Step 1: Initial Access and Distribution Vectors
Initial compromise typically relies on high-fidelity social engineering, SEO poisoning, or compromised software distributions. Threat actors often distribute the malware via Trojanized Professional Software disguised as cracked versions of popular design and editing software packages. Another major vector includes weaponized 3D assets uploaded to public repositories that execute embedded scripts immediately upon opening. Additionally, web-based ClickFix attack paths are used to trick users into running PowerShell scripts disguised as mandatory browser updates.
Step 2: Loader Execution and Anti-Analysis Safeguards
Once a user executes the initial file, a lightweight downloader script is initiated. A common payload vector observed in these campaigns is a PowerShell wrapper designed to run with elevated execution policies. To evade automated sandbox analysis, the threat actors apply binary padding to the main Stealc_v2 executable. By inflating the size of the binary with junk bytes, the file size often exceeds 100MB or even 1GB. Because many traditional antivirus scanners bypass files over a certain size to conserve system resources, this simple technique frequently succeeds in slipping past perimeter defenses.
Step 3: Process Injection and Memory Manipulation
After bypassing the primary file scanners, the loader resolves critical Windows API functions dynamically. Using direct syscalls to bypass system monitoring APIs, the malware interacts directly with the kernel to allocate memory and inject its core payload. Standard APIs utilized during this phase include VirtualAlloc and NtProtectVirtualMemory to prepare memory regions for shellcode, NtWriteVirtualMemory to inject the decrypted payload into a legitimate system process, and CreateThread to execute the payload within the context of the target process.
Step 4: Information Harvesting and Browser Exploitation
Once memory injection is complete, the malware actively scans the user profile directory to locate and harvest credentials, cryptocurrency wallets, and communication histories. The primary targets include autofill data from over 20 Chromium and Gecko-based browsers, desktop session tokens for platforms like Telegram and Discord, and private keys from active cryptocurrency extensions. The malware also features a built-in module designed to capture full-screen screenshots across multiple active monitors, providing attackers with immediate visual context of the victim's workspace.
Step 5: Command and Control Exfiltration
The harvested data is quickly compressed into an encrypted archive and prepared for exfiltration. In previous versions, exfiltration occurred exclusively via direct HTTP POST requests to customized web endpoints. With the inclusion of the Telegram bot builder in the Stealc_v2 source code leak, operators can now program the malware to send real-time notifications directly to their private Telegram channels. Whenever a user with high-privileged credentials or significant cryptocurrency assets is compromised, the operator receives an immediate, automated alert detailing the stolen data.