cookies from the stealer's own infrastructure.

StealC is an information stealer that appeared in early 2023 and has been marketed under a malware-as-a-service (MaaS) model, which makes it easy for third parties without much technical knowledge to use it in mass campaigns. Among its distribution vectors, the use of YouTube to promote supposedly "cracked" versions of popular software stands out (a mechanism some researchers have called the YouTube Ghost Network), although it has also been seen spreading through malicious files that impersonated legitimate resources and through social engineering techniques such as FileFix-style lures.


Over time StealC gained new features: integration with Telegram bots for notifications, improvements in payload delivery and a redesigned administration panel, a version that came to be called StealC V2. Weeks later, the panel's source code was publicly leaked, which gave the analyst community the opportunity to study how the infrastructure operates and to extract indicators present on operators' systems, including hardware data, geographic traces and session cookies.

The specific technical details of the XSS vulnerability have not been made public, both to keep the developers from closing the hole immediately and to keep other malicious actors from reusing the leaked panel to build their own malware services. It is worth recalling, however, that XSS vulnerabilities are client-side injections that allow an attacker to run malicious JavaScript in a victim's browser when a vulnerable page processes input without validating or encoding it correctly. For a technical and practical explanation of XSS, Mozilla's documentation is a good starting point: MDN Web Docs on XSS; for an accessible overview of this type of attack, the Fortinet glossary may be useful: Fortinet - Cross-Site Scripting.

One of the ironies highlighted by the researchers is that, since cookie theft is StealC's core business, one might expect its operators to apply basic protections to their own session cookies, for example the HttpOnly flag, which makes them harder to steal through XSS. The absence of such elementary measures made it easier for the analysts to extract cookies from the compromised panel itself; to understand what the HttpOnly flag provides, see this practical guide: BrowserStack on HttpOnly.
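The two weaknesses just described, untrusted data rendered without encoding and a session cookie issued without HttpOnly, side by side with their hardened forms. This is an added illustration in plain Node.js, not code from the leaked StealC panel; the row-rendering functions, the cookie helpers and the sample entry are all assumptions constructed for the example.

```javascript
// Added example, not code from the leaked StealC panel: a panel page that
// renders fields reported by infected hosts, and the session cookie it sets.

// HTML-encode the characters that let text break out of an element or attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: fields reported by an infected host are inserted
// verbatim, so any markup they carry runs in the panel operator's browser.
function renderRowVulnerable(entry) {
  return `<tr><td>${entry.hostname}</td><td>${entry.country}</td></tr>`;
}

// Hardened rendering: every interpolated value is encoded before insertion.
function renderRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.hostname)}</td><td>${escapeHtml(entry.country)}</td></tr>`;
}

// Session cookie without HttpOnly, the weakness the article points to: any
// script running in the page can read it through document.cookie.
function sessionCookieWeak(sessionId) {
  return `session=${sessionId}; Path=/`;
}

// Hardened cookie: HttpOnly hides it from scripts, Secure limits it to HTTPS,
// SameSite=Strict stops the browser sending it on cross-site requests.
function sessionCookieHardened(sessionId) {
  return `session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Returns the attribute names of a Set-Cookie value, lower-cased, so a check
// can confirm that HttpOnly is actually present on an issued cookie.
function cookieAttributes(setCookie) {
  return setCookie.split(";").slice(1).map((a) => a.trim().split("=")[0].toLowerCase());
}

// Constructed sample: a hostname field carrying markup, as a stealer log might.
const sampleEntry = { hostname: "<script>alert(1)</script>", country: "FR" };

console.log(renderRowVulnerable(sampleEntry));
console.log(renderRowSafe(sampleEntry));
console.log(cookieAttributes(sessionCookieHardened("example-id")));
```

The same attribute check is a quick way to audit any application's Set-Cookie headers for the HttpOnly, Secure and SameSite flags.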

The analysis also made it possible to profile a StealC client that the researchers identified as "YouTubeTA" (for YouTube Threat Actor). This actor is said to have used the video platform intensively to spread fraudulent installers promising cracks for applications such as Adobe Photoshop and After Effects. According to the data collected, their campaigns produced thousands of records that together contained hundreds of thousands of credentials and tens of millions of cookies. Although most of these cookies appear to correspond to tracking mechanisms or other low-sensitivity cookies, the volume and variety of stolen data led to real YouTube account takeovers, which in turn were used to amplify the distribution of the malware itself in a vicious circle.

The researchers also documented the use of fake CAPTCHA lures and other ClickFix-style deception methods to attract victims, indicating that StealC's distribution is not limited to links in video descriptions. The panel was observed to support creating multiple users with different roles, and in the specific case of YouTubeTA only one administrator appeared. Analysis of the technical environment associated with that administrator pointed to a machine with an Apple M3 processor and language settings in English and Russian.

In an operational security lapse, the actor did not connect to the panel through a VPN during a period in July 2025, which revealed a real IP address belonging to a Ukrainian provider known as TRK Cable TV. This leak allowed analysts to place the operator geographically: it is probably a lone actor operating from a region of Eastern Europe with frequent use of Russian.

Beyond the particulars of this case, the findings offer a strategic lesson about the MaaS ecosystem: on the one hand, it makes it easy for actors with few resources to launch large-scale operations quickly; on the other, if the developers of that malware neglect good security practices in their own tools, they end up exposed to the same risks they inflict on their victims. On this point, the authors of the report note that the weak cookie protection and the quality of the panel code allowed a significant amount of information about StealC's clients to be gathered, a path that researchers and authorities could use to identify other malicious operators.


For users and companies, the lesson is twofold: first, be suspicious of downloads that promise "cracked" software and prefer official sources; second, protect accounts with measures such as multi-factor authentication and regularly review active sessions and authorized devices. For security professionals and law enforcement, the case shows that analyzing leaked malicious infrastructure can reveal both operational data and human errors that help map a threat.

For the technical report behind these conclusions, see the analysis published by CyberArk: CyberArk - One Reverse Card, and for more context on the autopsy of version 2 of the panel, the Lumma Labs write-up is enlightening: Lumma Labs - Autopsy of a failed stealer. Leaked code and samples are also available in malware analysis repositories such as Abuse.ch, which can be useful for researchers.

In short, the StealC incident illustrates how the same infrastructure designed to loot data can become a source of information for defenders when its operators make security mistakes. And remember: behind many large-scale attacks there are often human and design failures that, properly exploited by the security community, can help mitigate future campaigns.
