OnyxC2 Stealer Targets 200+ Apps for $250 Per Month

OnyxC2, a new MaaS information stealer priced at $250 per month, targets 200-plus applications using DLL sideloading and encryption to evade detection.

Security researchers have identified OnyxC2, a new information stealer sold as a subscription service for $250 per month that targets more than 200 applications and employs DLL sideloading and payload encryption to evade endpoint detection products. The tool was identified and published by researchers on June 11, 2026.

OnyxC2’s Subscription Model and Application Coverage

OnyxC2 operates on a Malware-as-a-Service model, meaning criminal operators pay a monthly subscription to access the tool rather than purchasing or developing it outright. The $250 monthly price point places OnyxC2 in the professional tier of the information stealer market — comparable to established stealers such as RedLine, Raccoon, and Vidar that have powered large-scale credential theft operations. The pricing is high enough to signal operational quality while remaining accessible enough to attract operators without significant upfront capital investment.

What OnyxC2 Extracts From Targeted Systems

The stealer targets more than 200 applications across several categories: web browsers, cryptocurrency wallets, messaging clients, and credential stores. That breadth of coverage means OnyxC2 can extract credentials and session tokens from virtually every major tool a corporate user might have installed. Browser credential databases, saved passwords, autofill data, session cookies, and cryptocurrency wallet files are all within the tool’s documented scope. The 200-plus application count is a notable differentiator in the stealer market — many credential theft tools focus on a narrower set of high-value targets, whereas OnyxC2’s wide net increases the volume of actionable data any given operator can collect from a single infected endpoint.

DLL Sideloading and Encrypted Payloads as Evasion Mechanisms

OnyxC2 uses DLL sideloading to load its malicious code through a legitimate process, a technique that exploits the way Windows searches for and loads dynamic-link libraries. By hijacking that search process through a trusted application, the stealer can execute without triggering the behavioral signatures that endpoint detection products associate with standalone malware execution. Payload encryption provides an additional layer of evasion, obscuring the stealer’s contents from static analysis tools that scan files for known malicious patterns. DLL sideloading has remained effective against enterprise endpoint products despite being a well-documented technique, because defeating it requires monitoring legitimate application behavior in ways that create significant false-positive overhead.
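As an added example that is not from the article or from any vendor's tooling, the following Python sketch applies the kind of monitoring the paragraph above describes to Sysmon ImageLoad (Event ID 7) records: it flags a DLL carrying a Windows system library name that a process loads from outside the system directories without a valid signature, and uses an allowlist to contain the false positives the paragraph mentions. The DLL watchlist, the allowlist entries and the key=value log lines are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed watchlist (not from the article): DLL names that normally resolve only from
# the Windows system directories; a copy loaded from an app directory is the sideloading shape.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed allowlist of (process, dll) pairs known to ship their own copy; this is
# the false-positive control the article says such monitoring needs.
ALLOWLIST = {("c:\\program files\\goodvendor\\updater.exe", "userenv.dll")}

@dataclass
class Finding:
    image: str      # process that performed the load
    dll_path: str   # module that was loaded
    reason: str

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
def parse_event(line: str) -> Dict[str, str]:
    """Parse a flattened key=value Sysmon record; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}

def check_event(ev: Dict[str, str]) -> Optional[Finding]:
    """Flag a system-named DLL loaded from a non-system path without a valid signature."""
    if ev.get("EventID") != "7":
        return None
    image = ev.get("Image", "").lower()
    dll = ev.get("ImageLoaded", "").lower()
    name = dll.rsplit("\\", 1)[-1]
    if name not in SYSTEM_DLL_NAMES or dll.startswith(SYSTEM_DIRS):
        return None
    if (image, name) in ALLOWLIST:
        return None
    if ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid":
        return None  # validly signed vendor copy: tolerated to keep alert volume down
    return Finding(image, dll, f"{name} loaded from non-system path without a valid signature")

def scan(lines: Iterable[str]) -> List[Finding]:
    return [f for f in (check_event(parse_event(l)) for l in lines) if f is not None]

# Constructed sample records (not real telemetry), flattened to key=value form.
SAMPLE_EVENTS = [
    'EventID=7 Image="C:\\Program Files\\Vendor\\Client.exe" ImageLoaded="C:\\Program Files\\Vendor\\version.dll" Signed=false SignatureStatus=Unavailable',
    'EventID=7 Image="C:\\Program Files\\Vendor\\Client.exe" ImageLoaded="C:\\Windows\\System32\\version.dll" Signed=true SignatureStatus=Valid',
    'EventID=7 Image="C:\\Program Files\\GoodVendor\\Updater.exe" ImageLoaded="C:\\Program Files\\GoodVendor\\userenv.dll" Signed=false SignatureStatus=Unavailable',
    'EventID=1 Image="C:\\Program Files\\Vendor\\Client.exe" CommandLine="Client.exe /start"',
]
```

Only the first record produces a finding: the System32 load is where the DLL belongs, the Updater.exe pair is allowlisted, and the last record is not an ImageLoad event.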

Enterprise-Grade C2 Infrastructure Behind a Consumer Price Point

Researchers described OnyxC2’s command-and-control infrastructure as enterprise-grade in its operational sophistication — a notable characteristic for a tool at its price point. The C2 layer is what allows operators to receive stolen data from compromised systems, manage active infections, and configure targeting parameters remotely. Sophisticated C2 infrastructure reduces the risk of the service being disrupted by takedowns or domain blocking, and the level of investment it represents suggests the operators behind OnyxC2 built the service with longevity and resilience as design priorities rather than as a short-term offering.

OnyxC2’s Position in the Initial Access Broker Ecosystem

Information stealers are the primary mechanism feeding the initial access broker market, where stolen credentials are packaged and sold to other criminal actors — including ransomware groups seeking authenticated access to corporate networks. A single compromised endpoint running OnyxC2 can yield browser session tokens, VPN credentials, corporate application logins, and authentication cookies that collectively represent a ready-made initial access package. OnyxC2’s combination of broad application coverage, effective evasion, and accessible pricing makes it a capable harvesting tool that, deployed across many operators simultaneously, could contribute to a substantial volume of corporate credential theft entering criminal markets. The identity of the threat actor or group behind OnyxC2’s development and operation was not disclosed by the researchers who identified it.

Lowered Technical Barrier for Credential Theft Campaigns

The MaaS model is the defining characteristic of OnyxC2’s market position. By abstracting the technical complexity of stealer development, deployment, and operation behind a subscription interface, OnyxC2 allows operators with limited malware development capability to run credential theft campaigns with professional-grade tooling. The infrastructure, evasion techniques, application targeting logic, and C2 management are all handled by the service — the operator’s only operational requirement is successful deployment on a target system. The subscription model also means the service is continuously maintained and updated by its developers, keeping evasion capabilities current against evolving endpoint defenses without any effort from the subscribing operator.
