Arkanix Stealer Emerges as Brief AI-Driven Data Theft Experiment
An information-stealing malware called Arkanix Stealer emerged in late 2025. It was advertised mainly on dark web forums and may have been developed with the help of artificial intelligence.
Overview of Arkanix Stealer
According to Kaspersky researchers, Arkanix was potentially designed as a brief experiment. It featured a control panel and a dedicated Discord server, which facilitated communication among users. However, these resources were removed just two months after launch.
Key Features
- Standard data-stealing capabilities familiar to cybercriminals.
- Modular architecture designed for flexibility.
- Anti-analysis features to evade detection.
Promotion and Availability
Promotion of Arkanix on hacker forums began in October 2025. It was offered in two service tiers: a basic Python implementation and a premium version with a native C++ payload. The premium version was packed with VMProtect for added protection and included additional features for evading antivirus tools.
Community and Referrals
A Discord server served as a forum for updates and feedback. To grow the customer base, a referral program offered incentives: free access to the premium version for new customers and additional hours of access for referrers.
Data-Stealing Capabilities
Arkanix Stealer can extract a wide range of information, including:
- System information.
- Browser data such as history and cookies.
- Password and cryptocurrency wallet data from 22 different browsers.
Additionally, it can target:
- OAuth2 tokens from Chromium-based browsers.
- Data from messaging platforms like Telegram and Discord.
- Credentials for various VPN services.
Advanced Features of the Premium Version
The premium C++ edition of Arkanix includes:
- Remote Desktop Protocol (RDP) credential theft.
- Anti-sandbox and anti-debugging checks.
- WinAPI-powered screen capturing.
- Tools for targeting gaming platforms like Epic Games and Riot.
ChromElevator Tool
This feature allows the malware to inject into suspended browser processes, bypassing Google’s encryption mechanisms and facilitating further data theft.
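The injection described above leaves a trace that endpoint telemetry can catch: a non-browser process creating a remote thread in a browser it has itself just spawned. The following detection logic is an added example written for this article, not Kaspersky's code or anything from the Arkanix project. It assumes Sysmon-style events (Event ID 1 process creation with Image/ParentImage, Event ID 8 CreateRemoteThread with SourceImage/TargetImage); the event records are constructed for illustration.

```python
"""Detection logic for remote-thread injection into browser processes.

Added example, not Kaspersky's or the Arkanix project's code. It assumes
Sysmon-style telemetry: Event ID 1 (process creation) and Event ID 8
(CreateRemoteThread) with SourceImage/TargetImage fields. The records in
SAMPLE_EVENTS are constructed, not real telemetry.
"""

# Browser executables whose memory holds decrypted cookies and tokens.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Constructed sample events: one suspicious launch-then-inject sequence,
# followed by a benign browser spawning and threading into its own child.
SAMPLE_EVENTS = [
    {"EventId": 1, "ProcessId": 4120,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentProcessId": 5532,
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\updater.exe"},
    {"EventId": 8, "SourceProcessId": 5532,
     "SourceImage": r"C:\Users\user\AppData\Local\Temp\updater.exe",
     "TargetProcessId": 4120,
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventId": 1, "ProcessId": 7001,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentProcessId": 6000, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventId": 8, "SourceProcessId": 7001,
     "SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetProcessId": 7002,
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_browser_injections(events):
    """Return one alert per CreateRemoteThread event whose target is a
    browser and whose source is not. Each alert records whether the
    injecting process also spawned the target, which is the signature of
    launching a browser suspended and injecting before it runs."""
    spawned_by = {e["ProcessId"]: e["ParentProcessId"]
                  for e in events if e["EventId"] == 1}
    alerts = []
    for e in events:
        if e["EventId"] != 8:
            continue
        if _basename(e["TargetImage"]) not in BROWSERS:
            continue
        if _basename(e["SourceImage"]) in BROWSERS:
            continue  # browsers legitimately thread into their own children
        alerts.append({
            "source": e["SourceImage"],
            "target_pid": e["TargetProcessId"],
            "source_spawned_target":
                spawned_by.get(e["TargetProcessId"]) == e["SourceProcessId"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_browser_injections(SAMPLE_EVENTS):
        print(alert)
```

Sysmon does not record the CREATE_SUSPENDED flag itself, so the parent-child correlation in `source_spawned_target` stands in for it; an alert where that field is true and the source lives in a user-writable directory is the case worth escalating first.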
Purpose and Implications
The actual intent behind the Arkanix Stealer project remains uncertain. It may reflect an effort to explore how AI aids in malware development and feature rollout. Kaspersky researchers categorize the Arkanix operation as closer to a “public software product” than a traditional malicious tool.
To assist in tracking, Kaspersky has provided a comprehensive list of indicators of compromise (IoCs), which includes file hashes and associated domains and IP addresses.
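A published IoC list of this shape (file hashes, domains, IP addresses) is most useful when it is run against local telemetry rather than read. The script below is an added example, not Kaspersky's code and not the real Arkanix indicator list: it sorts indicator lines by type and matches them against DNS queries, outbound connections and file hashes. All indicator values and log entries are constructed placeholders, to be replaced with the published list before use.

```python
"""IoC matching against local telemetry.

Added example, not Kaspersky's code or the real Arkanix IoC list. The
indicator values and log entries below are constructed placeholders.
"""
import ipaddress
import re

# MD5, SHA-1 or SHA-256 hex digests.
HEX_HASH = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")


def parse_iocs(lines):
    """Sort indicator lines (one per line, '#' comments allowed) into
    hashes, IP addresses and domains."""
    iocs = {"hash": set(), "ip": set(), "domain": set()}
    for raw in lines:
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if HEX_HASH.match(line):
            iocs["hash"].add(line)
            continue
        try:
            ipaddress.ip_address(line)
            iocs["ip"].add(line)
            continue
        except ValueError:
            pass
        iocs["domain"].add(line.rstrip("."))
    return iocs


def domain_matches(name, domains):
    """True if name equals an indicator domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def match_iocs(iocs, dns_queries, connections, file_hashes):
    """Return (kind, indicator, where) tuples for every hit.

    dns_queries: (host, queried_name); connections: (host, remote_ip);
    file_hashes: (path, hex_digest)."""
    hits = []
    for host, name in dns_queries:
        if domain_matches(name, iocs["domain"]):
            hits.append(("domain", name, host))
    for host, ip in connections:
        if ip in iocs["ip"]:
            hits.append(("ip", ip, host))
    for path, digest in file_hashes:
        if digest.lower() in iocs["hash"]:
            hits.append(("hash", digest.lower(), path))
    return hits


# Constructed placeholders, not the published Arkanix indicators.
SAMPLE_IOCS = [
    "# file hashes",
    "0" * 64,
    "# network",
    "c2-placeholder.example",
    "203.0.113.10",
]
SAMPLE_DNS = [("host-a", "api.c2-placeholder.example"),
              ("host-a", "updates.example.org")]
SAMPLE_CONNS = [("host-b", "203.0.113.10"), ("host-b", "198.51.100.5")]
SAMPLE_FILES = [(r"C:\Users\user\Downloads\setup.exe", "0" * 64)]

if __name__ == "__main__":
    for hit in match_iocs(parse_iocs(SAMPLE_IOCS), SAMPLE_DNS,
                          SAMPLE_CONNS, SAMPLE_FILES):
        print(hit)
```

Matching subdomains of an indicator domain catches the usual per-victim or per-campaign hostnames in front of one registered domain; hash matching, by contrast, is exact and only finds the sample that was analysed, so a miss there says nothing about a repacked build.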