ThePennyC2 Stealer Emerges as New Information Threat
A new malware variant known as ThePennyC2 has been identified in underground circles, designed to exfiltrate sensitive data from Chromium-based browsers.

A new malware variant known as ThePennyC2 has been identified in underground circles, designed to exfiltrate sensitive data from Chromium-based browsers.

ThePennyC2 is a recently observed information-stealing malware currently being marketed in underground forums. Allegedly derived from or rebranded from the existing Lich Stealer, this tool is designed to systematically harvest sensitive data directly from the local environment of a target system. By focusing on Chromium-based browsers, the malware gains access to a wealth of user information that can be leveraged for account takeover, identity theft, or further infiltration into corporate networks.

The threat actor behind this tool claims that it can extract saved passwords, browser cookies, credit card details, browsing history, autofill data, and even downloaded files. For an enterprise, the risk posed by such malware extends beyond individual account compromises. Cookies, in particular, represent a significant danger if stolen, as they can often be used to bypass multi-factor authentication (MFA) and gain session-based access to enterprise cloud environments and SaaS applications.
Information stealers have become a primary vector for initial access in modern cyber attacks. Unlike traditional malware that might focus on system disruption, tools like ThePennyC2 focus on silent exfiltration. Once an adversary obtains an employee's session cookies or saved credentials, they do not need to exploit a complex vulnerability or bypass a firewall to gain entry. They simply walk through the front door using stolen, valid authentication tokens.
To assess your organization's exposure to such threats, it is critical to perform regular audits of your digital footprint. If the domain already looks exposed, use Dark Web Scanner before requesting a full report. Our proactive approach ensures that leaked credentials or malware log signals associated with your domain are identified before they are weaponized by adversaries.
Defending against malware such as ThePennyC2 requires a multi-layered approach to identity and endpoint security. Organizations should ensure that they have robust vulnerability assessments to identify gaps that might allow malware to gain a foothold on the network. Beyond patching, it is essential to focus on behavioral monitoring and the implementation of least-privilege principles to limit the impact of a potential breach.
Free exposure check
Dark Web Scanner
check dark web mentions, compromised account indicators, malware log signals, public breach exposure, and recent underground market activity for your domain.
Continuous monitoring through Dark Web Monitoring provides the visibility needed to respond to identity compromises in real time. By understanding the tools used by adversaries, enterprises can better tailor their defensive posture to detect exfiltration attempts early and rotate compromised credentials before they are used in high-impact campaigns.
If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.
The alleged sale of the Stealc_v2 information-stealing malware source code on the exploit.in forum introduces major corporate security challenges. Featuring a PHP administration panel, customizable builders, and Telegram bot integrations, this leak enables rapid deployment of stealthy credential-harvesting campaigns.

June 21, 2026
An emerging macOS-based RAT and information stealer has surfaced, targeting credentials, session tokens, and crypto assets. We analyze the risks to enterprise endpoints and provide guidance on how to strengthen your defenses against this class of threat.

June 25, 2026
A threat actor is selling the source code of the Predator 1.6 remote access trojan and file binder on the cybercrime forum Spear. This development lowers the technical barrier for deploying persistent backdoors, posing immediate security risks that demand behavioral EDR rules and path restrictions.