Arkanix Stealer Malware Found Leveraging LLMs to Develop Code and Upgrade Features


Tuesday, February 24, 2026

Researchers from Kaspersky have uncovered a data-stealing malware operation known as Arkanix Stealer, which was actively promoted in late 2025. Evidence suggests that the malware may have been developed with the assistance of large language models (LLMs) or AI tools, significantly reducing development time and cost. The project was marketed as a publicly available service with supporting infrastructure, including an administrative dashboard and a Discord server for user communication. However, the developer shut down these channels just two months after launch, making tracking and detection more challenging.

Arkanix was offered in two tiers: a basic version written in Python and a premium version developed in C++. The premium edition included enhanced antivirus evasion capabilities and anti-analysis protections using VMProtect. The malware is capable of stealing system information, browsing history, cookies, saved passwords, and cryptocurrency wallet data from over 22 browsers. It can extract OAuth2 tokens from Chromium-based browsers, steal data from Telegram and Discord applications, and harvest credentials from VPN services such as NordVPN and ExpressVPN.

The premium version further expands its functionality to include RDP credential theft, anti-sandbox and anti-debugging techniques to resist analysis, and deployment of a tool called ChromElevator. This tool uses code injection techniques to bypass Google’s App-Bound Encryption (ABE) protections within browser processes. Researchers assess that Arkanix may have been designed either as a short-term profit-driven project or as an experimental platform to test AI-assisted malware development and feature enhancement before being incorporated into more sophisticated cyberattack campaigns in the future.

Source: https://www.bleepingcomputer.com/news/security/arkanix-stealer-pops-up-as-short-lived-ai-info-stealer-experiment/