Rapidly Evolving Arkanix Stealer Hits Credentials and Wallets

Arkanix Stealer is a fast-evolving infostealer spreading through Discord to harvest credentials, wallets, and system data.

Ken Underhill
Dec 2, 2025

A fast-moving new malware family called Arkanix Stealer is spreading across Discord and online forums, offering cybercriminals a ready-made tool to harvest credentials, crypto wallets, system data, and more. 

Despite being barely a month old, researchers say Arkanix has already evolved from a simple Python-based tool into a fully featured C++ infostealer — signaling aggressive development and a push for short-term financial gain.

“The malware supports collecting information from a variety of Chromium-based browsers,” said G Data researchers.

How Arkanix Stealer Spreads and What It Steals

Arkanix is delivered through seemingly harmless files shared across Discord servers and community forums. 

Once executed, the malware can collect browser data, crypto wallet information, system metadata, VPN credentials, and files that match sensitive patterns. 

The operators offer a Premium tier — gated behind invite codes obtained via Discord — that includes C++ payloads, Steam account theft, Wi-Fi credential harvesting, screenshot capture, and additional support features.

Inside the web panel, attackers can track victims and stolen data in real time, including counts for passwords, wallets, cookies, Discord tokens, Telegram sessions, and other high-value items. 

Premium builds are obfuscated using VMProtect, helping evade detection from traditional antivirus tools and sandboxes.

Inside the Malware Versions

Python Version 

The initial Arkanix build was written in Python and packaged with Nuitka, which bundles compiled Python bytecode together with a portable Python environment. 

Once launched, the loader retrieves the real malicious stealer script from hxxps://arkanix[.]pw/stealer[.]py — executing it directly in memory when a valid token is supplied.

The Python payload supports broad and configurable data-theft features, including:

  • Browser history, autofill data, and stored credit cards
  • Cryptocurrency browser extensions (e.g., MetaMask, ExodusWeb3, Binance, Oxygen)
  • Desktop, Documents, and Downloads file harvesting
  • Wi-Fi profile dumping via netsh
  • VPN credentials from NordVPN, Mullvad, ExpressVPN, and ProtonVPN
  • Discord token theft and optional self-spreading through DMs and channels

All collected data is uploaded to attacker infrastructure through endpoints such as hxxps://arkanix[.]pw/delivery.

C++ Version 

The newer C++ variant demonstrates more sophistication. Chrome’s App-Bound Encryption (ABE) is designed to prevent one app from decrypting another’s browser data. 

To bypass this, Arkanix uses Chrome Elevator, a post-exploitation tool that injects malicious code directly into a Chrome process — allowing the stealer to decrypt cookies and credentials from Chrome, Edge, and Brave.

Additional C++ capabilities include:

  • RDP connection harvesting via .rdp files
  • Wallet, cookie, and credential extraction at native runtime
  • Direct data upload to hxxps://arkanix[.]pw/api/upload/direct with the user agent ArkanixStealer/2.0

Unlike the Python version, this variant does not include Discord self-propagation in the sample analyzed.

Protecting Your Organization From Arkanix Stealer

Arkanix Stealer demonstrates how quickly modern infostealers can infiltrate an organization by targeting browsers, credentials, and developer systems. 

Because these attacks often spread through trusted tools and everyday communication channels, security teams must adopt a layered defense strategy.

  • Monitor endpoints for suspicious Discord-delivered files and block execution of unsigned or unknown binaries.
  • Harden browsers by restricting local credential storage, enforcing strong password policies, and keeping browsers and extensions fully patched.
  • Monitor network traffic and DNS logs for outbound connections to known Arkanix infrastructure and other suspicious beaconing behavior.
  • Rotate exposed credentials, VPN configs, and tokens immediately and enforce strong key hygiene across all developer and user machines.
  • Apply least-privilege and segmentation by limiting user permissions and isolating high-risk systems such as developer workstations.
  • Detect and block process injection, credential access attempts, and unusual browser data access using EDR, SIEM, and behavioral analytics.
  • Strengthen end user and developer security training with guidance on avoiding untrusted tools, Discord-shared executables, and other common infostealer delivery vectors.
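The network-monitoring bullet above can be turned into a small log triage check. The following is an added example (not part of the article or of G Data's research) that scans constructed proxy and DNS log lines for the Arkanix indicators the article names: the arkanix.pw domain, the /stealer.py, /delivery and /api/upload/direct endpoints, and the ArkanixStealer/2.0 user agent. The two log line formats are assumed for illustration; adapt the regexes to your own proxy and resolver logs.

```python
import re
from typing import Iterable, Optional
from urllib.parse import urlparse

# Indicators as described in the article (de-fanged there as hxxps://arkanix[.]pw).
ARKANIX_DOMAIN = "arkanix.pw"
ARKANIX_PATHS = ("/stealer.py", "/delivery", "/api/upload/direct")
ARKANIX_USER_AGENT = "ArkanixStealer/2.0"

# Assumed (hypothetical) proxy log format:
#   <ts> <src_ip> <METHOD> <url> <status> "<user-agent>"
PROXY_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Assumed (hypothetical) DNS query log format:
#   <ts> <src_ip> query <qname>
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qname>\S+)$")

# Constructed sample log lines for this example; not captured traffic.
SAMPLE_LOGS = """\
2025-12-02T10:01:05Z 10.0.0.12 GET https://arkanix.pw/stealer.py 200 "Mozilla/5.0"
2025-12-02T10:01:09Z 10.0.0.12 POST https://arkanix.pw/delivery 200 "Mozilla/5.0"
2025-12-02T10:03:44Z 10.0.0.27 POST https://arkanix.pw/api/upload/direct 200 "ArkanixStealer/2.0"
2025-12-02T10:03:50Z 10.0.0.30 GET https://example.com/index.html 200 "Mozilla/5.0"
2025-12-02T10:04:01Z 10.0.0.31 query arkanix.pw
2025-12-02T10:04:02Z 10.0.0.32 query www.example.com
"""

def host_matches(hostname: str) -> bool:
    """True for arkanix.pw itself or any subdomain of it."""
    h = hostname.lower().rstrip(".")
    return h == ARKANIX_DOMAIN or h.endswith("." + ARKANIX_DOMAIN)

def classify(line: str) -> Optional[dict]:
    """Return a finding for a line that touches an Arkanix indicator, else None."""
    m = PROXY_LINE.match(line)
    if m:
        parsed = urlparse(m["url"])
        reasons = []
        if host_matches(parsed.hostname or ""):
            reasons.append("c2-domain")
        if m["ua"] == ARKANIX_USER_AGENT:
            reasons.append("user-agent")
        # Endpoint paths are only meaningful alongside the domain or user agent;
        # "/delivery" on its own would be too generic to alert on.
        if reasons and parsed.path in ARKANIX_PATHS:
            reasons.append("known-endpoint:" + parsed.path)
        return {"ts": m["ts"], "src": m["src"], "reasons": reasons} if reasons else None
    m = DNS_LINE.match(line)
    if m and host_matches(m["qname"]):
        return {"ts": m["ts"], "src": m["src"], "reasons": ["dns-lookup"]}
    return None

def scan(lines: Iterable[str]) -> list:
    """Run classify() over every non-empty line and keep the findings."""
    return [f for f in (classify(l.strip()) for l in lines if l.strip()) if f]
```

Each finding carries the source IP, so the output can be pivoted straight into the credential-rotation and endpoint-isolation steps listed above.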

Leveraging these controls helps organizations build cyber resilience.

The Rapid Evolution of Commodity Malware

Arkanix Stealer reflects a broader shift in the cybercrime ecosystem: threat actors are rapidly producing short-cycle, high-impact malware designed for quick monetization, often using platforms like Discord to recruit buyers and distribute payloads at scale. 

Its dual implementation in Python and C++ — combining flexible delivery with native-level stealth — signals a growing sophistication among commodity malware developers. 

Together, these trends point to an increasingly professionalized underground economy where speed, adaptability, and cross-platform capability have become core features of modern infostealers.

These trends highlight why zero-trust principles are increasingly important for modern security programs.
