New Arkanix stealer blends rapid Python harvesting with stealthier C++ payloads

A newly uncovered infostealer, suspected to be built with the help of a large language model, is targeting victims with Python and C++ variants, each tailored for a different stage of data theft. Kaspersky researchers discovered a stealer dubbed “Arkanix,” which is capable of harvesting credentials, browser data, cryptocurrency, and banking assets from infected machines.

“It collects a vast amount of information, including highly sensitive personal data,” Kaspersky researchers said in a Securelist blog post. “While being quite functional, it contains probable traces of LLM-assisted development, which suggests that such assistance might have drastically reduced development time and costs.”

Arkanix operates a MaaS model, allowing malicious actors to buy access to the malware as well as a control panel featuring configurable payloads and statistics. Turning to AI assistance, researchers noted, signals that the attackers are after a one-shot campaign for quick financial gains rather than a long-running infection.

A heavily marketed dual-language malware

One of the key aspects of Arkanix is its dual-language design, which allows its subscribers to target both Python and C++-based environments. The Python implementation is easier to modify and rapidly iterate, while the C++ build is more focused on performance, stealth, and stronger resistance to analysis.

After the initial infection, which the researchers could not observe directly but assessed with high confidence to be phishing, the Python loader is fetched from an actor-controlled endpoint and produces a configurable implant, with the default configuration predefined within the script file. Subscribers can modify the feature list from the control panel, and the stealer can dynamically update its features by making GET requests to Arkanix’s command-and-control (C2) server.

The native (C++) version of the stealer also uses a designated domain as its C2, although some of the test samples collected used a Discord bot instead. Additionally, it includes extensive logging for debugging and implements anti-analysis countermeasures, such as checking that the application is not running inside a sandbox or under a debugger.

The disclosure noted heavy promotion of the stealer in underground spaces, using extensive marketing materials, feature lists, and supporting infrastructure. While not unheard of for MaaS models, such overt marketing of the malware aligns with the researchers’ view of the campaign as a one-off operation aimed at a quick turnaround.

But some parts of the analysis suggest otherwise.

The stealer employs a broad data-theft toolkit

The researchers noted that the Python implementation acts as a wide-net data harvester. It collects system information, extracts browser-stored data, and pulls details from communication platforms, including Telegram and Discord. Additional modules target VPN configurations, retrieve selected files from the host, and can deliver other payloads, suggesting the Python build is designed to gather a comprehensive snapshot of a victim machine while enabling flexible follow-up actions.

By contrast, the C++ variant concentrates on assets that enable persistence, lateral movement, or monetization beyond simple credential theft. The researchers found capabilities related to remote desktop protocol (RDP) connections, the collection of gaming-related files, and screen capture functionality. It also includes a post-exploitation browser data extractor, “ChromElevator.”

While the Python version aligns with the researchers’ theory of a grab-and-run approach, the C++ version does hint at plans for persistence. The disclosure added a list of indicators of compromise (IOCs), including file hashes, IPs, and domains, to support detection efforts.
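As an added illustration of how a defender would put an indicator list like the one in the disclosure to work, the script below loads a small set of file hashes, IPs and domains and scans log records for hits. This is example code written for this page, not code from Kaspersky or from the report; every indicator value and log line in it is a constructed placeholder (the 64-character hash is not a real Arkanix digest, and the IP and domain are reserved example ranges), the log format is invented for the example, and it assumes the file hashes are SHA-256.

```python
"""IoC matcher: added example, not from the Kaspersky report.

Loads a plain-text indicator list (file hashes, IPs, domains) and scans
simple log records for hits. All indicator values and log lines below
are constructed placeholders, not real Arkanix IoCs.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class IocSet:
    sha256: set = field(default_factory=set)   # lowercase hex digests
    ips: set = field(default_factory=set)      # normalised IPv4/IPv6 strings
    domains: set = field(default_factory=set)  # lowercase, no trailing dot

    @classmethod
    def from_lines(cls, lines):
        """Parse one indicator per line ('#' starts a comment); the
        indicator type is inferred from its shape."""
        ioc = cls()
        for raw in lines:
            value = raw.split("#", 1)[0].strip()
            if not value:
                continue
            if re.fullmatch(r"[0-9a-fA-F]{64}", value):   # assumed SHA-256
                ioc.sha256.add(value.lower())
                continue
            try:
                ioc.ips.add(str(ipaddress.ip_address(value)))
                continue
            except ValueError:
                pass
            ioc.domains.add(value.lower().rstrip("."))
        return ioc

    def domain_hit(self, host):
        """True for a listed domain or any subdomain of it (case-insensitive)."""
        host = host.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in self.domains)


# Constructed line-oriented log format for this example:
#   <ts> DNS q=<host> | <ts> CONN dst=<ip>:<port> | <ts> FILE sha256=<hex> path=<p>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>DNS|CONN|FILE)\s+(?P<body>.*)$")


def scan(lines, ioc):
    """Return (timestamp, indicator type, matched value) for every hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unknown record shape; a real pipeline would count these
        ts, kind, body = m.group("ts"), m.group("kind"), m.group("body")
        fields = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
        if kind == "DNS" and ioc.domain_hit(fields.get("q", "")):
            hits.append((ts, "domain", fields["q"]))
        elif kind == "CONN":
            dst_ip = fields.get("dst", "").rsplit(":", 1)[0]
            if dst_ip in ioc.ips:
                hits.append((ts, "ip", dst_ip))
        elif kind == "FILE":
            digest = fields.get("sha256", "").lower()
            if digest in ioc.sha256:
                hits.append((ts, "sha256", digest))
    return hits


# Constructed placeholder indicators and log lines (none are real IoCs).
PLACEHOLDER_SHA256 = "a" * 64
SAMPLE_IOCS = [
    "# placeholder indicators, constructed for this example",
    PLACEHOLDER_SHA256,
    "203.0.113.10",
    "c2.example-placeholder.test",
]
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z DNS q=update.c2.example-placeholder.test",
    "2024-01-01T10:00:01Z CONN dst=203.0.113.10:443",
    "2024-01-01T10:00:02Z CONN dst=198.51.100.7:443",
    f"2024-01-01T10:00:03Z FILE sha256={PLACEHOLDER_SHA256.upper()} "
    "path=C:/Users/u/AppData/Local/Temp/loader.py",
    "2024-01-01T10:00:04Z DNS q=www.example.com",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, IocSet.from_lines(SAMPLE_IOCS)):
        print(*hit)
```

Matching subdomains of a listed domain matters because C2 infrastructure is often addressed through hostnames under a registered domain; hashes and hostnames are normalised to lowercase so that case differences in logs do not cause misses.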
