A new and dangerous credential-stealing tool called OnyxC2 has emerged in the cybercrime underground, showing just how easy it has become for even low-skilled attackers to run a professional hacking operation. Sold as a complete package for $250 a month, the malware gives buyers everything they need to quietly drain login data from victims worldwide. What makes it stand out is the scale of what it targets: over 210 applications and browser extensions in one sweep.
OnyxC2 is marketed like legitimate commercial software, complete with a web panel, a payload builder, tiered pricing, and refunds if a build gets flagged. For a monthly fee, buyers get a kit that steals browser credentials, password manager data, two-factor authentication codes, and crypto wallet information. The stolen data is shipped back through an encrypted channel, making it harder for security tools to catch in transit.
Analysts at Blackfog identified the malware and published their findings in a report shared with Cyber Security News (CSN), revealing the full scope of what OnyxC2 can do and how it evades detection. The research team obtained live builds, ran them in sandbox environments, and confirmed that the tool is actively reaching live command-and-control infrastructure.
The malware is written in C++, using assembly code to bypass security rules at the system level. Each build is mutated before delivery to break antivirus signature detection, and the developer claims a 99% evasion rate. Blackfog’s tests confirmed this: both sample builds submitted to VirusTotal came back clean on first upload, with the malicious component still undetected as of May 30, 2026.
The damage potential is very real. One infected machine shown in the panel had already surrendered 55 saved passwords, 4,717 cookies, 719 autofill entries, credit card data, and a crypto wallet, all from a single host. That kind of haul can unlock banking systems, business accounts, and cloud services in one shot.
Hackers Use OnyxC2 Malware-as-a-Service
The breadth of OnyxC2’s target list sets it apart from simpler stealers. It reaches 37 Chromium-based browsers and 8 Gecko-based browsers, plus 95 Chromium and 14 Gecko extensions, including 6 dedicated two-factor authentication tools. Even accounts protected by 2FA are not safe from this threat.
The stealer also covers 5 password managers, 17 cryptocurrency wallets, 11 FTP clients, and 5 email clients. A stealer that grabs password manager data alongside active session cookies can access accounts even after a victim changes their password. The FTP and email targets push its reach beyond personal accounts and into business systems that finance and operations teams use every day.
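One defensive counter to the problem the paragraph describes, as an added example that is not part of the article or the Blackfog report: a session cookie bound to a per-account credential version, so a password change invalidates every cookie issued before it, stolen ones included. The `SessionService` class, its signing key and the demo accounts are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key: a real service loads this from a secret store.
SERVER_KEY = b"constructed-demo-signing-key"


class SessionService:
    """Hypothetical session store whose cookies carry the account's credential version.

    With bind_to_credential_version=True a password change bumps the version and every
    earlier cookie fails validation, even though it is unexpired and correctly signed.
    With False (the weak design) a stolen cookie keeps working after the change.
    """

    def __init__(self, bind_to_credential_version=True):
        self.bind_to_credential_version = bind_to_credential_version
        self.users = {}  # username -> {"pw_hash": str, "cred_version": int}

    @staticmethod
    def _hash_pw(password):
        return hashlib.sha256(password.encode()).hexdigest()  # demo only; use argon2/bcrypt

    def _sign(self, payload):
        return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def register(self, username, password):
        self.users[username] = {"pw_hash": self._hash_pw(password), "cred_version": 1}

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["pw_hash"], self._hash_pw(password)):
            return None
        payload = f"{username}:{user['cred_version']}:{secrets.token_hex(8)}"
        return f"{payload}:{self._sign(payload)}"  # the cookie value handed to the browser

    def validate(self, cookie):
        try:
            username, version, nonce, sig = cookie.split(":")
        except ValueError:
            return False
        if not hmac.compare_digest(sig, self._sign(f"{username}:{version}:{nonce}")):
            return False  # forged or tampered cookie
        user = self.users.get(username)
        if user is None:
            return False
        if not self.bind_to_credential_version:
            return True  # weak design: any well-signed cookie is accepted
        return int(version) == user["cred_version"]  # reject cookies from an older version

    def change_password(self, username, new_password):
        user = self.users[username]
        user["pw_hash"] = self._hash_pw(new_password)
        user["cred_version"] += 1  # this bump is what revokes every existing session
```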
Beyond credential theft, OnyxC2 bundles a full remote-access toolkit. Operators can use HVNC to control a hidden browser session, run a keylogger, take screenshots, and manage files remotely.
The emergence of OnyxC2 underscores the growing sophistication and accessibility of malware-as-a-service platforms. By offering comprehensive tools with extensive reach, these services lower the barrier to entry for cybercriminals, enabling widespread credential theft and unauthorized access to sensitive information. Organizations must enhance their security measures, including regular software updates, employee training on phishing tactics, and the implementation of advanced threat detection systems, to mitigate the risks posed by such evolving threats.