
Hoplon InfoSec
13 Jun, 2026
· Sold as malware-as-a-service for $250/month, letting low-skill attackers run pro-level operations
· Targets 210+ apps across 9 categories: browsers, password managers, crypto wallets, FTP clients, email clients
· Steals data from 6 dedicated 2FA browser extensions, which can bypass password resets and defeat MFA recovery
· Uses DLL sideloading via signed installers, so Windows trusts a malicious DLL loaded alongside a legitimate app
· A malicious DLL padded to over 130 MB and disguised as an NVIDIA library, since many antivirus engines skip large files
· Payload is encrypted and regenerated for every build, which evades static analysis and breaks signature detection.
· The developer claims a 99% evasion rate, and BlackFog confirmed both test samples passed initial VirusTotal scans clean.
· Premium tier at $500/month adds HVNC, giving attackers direct control of a victim's hidden desktop.
· Includes a built-in TOR tunnel and AES-256 encrypted build downloads, features hidden in the panel but not advertised in sales copy.
· Comes with a refund policy if a build gets flagged, marketed like legitimate commercial software
· One infected machine yielded 55 passwords, 4717 cookies, 719 autofill entries, 2 credit cards, and 1 crypto wallet.
· Best defense combines anti-data-exfiltration controls, phishing-resistant MFA, and advanced EDR to block theft at the endpoint rather than relying only on file scanning.
Picture this. Somewhere in the world right now, someone with almost no technical background is sitting at their laptop. They don't know how to write code. They've never reverse-engineered anything. But in the next ten minutes, they're going to launch an attack capable of stealing passwords, bypassing two-factor authentication, draining crypto wallets, and quietly watching everything happening on a victim's screen.
How? They paid 250 dollars.
That's the world security researchers at BlackFog described when they published their findings on June 11, 2026, about a new piece of malware called OnyxC2. And honestly, once you understand how it works, it's hard not to feel a little uneasy about where cybercrime is heading.
OnyxC2 is what's called an infostealer. Its entire job is to quietly sit on a victim's computer and harvest anything valuable: saved passwords, browser cookies, autofill data, crypto wallet files, email credentials, and more. Nothing new there. Infostealers have been around for years.
What makes OnyxC2 different is how it's packaged and sold. It's not a tool a hacker builds for themselves. It's rented out as malware-as-a-service, often shortened to MaaS, the same way you'd subscribe to Netflix or a project management app. There's a web dashboard. There's a payload builder where you customize your malware with a few clicks. There's tiered pricing. There's even a refund policy if your malware gets flagged by antivirus software.
Let that sink in for a second. A piece of malware comes with a money-back guarantee.
BlackFog's research team discovered OnyxC2, obtained live builds, ran them in sandbox environments to see exactly what they do, and confirmed that the tool actively reaches out to its infrastructure.
What they found was concerning on multiple levels, not just because of what the malware steals but because of how confidently it's being marketed and how well it avoids detection.
If you want to understand why security teams are paying attention to this one, look at the numbers. OnyxC2 reaches 37 Chromium-based browsers and 8 Gecko-based browsers, plus 95 Chromium and 14 Gecko extensions, including 6 dedicated two-factor authentication tools.
Read that last part again. Six dedicated 2FA extensions. That's not an accident or an afterthought. That's a deliberate design choice, because attackers know that even if someone's password gets compromised, a properly set up 2FA system should still keep them locked out. OnyxC2 is built specifically to defeat that safety net.
And it doesn't stop at browsers. The stealer also covers 5 password managers, 17 cryptocurrency wallets, 11 FTP clients, and 5 email clients.
Think about what that combination means in practice:
· Password managers hold the keys to someone's entire digital life in one place.
· Crypto wallets mean direct financial theft; no middleman is needed.
· FTP clients are often used by businesses, not just individuals, which means this isn't just a "personal device" problem.
· Email clients give attackers a foothold for business email compromise, where they can impersonate someone internally.
This is a tool built for both personal accounts and corporate systems. It doesn't pick a lane.
Numbers and categories are one thing, but seeing what actually happened to a real infected machine hits differently. According to BlackFog's research, one infected machine shown in the panel had already surrendered 55 saved passwords, 4,717 cookies, 719 autofill entries, credit card data, and a crypto wallet, all from a single host.
That's not a typo. Over four thousand cookies from one machine. That kind of haul can unlock banking systems, business accounts, and cloud services in one shot.
Here's why cookies matter so much, and it's something a lot of people don't think about. Even if you change your password the moment you suspect something's wrong, stolen session cookies can sometimes let an attacker stay logged into your accounts as if nothing happened. The password reset doesn't always slam the door shut.
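The reason a password reset does not always end the session is that many applications check only that a cookie exists and has not expired, never whether it predates the reset. The following is an added example, not code from BlackFog's report or from any product named here: a minimal server-side session store that binds every session to a per-user "generation" counter and bumps that counter on reset, so a cookie copied off the disk before the reset stops working the moment the reset happens. The user names, passphrases and in-memory stores are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stores; a real service would back these with a database.
USERS = {}     # username -> {"pw_hash": bytes, "salt": bytes, "session_generation": int}
SESSIONS = {}  # session id (the cookie value) -> {"user": str, "generation": int, "issued": float}

SESSION_TTL_SECONDS = 8 * 3600


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {
        "pw_hash": _hash_password(password, salt),
        "salt": salt,
        "session_generation": 0,  # bumped on every password reset
    }


def login(username: str, password: str) -> Optional[str]:
    """Verify the password and mint a session cookie tied to the current generation."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {
        "user": username,
        "generation": user["session_generation"],
        "issued": time.time(),
    }
    return session_id


def is_session_valid(session_id: str) -> bool:
    """What the server checks on every request that presents a session cookie."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    if time.time() - session["issued"] > SESSION_TTL_SECONDS:
        return False
    user = USERS.get(session["user"])
    if user is None:
        return False
    # A cookie stolen before the reset still carries the old generation number,
    # so it stops matching as soon as the reset increments the counter.
    return session["generation"] == user["session_generation"]


def reset_password(username: str, new_password: str) -> None:
    """Change the password and revoke every session issued before this moment."""
    user = USERS[username]
    user["salt"] = os.urandom(16)
    user["pw_hash"] = _hash_password(new_password, user["salt"])
    user["session_generation"] += 1


if __name__ == "__main__":
    create_user("alice", "correct horse battery")
    stolen_cookie = login("alice", "correct horse battery")
    print("before reset, stolen cookie valid:", is_session_valid(stolen_cookie))
    reset_password("alice", "a brand new passphrase")
    print("after reset, stolen cookie valid:", is_session_valid(stolen_cookie))
```

The generation counter is cheaper than walking the session table to delete entries one by one, and it also covers sessions stored on other nodes that the reset handler cannot see. The same counter can be bumped from a "sign out everywhere" button or by an incident responder who suspects an infostealer has already collected the cookie jar.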
| Feature | OnyxC2 | Vidar | LummaC2 | RisePro |
|---|---|---|---|---|
| Starting Price | $250/month | ~$200/month | $250/month | $120/month |
| Apps Targeted | 210+ across 9 categories | Broad harvesting | Crypto-focused | Modular add-ons |
| Dedicated 2FA Extension Theft | Yes, 6 extensions | Some MFA seed theft | No | No |
| HVNC (remote desktop control) | Yes, Premium tier | No | No | No |
| Built-in TOR Tunnel | Yes | No | No | No |
| Refund Policy | Yes | No | No | No |
| DLL Sideloading via Signed App | Yes | No | No | No |
This is probably the most unsettling part of the whole story. You'd hope that with all the antivirus and endpoint protection tools out there, something this dangerous would get caught quickly. But that's not what's happening.
Both delivery archives came back clean on their first VirusTotal upload, and the malicious component inside them was still unflagged when researchers last checked on May 30, 2026.
How does it pull this off? A few clever tricks are involved. The malware uses encrypted payloads that only decrypt when actually running, so static scans see nothing suspicious. It uses DLL sideloading, where a legitimate, digitally signed program is tricked into loading a malicious file sitting in the same folder. Since the signed program is trusted by Windows, the malicious file rides along on that trust.
There's also in-memory execution involved, meaning parts of the attack never even touch the disk in a way traditional antivirus tools are designed to inspect. Researchers say the OnyxC2 malware targets more than 200 applications and extensions while evading detection through encrypted payloads, DLL sideloading, and in-memory execution techniques.
And on top of all that, the build downloads themselves are encrypted with AES256, adding yet another layer that keeps prying eyes out.
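The padding trick works because scanners bound the bytes they are willing to read, but the padding itself is a signal: a file inflated to 130 MB with filler has a tail that looks nothing like real code or compressed resources. The following is an added example, not code from the report or from any scanner vendor: a triage script that reads only a file's size and its last megabyte, measures how repetitive that tail is, and flags files that are both oversized and filler-heavy. The size and entropy thresholds are assumptions chosen for the demo and should be tuned to the scanner limits in your own environment; the demo file it writes is constructed on the spot.

```python
import math
import os
import tempfile
from collections import Counter
from typing import Dict

# Assumed thresholds (not from the report); tune to the size limits of the engines you run.
LARGE_FILE_BYTES = 100 * 1024 * 1024  # files above this size are what many engines skip
TAIL_SAMPLE_BYTES = 1024 * 1024       # how much of the end of the file to inspect
LOW_ENTROPY_BITS = 1.0                # real code and compressed data sit well above this
DOMINANT_BYTE_FRACTION = 0.95         # one byte value filling the tail means filler


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for a single repeated value, close to 8 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_padding(file_size: int, tail_sample: bytes) -> Dict[str, object]:
    """Combine the size signal with a look at the tail bytes to decide whether the file looks inflated."""
    entropy = shannon_entropy(tail_sample)
    dominant = max(Counter(tail_sample).values()) / len(tail_sample) if tail_sample else 0.0
    oversized = file_size > LARGE_FILE_BYTES
    filler_tail = entropy < LOW_ENTROPY_BITS or dominant > DOMINANT_BYTE_FRACTION
    return {
        "size_bytes": file_size,
        "tail_entropy": round(entropy, 3),
        "tail_dominant_byte_fraction": round(dominant, 3),
        "oversized": oversized,
        "filler_tail": filler_tail,
        "suspicious": oversized and filler_tail,
    }


def assess_file(path: str) -> Dict[str, object]:
    """Read only the size and the last TAIL_SAMPLE_BYTES, so a 130 MB file costs almost nothing to check."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - TAIL_SAMPLE_BYTES))
        tail = fh.read(TAIL_SAMPLE_BYTES)
    return assess_padding(size, tail)


if __name__ == "__main__":
    # Constructed demo: a small file whose body is random but whose tail is zero filler.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dll") as tmp:
        tmp.write(os.urandom(64 * 1024) + b"\x00" * (2 * 1024 * 1024))
        demo_path = tmp.name
    try:
        print("small padded file:", assess_file(demo_path))
    finally:
        os.remove(demo_path)
    print("oversized zero tail:", assess_padding(130 * 1024 * 1024, b"\x00" * 4096))
```

Two caveats a practitioner should keep in mind. Filler is not always at the end of the file: a padded section can sit in the middle, so a production version should walk every section of the PE rather than only the tail. And legitimate installers can be large with high-entropy compressed payloads, which is exactly why the heuristic requires both conditions before raising the file for a full scan rather than treating size alone as suspicious.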
None of this matters if the malware can't actually reach a victim's machine. So how does it get delivered?
The package comes bundled with what researchers call "lure installers," files designed to look like something completely normal and even desirable. The package ships with ready-made lure installers: FinePrint, SystemSettings, a fake Windows update package, and Fling-Standalone for gaming audiences.
Imagine you're a gamer looking for a free tool or crack. You download what looks like a legitimate program called Fling-Standalone. You run it. Everything seems fine; maybe it even works as expected. Meanwhile, in the background, a malicious DLL has quietly loaded itself using that trusted, signed application as cover, and your data is already on its way out.
This is why phishing-resistant habits and real endpoint security matter so much. If you're interested in how organizations test their defenses against exactly these kinds of social engineering and delivery tricks, penetration testing is designed to simulate these scenarios before a real attacker does.
Let's talk about how this thing is actually sold, because it genuinely reads like a SaaS pricing page.
The developers offer several options: normal at $250 per month and premium, which includes HVNC, at $500 per month. And if someone wants to go all in, there's a $6,000 option for an outright source code purchase that comes with an installation guide and optional setup support for buyers who don't know what they're doing.
That last bit is wild when you really think about it. Setup support for buyers who don't know what they're doing. This is customer service for malware.
And here's the part that should genuinely concern defenders: the rental price for OnyxC2 sits at the higher end of stealer costs, primarily justified by its stealth and reach, and the developers are confident enough in their evasion capabilities to offer refunds if a build gets detected. As the researchers put it, that's not bravado; it's a service guarantee backed by actual technical work.
When the people selling malware are confident enough to back it with a guarantee, that tells you the bar for "good enough to slip past defenses" has moved.
Beyond what gets advertised, the actual admin panel reveals even more about how seriously this thing was built. The developer markets OnyxC2 as a complete product, with a Bots page, a Logs page, a Builder, a Users page with roles, and a Settings page offering cloud storage and AES-256 build encryption. It is software sold and supported like a commercial product.
On top of credential theft, the malware's capability list goes well beyond just grabbing saved passwords. The stealer's capabilities extend beyond credential harvesting, incorporating features like HVNC, LSASS memory dumping, and a reverse SOCKS5 proxy.
For anyone unfamiliar, HVNC (hidden VNC) essentially lets an attacker remotely control a victim's machine while staying hidden from the person actually using it. LSASS memory dumping is a technique for pulling credentials directly out of the memory of the Windows Local Security Authority process. A reverse SOCKS5 proxy lets attackers route their own traffic out through the victim's machine and connection, so the activity appears to come from a trusted location.
Put together, this isn't just "steal and run" malware. It's built for sustained access.
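LSASS dumping is one of the few capabilities on that list that leaves a crisp, host-level trace: a process that is not part of Windows opening the LSASS process with memory-read rights. The following is an added example, not code from the report or from Sysmon's own tooling: a small triage routine over Sysmon Event ID 10 (ProcessAccess) records that alerts when a non-system process requests PROCESS_VM_READ or PROCESS_VM_WRITE on lsass.exe, and raises the severity when the source binary lives in a user-writable directory. The sample events and the starting allowlist are constructed; the allowlist in particular must be extended with your own EDR and backup agents after observing a baseline.

```python
import re
from typing import Dict, List

# Windows process access rights that a memory dump needs (values from winnt.h).
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF

# Constructed starting allowlist of stock Windows components that legitimately open LSASS.
# Extend it with agents observed in your own baseline, never with user-land paths.
KNOWN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\lsass.exe",
}
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|programdata|users\\public)\\", re.IGNORECASE)


def classify_process_access(event: Dict[str, str]) -> Dict[str, object]:
    """Decide whether one Sysmon Event ID 10 (ProcessAccess) record warrants an alert."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return {"alert": False, "reason": "target is not lsass"}
    source = event.get("SourceImage", "").lower()
    access = int(event.get("GrantedAccess", "0x0"), 16)  # Sysmon logs this field as a hex string
    wants_memory = access == PROCESS_ALL_ACCESS or bool(access & (PROCESS_VM_READ | PROCESS_VM_WRITE))
    if not wants_memory:
        return {"alert": False, "reason": "no memory read/write rights requested"}
    if source in KNOWN_SOURCES:
        return {"alert": False, "reason": "known system component"}
    # A dumper dropped by a lure installer typically runs from a user-writable path.
    severity = "critical" if USER_WRITABLE.search(source) else "high"
    return {"alert": True, "severity": severity, "source": source, "granted_access": hex(access)}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the records that produced an alert."""
    return [r for r in (classify_process_access(e) for e in events) if r["alert"]]


# Constructed sample records in the shape Sysmon writes for Event ID 10.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Program Files\Vendor\monitor.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Program Files\Vendor\monitor.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1fffff"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Checking the access mask bit by bit, rather than matching a list of popular mask values, keeps the rule honest against tooling that requests an unusual combination of rights; reading another process's memory still requires PROCESS_VM_READ whatever else is bundled with it. The third sample event shows the other side of that: a query for limited process information without memory rights is normal and stays quiet.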
It's easy to read all this and think it's only a problem for big companies or IT departments. But the reality is that infostealers like this fuel a much bigger ecosystem of harm. Stolen credentials get sold, bundled, and reused across the dark web for things like account takeovers, SIM swapping, and targeted phishing campaigns built using the personal details that got scooped up along the way.
If your credentials ever end up in one of these dumps, you usually won't find out from the company that got breached. You'll find out when something strange happens to your account, or not at all, until it's too late. This is exactly the gap that dark web monitoring services are designed to close by catching exposed credentials before attackers get a chance to use them.
Given how easily OnyxC2 slips past traditional antivirus, the conversation needs to shift from "Did our antivirus catch it?" to "What happens if it doesn't?"
A few things genuinely make a difference:
· Rethink what "detection" means. If a threat can stay invisible during its first scan, relying solely on signature-based antivirus is no longer enough. Modern endpoint security protection needs to watch behavior, not just match known malware fingerprints.
· Make 2FA bypass harder, not just present. Since OnyxC2 specifically targets 2FA browser extensions, organizations should be moving toward phishing-resistant methods like hardware security keys rather than relying entirely on extension-based codes.
· Treat outbound data movement as a red flag. A huge part of what makes infostealers dangerous is the exfiltration step, the moment stolen data actually leaves the network. Watching for unusual outbound connections can catch an infection even after it's already running.
· Get visibility into your actual exposed attack surface. Many organizations genuinely don't know how many of their employees' credentials, browser extensions, or third-party tools are exposed until something goes wrong. Attack surface management helps map out these blind spots before attackers find them first.
· Have a plan for when, not if. Given how widespread infostealer activity has become, building out a clear incident response and recovery plan means the difference between a contained event and a full-blown breach.
· Run real-world tests against your own defenses. The lure installers OnyxC2 relies on work because people trust familiar-looking files. Regular red teaming exercises simulate exactly these scenarios, showing where employees and systems are most vulnerable to this kind of social engineering.
· Don't forget email as an entry and exit point. With email clients on OnyxC2's target list and business email compromise being a common follow-up to credential theft, strong email security and anti-phishing measures remain one of the most cost-effective defenses available.
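The "outbound data movement" point above is the one that survives even a perfect evasion of file scanning: thousands of cookies and a wallet file have to leave the host somehow, and the report notes that OnyxC2 uploads over HTTPS to C2 fronted by Cloudflare, so destination reputation alone will not flag it. The following is an added example, not code from the report or from any proxy vendor: a detector that aggregates egress proxy records per client and destination, ignores hosts seen during a clean baseline window, and flags upload-dominated traffic above a volume floor. The log format, the baseline set, the thresholds and the log lines themselves are constructed for the demo.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed proxy log lines in a simplified egress format:
# <timestamp> <client> <method> <destination host> <bytes sent> <bytes received>
SAMPLE_LOGS = """\
2026-06-11T09:00:01 ws-042 GET  mail.example.com 812 51234
2026-06-11T09:00:05 ws-042 POST mail.example.com 2048 1900
2026-06-11T09:01:10 ws-042 GET  cdn.example-updates.net 600 8900000
2026-06-11T09:02:30 ws-042 POST relay.constructed-c2.example 4100000 310
2026-06-11T09:02:35 ws-042 POST relay.constructed-c2.example 3800000 290
2026-06-11T09:03:00 ws-017 GET  mail.example.com 780 48000
"""

# Constructed baseline: destinations this fleet contacted during a clean learning window.
BASELINE_HOSTS: Set[str] = {"mail.example.com", "cdn.example-updates.net"}

UPLOAD_RATIO = 10.0           # bytes out / bytes in above which traffic is upload-dominated
MIN_UPLOAD_BYTES = 1_000_000  # assumed floor that ignores ordinary form posts and API calls

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT)\s+(\S+)\s+(\d+)\s+(\d+)$")


def parse_logs(text: str) -> List[Dict[str, object]]:
    """Turn raw lines into records, skipping malformed lines instead of crashing the pipeline."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, client, method, host, sent, recv = m.groups()
        records.append({"ts": ts, "client": client, "method": method, "host": host,
                        "sent": int(sent), "recv": int(recv)})
    return records


def find_upload_anomalies(records: List[Dict[str, object]], baseline: Set[str]) -> List[Dict[str, object]]:
    """Aggregate per client/destination and flag large, upload-heavy traffic to hosts outside the baseline."""
    totals = defaultdict(lambda: {"sent": 0, "recv": 0, "requests": 0})
    for r in records:
        t = totals[(r["client"], r["host"])]
        t["sent"] += r["sent"]
        t["recv"] += r["recv"]
        t["requests"] += 1
    anomalies = []
    for (client, host), t in totals.items():
        if host in baseline or t["sent"] < MIN_UPLOAD_BYTES:
            continue
        ratio = t["sent"] / max(t["recv"], 1)  # guard against a destination that never answers
        if ratio >= UPLOAD_RATIO:
            anomalies.append({"client": client, "host": host, "total_sent": t["sent"],
                              "total_recv": t["recv"], "requests": t["requests"],
                              "upload_ratio": round(ratio, 1)})
    anomalies.sort(key=lambda a: a["total_sent"], reverse=True)
    return anomalies


if __name__ == "__main__":
    for hit in find_upload_anomalies(parse_logs(SAMPLE_LOGS), BASELINE_HOSTS):
        print(hit)
```

The baseline is what keeps this from drowning in noise: backup agents and cloud sync clients are upload-heavy too, but they talk to destinations that appear during the learning window. Splitting the upload across several requests, as the last two sample lines do, does not help the sender here because the detector aggregates per client and destination before applying the thresholds.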
For security teams who think in terms of frameworks, here's how OnyxC2's behavior lines up with known MITRE ATT&CK techniques:
| Technique ID | Technique Name | How OnyxC2 Uses It |
|---|---|---|
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | Signed installer loads the malicious DLL from the same folder |
| T1027.001 | Obfuscated Files: Binary Padding | DLL inflated past 120 MB to evade scanning |
| T1027 | Obfuscated or Encrypted Information | Payload encrypted, regenerated per build |
| T1497 | Virtualization/Sandbox Evasion | Optional anti-VM detection |
| T1053.005 | Scheduled Task/Job: Scheduled Task | Persistence through autorun |
| T1555.003 | Credentials from Web Browsers | Targets 45 browsers total |
| T1555.005 | Credentials from Password Managers | Targets 5 major password managers |
| T1539 | Steal Web Session Cookie | Cookie theft across targeted browsers |
| T1003.001 | OS Credential Dumping: LSASS Memory | LSASS memory dumping capability |
| T1056.001 | Input Capture: Keylogging | Built-in keylogger |
| T1113 | Screen Capture | Screenshot capability |
| T1564.003 | Hide Artifacts: Hidden Window | HVNC enables hidden desktop control |
| T1090.003 | Proxy: Multi-hop Proxy | Built-in TOR tunnel |
| T1071.001 | Application Layer Protocol: Web Protocols | HTTPS C2 communication, Cloudflare-fronted |
| T1041 | Exfiltration Over C2 Channel | Stolen data uploaded via the up_d action |
If your organization needs help understanding how techniques like these might play out in your specific environment, AI-driven automated red teaming or a more traditional red teaming engagement can simulate exactly this kind of attack chain safely.
What's really happening here isn't just "a new malware was found." It's a signal about where cybercrime is heading as a whole. When sophisticated, evasive attack tools get packaged with refund policies, customer support, and tiered pricing plans, the barrier to entry for cybercrime drops dramatically. Someone doesn't need to understand how DLL sideloading works or how to encrypt a payload. They just need 250 dollars and a target in mind.
That shift matters for everyone, not just security teams. It means the volume of attacks is likely to keep climbing, because the people launching them no longer need to be experts. And for defenders, it means the old assumption of "our antivirus will catch it" needs to be retired for good.
The honest takeaway here isn't to panic. It's to recognize that defense in 2026 has to assume that something will eventually slip past the first line of protection and build accordingly with layered security, credential monitoring, and a genuine plan for what happens after.