BlackFog A.I CyberSecurity Scoring
Company Information
Website: https://www.blackfog.com
Employees: 29
Followers: 4,241
NAICS: 5112
Industry Type: Software Development
BlackFog Risk Score (AI oriented)
Updated: 12/06/2026
Current score: 100/1000, grade C (Critical; band 0 to 549)
BlackFog Global Score (TPRM): score locked
Incidents in the scoring window: 5, average score impact per incident: -198
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
Score history: June 2026: 100; May 2026: 100
Cyber Attack, 30 May 2026, BlackFog. Score after incident: 100 (Critical), score impact 0, incident ID BLA1781281519.
Source: "Blackfog: Hackers Use OnyxC2 Malware-as-a-Service to Steal Credentials From 210 Applications"
OnyxC2: A Sophisticated Credential-Stealing Malware-as-a-Service Emerges
A new credential-stealing malware called OnyxC2 has surfaced in the cybercrime underground, offering low-skilled attackers a turnkey solution for large-scale data theft. Sold as a $250/month subscription, the malware provides a full suite of tools to harvest login credentials, two-factor authentication (2FA) codes, crypto wallet data, and more, targeting over 210 applications and browser extensions in a single attack.
### Key Features & Capabilities
OnyxC2 is marketed like legitimate software, complete with a web dashboard, a payload builder, and a refund guarantee if a build is detected. The malware is written in C++ with assembly-level evasion techniques, and each build is mutated so that it does not match existing antivirus signatures. Blackfog researchers confirmed its effectiveness: two sample builds submitted to VirusTotal returned zero detections on initial upload, and one remained undetected as of May 30, 2026.
The toolkit includes:
- Credential theft from 37 Chromium-based browsers, 8 Gecko-based browsers, and 109 browser extensions (including six 2FA extensions).
- Data extraction from 5 password managers, 17 crypto wallets, 11 FTP clients, and 5 email clients.
- Remote access tools, including HVNC (hidden virtual network computing), keylogging, screenshot capture, and file management.
- Reverse SOCKS5 proxy and Tor tunneling for anonymous traffic routing.
A single infected machine in Blackfog’s tests yielded 55 passwords, 4,717 cookies, 719 autofill entries, credit card details, and a crypto wallet: enough to compromise banking, business, and cloud accounts in one breach.
### Delivery & Evasion Tactics
OnyxC2 spreads via fake installers disguised as legitimate software (e.g., Fling-Standalone, FinePrint, SystemSettings) or as fake Windows updates. The archives are password-protected so that automated scanners cannot inspect their contents. Inside, the attackers use DLL sideloading: a legitimately signed executable is paired with a malicious DLL that mimics an NVIDIA graphics library. The DLL is padded to more than 120 MB so that it exceeds the file-size limits of many antivirus scanners, and the payload is decrypted only at runtime, so the file on disk never contains the plaintext payload.
### Infrastructure & Indicators of Compromise
Blackfog identified the following command-and-control (C2) infrastructure:
- Domain: `akmuniverstall[.]top` (13/94 detections on VirusTotal)
- C2 Endpoint: `/backend/api/app.php`
- Cloudflare Fronting IPs: `104.18.20.213`, `104.21.46.39`, `172.67.223.39`
- Malicious Samples:
- Signed sideload host: `41999a3d0da035ff8068905c90235ea50121329cb0661e38d745974ebf5e3ae2` (0/71 detections)
- Malicious DLLs: `78945c844fc23dd3446cf17987edeeb6cc21986820c92df82a126af24a5a38d1`, `d89bb4b23a67814ef511e4e9dda7ad36fa519a322fa7c25ea451c7dd7ef61e54`
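As an added example (not code from the BlackFog report), the script below applies the indicators listed above to constructed endpoint and network telemetry, and adds a behavioural check for the sideloading shape described in the Delivery section: a signed process loading an unusually large DLL that sits beside it in a user-writable directory. The domain, C2 path and DLL hashes are the ones published above; every event record, host name, file path, the `vendorlib.dll` name and the 100 MB threshold are assumptions made for the example.

```python
# Added example (not code from the BlackFog report): apply the published OnyxC2
# indicators to constructed telemetry, plus a behavioural check for the bloated-DLL
# sideloading pattern described above.  Hashes and domain are the report's; every
# event record, host name, path and threshold below is constructed for the example.
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Indicators as published (defanged).
IOC_DOMAINS = {"akmuniverstall[.]top"}
IOC_C2_PATH = "/backend/api/app.php"
IOC_DLL_SHA256 = {
    "78945c844fc23dd3446cf17987edeeb6cc21986820c92df82a126af24a5a38d1",
    "d89bb4b23a67814ef511e4e9dda7ad36fa519a322fa7c25ea451c7dd7ef61e54",
}
# The signed sideload host is a legitimate binary (0/71 detections): kept for
# correlation in the sample data, deliberately not used as a block indicator.
SIDELOAD_HOST_SHA256 = "41999a3d0da035ff8068905c90235ea50121329cb0661e38d745974ebf5e3ae2"


def refang(indicator: str) -> str:
    """Undo the usual defanging ('[.]', 'hxxp') so an indicator can be compared with logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


C2_DOMAINS = {refang(d) for d in IOC_DOMAINS}


@dataclass
class Event:
    kind: str              # "dns", "http", "file" or "imageload"
    host: str
    fields: dict = field(default_factory=dict)


def match_iocs(events: Iterable[Event]) -> List[str]:
    """Exact matches against the published domain, C2 path and DLL hashes."""
    hits = []
    for ev in events:
        f = ev.fields
        if ev.kind == "dns" and refang(f["query"]).rstrip(".") in C2_DOMAINS:
            hits.append(f"{ev.host}: DNS query for C2 domain {f['query']}")
        elif ev.kind == "http":
            host = refang(f["http_host"])
            if host in C2_DOMAINS and f.get("path", "").startswith(IOC_C2_PATH):
                hits.append(f"{ev.host}: HTTP request to C2 endpoint {host}{f['path']}")
        elif ev.kind == "file" and f["sha256"].lower() in IOC_DLL_SHA256:
            hits.append(f"{ev.host}: known malicious DLL written at {f['path']}")
    return hits


# Assumed alert threshold: the samples were padded beyond 120 MB; 100 MB catches
# them while leaving ordinary DLLs (a few MB) alone.
LARGE_DLL_BYTES = 100 * 1024 * 1024
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)


def suspicious_sideloads(events: Iterable[Event]) -> List[str]:
    """Behavioural check: a signed process loads an unusually large DLL that sits
    next to it in a user-writable directory, which is the sideloading shape described
    in the report.  'process_signed' is assumed to come from the EDR's signer field."""
    out = []
    for ev in events:
        if ev.kind != "imageload":
            continue
        f = ev.fields
        image, proc = f["image"], f["process_path"]
        same_dir = image.rsplit("\\", 1)[0].lower() == proc.rsplit("\\", 1)[0].lower()
        if (image.lower().endswith(".dll") and f["size"] >= LARGE_DLL_BYTES
                and USER_WRITABLE.match(image) and f.get("process_signed") and same_dir):
            out.append(f"{ev.host}: signed {proc} loaded {f['size'] // 2**20} MB DLL {image} "
                       "from its own user-writable directory")
    return out


# Constructed telemetry; 'vendorlib.dll' is a placeholder, the report does not name the DLL.
DL = r"C:\Users\a.smith\Downloads\FinePrint"
SAMPLE_EVENTS = [
    Event("dns", "ws-017", {"query": "akmuniverstall.top."}),
    Event("http", "ws-017", {"http_host": "AKMUNIVERSTALL.TOP", "path": "/backend/api/app.php?id=1"}),
    Event("http", "ws-017", {"http_host": "www.nvidia.com", "path": "/Download/index.aspx"}),
    Event("file", "ws-017", {"path": DL + r"\vendorlib.dll",
                             "sha256": "78945C844FC23DD3446CF17987EDEEB6CC21986820C92DF82A126AF24A5A38D1"}),
    Event("file", "ws-017", {"path": DL + r"\setup.exe", "sha256": SIDELOAD_HOST_SHA256}),
    Event("imageload", "ws-017", {"process_path": DL + r"\setup.exe", "process_signed": True,
                                  "image": DL + r"\vendorlib.dll", "size": 126 * 2**20}),
    Event("imageload", "ws-017", {"process_path": r"C:\Windows\System32\svchost.exe",
                                  "process_signed": True,
                                  "image": r"C:\Windows\System32\ntdll.dll", "size": 2 * 2**20}),
]

if __name__ == "__main__":
    for line in match_iocs(SAMPLE_EVENTS) + suspicious_sideloads(SAMPLE_EVENTS):
        print(line)
```

Run as-is it reports the DNS hit, the HTTP hit to the C2 path and the known DLL hash, plus one sideload alert for the 126 MB DLL; the `ntdll.dll` load is ignored because it is small and under `C:\Windows`. The behavioural rule is the part that survives a rebuilt payload with fresh hashes and a new domain; the exact-match rule is cheap but only catches the builds BlackFog already saw.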
The malware’s stealth and scalability make it a significant threat, particularly for organizations relying on password managers, 2FA, and cloud services. Two practical notes on the indicators above: the sideload host is a legitimately signed binary, which is why it shows 0/71 detections, so hash-blocking it achieves little and detection should key on the DLL hashes, the C2 domain and the sideloading behaviour itself; and the three IP addresses are Cloudflare edge addresses shared with many unrelated sites, so blocking should be done on the domain and URL path rather than on the IPs. Blackfog’s findings underscore the growing accessibility of high-impact cybercrime tools in the underground market.
Score history: April 2026: 255
Ransomware, 20 Apr 2026, BlackFog. Score after incident: 100 (Critical), score impact -155, incident ID BLA1776710176.
Source: "BlackFog: Today Ransomware evolution neutralizes current incident response strategies"
Ransomware Evolution Outpaces Incident Response, Fueled by AI and Multi-Stage Extortion
Ransomware has rapidly evolved from simple file encryption to a multi-layered threat, overwhelming traditional defense and response strategies. Early attacks involved encrypting data and demanding payment for decryption keys, but cybercriminals have since adopted increasingly aggressive tactics.
The shift began with double extortion, where attackers not only encrypted data but also stole it, threatening to leak sensitive information if ransoms went unpaid. This escalated to triple extortion, adding pressure through DDoS attacks, direct harassment of customers or partners, or other coercive measures. Now, a recent BlackFog study warns that ransomware has entered a more dangerous phase, one where the speed, scale, and complexity of attacks are outpacing incident response teams.
A key driver of this evolution is artificial intelligence. Cybercriminals are leveraging AI to automate reconnaissance, identify vulnerabilities faster, and execute highly targeted attacks with minimal effort. As BlackFog CEO Darren Williams notes, AI is expected to further accelerate attack sophistication, reducing the window for defenders to react and rendering traditional reactive strategies less effective.
The limitations of current incident response are stark. While teams focus on restoring systems and ensuring business continuity, they often fail to address data exfiltration, a critical component of modern ransomware. Even if operations resume, stolen data remains in attackers’ hands, exposing organizations to prolonged risks, including regulatory penalties, reputational damage, and ongoing extortion threats. Many businesses, facing the prospect of public leaks, feel compelled to pay ransoms, perpetuating the cycle of attacks.
Cyber insurance has emerged as a financial safety net, but it is an imperfect solution. Policies often come with strict conditions, limited coverage, and rising premiums, offering little in the way of prevention. The growing threat landscape underscores the need for a proactive defense strategy, particularly one that prioritizes preventing data exfiltration before attacks occur. Without this shift, organizations remain vulnerable to the next generation of ransomware.
Score history: March 2026: 236; February 2026: 461
Ransomware, 27 Feb 2026, BlackFog. Score after incident: 232 (Critical), score impact -229, incident ID MICBLA1772238300.
Source: "Microsoft and BlackFog: Double whammy: Steaelite RAT bundles data theft, ransomware"
New "Steaelite" RAT Emerges as a Potent Threat for Double Extortion Attacks
In November 2025, cybersecurity researchers at BlackFog uncovered Steaelite, a sophisticated remote access trojan (RAT) being sold on cybercrime forums. Marketed as "fully undetectable" and the "best Windows RAT," the malware targets Windows 10 and 11 systems, with an Android module reportedly in development.
Steaelite operates via a browser-based dashboard and automates data theft the moment a victim connects, before the attacker has interacted with the system at all. It harvests browser-stored passwords, session cookies, and application tokens immediately upon infection. The tool’s interface includes three main sections:
- Primary Toolbar: Enables remote code execution, file management, live surveillance (webcam/microphone access), process manipulation, clipboard monitoring, password recovery, and DDoS attacks, among other functions.
- Advanced Tools: Provides ransomware deployment, hidden RDP access, Windows Defender disabling, and persistence mechanisms.
- Developer Tools: Adds keylogging, client-to-victim chat, USB spreading, cryptocurrency wallet hijacking (via clipboard manipulation), and tools to remove competing malware.
A standout feature is its clipper module, which silently replaces cryptocurrency wallet addresses in the clipboard with attacker-controlled ones, so that a victim who copies a legitimate address and pastes it into a transaction sends funds to the attacker without noticing. The malware also streamlines double extortion attacks by combining data theft and ransomware deployment in a single interface, eliminating the need for separate tools or coordination between cybercriminal groups.
Steaelite’s active promotion across forums (87 messages at the time of reporting) and a YouTube demonstration video suggest aggressive marketing to expand its buyer base. Once the Android version launches, a single license could compromise both corporate Windows machines and employees’ mobile devices, amplifying its threat potential. The tool’s automation and integrated capabilities lower the barrier to entry for attackers, making it a significant risk for organizations.
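The clipper behaviour described above has a recognisable signature on the endpoint: an address-shaped clipboard value is overwritten by a different address of the same family within milliseconds, with no copy action from the user. The following is an added example (not code from the Microsoft or BlackFog reports) of the decision logic a clipboard monitor would apply to such a stream. The event records, the synthetic addresses, the 500 ms window and the assumption that an EDR can tell an explicit user copy from a programmatic clipboard write are all constructed for the example; the address patterns are shape-only and do no checksum validation.

```python
# Added example (not from the BlackFog/Microsoft report): decision logic for
# spotting a crypto clipper from a stream of clipboard-change events.
# All events, addresses and the timing window below are constructed for the demo.
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape-only patterns (no checksum check): Ethereum hex addresses and Bitcoin
# bech32 addresses.  Assumption: two families are enough to show the technique.
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
}


def address_family(text: str) -> Optional[str]:
    """Return which address family `text` looks like, or None if it is not an address."""
    t = text.strip()
    for name, pat in ADDRESS_PATTERNS.items():
        if pat.match(t):
            return name
    return None


@dataclass
class ClipEvent:
    t_ms: int          # time at which the clipboard content changed
    content: str
    user_copy: bool    # True if an explicit copy action by the user was observed


SWAP_WINDOW_MS = 500   # assumption: a clipper rewrites far faster than a human re-copies


def detect_clipper(events: List[ClipEvent], window_ms: int = SWAP_WINDOW_MS) -> List[dict]:
    """Flag each clipboard change where one address is replaced by a *different* address
    of the same family, within `window_ms`, with no user copy action behind the change."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        fam_prev, fam_cur = address_family(prev.content), address_family(cur.content)
        if (fam_prev is not None and fam_prev == fam_cur
                and prev.content.strip() != cur.content.strip()
                and not cur.user_copy
                and 0 <= cur.t_ms - prev.t_ms <= window_ms):
            alerts.append({"t_ms": cur.t_ms, "family": fam_cur,
                           "original": prev.content.strip(),
                           "replacement": cur.content.strip()})
    return alerts


# Constructed clipboard timeline; the addresses are synthetic, not real wallets.
VICTIM_ETH = "0x" + "a1" * 20
ATTACKER_ETH = "0x" + "b2" * 20
VICTIM_BTC = "bc1q" + "q" * 38
SAMPLE_EVENTS = [
    ClipEvent(1000, "meeting notes", True),
    ClipEvent(5000, VICTIM_ETH, True),        # user copies the intended address
    ClipEvent(5040, ATTACKER_ETH, False),     # overwritten 40 ms later, no copy action: clipper
    ClipEvent(9000, VICTIM_BTC, True),
    ClipEvent(9800, VICTIM_BTC, False),       # same content re-set by some app: benign
    ClipEvent(12000, ATTACKER_ETH, True),     # user copies a different address much later: benign
]

if __name__ == "__main__":
    for a in detect_clipper(SAMPLE_EVENTS):
        print(f"[{a['t_ms']} ms] {a['family']} address swapped: {a['original']} -> {a['replacement']}")
```

Only the 5040 ms event fires: same family, different value, no user copy, inside the window. The rule deliberately ignores a re-set of identical content and a deliberate later copy of a different address. A clipper that swaps only at paste time, or waits longer than the window, slips past this check, which is why a production monitor would pair it with the process that performed the clipboard write.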
Score history: January 2026: 454; December 2025: 648
Ransomware, 01 Dec 2025, BlackFog. Score after incident: 438 (Critical), score impact -210, incident ID BLA1767018725.
Source: "Kido International: Top Ransomware Attacks of 2025: Major incidents, impacts & rising Cyber Threats Globally"
Ransomware Surge in 2025: A Year of Escalating Threats and High-Profile Attacks
2025 marked a sharp escalation in ransomware activity, with cybercriminals deploying increasingly sophisticated tactics to disrupt critical services and extract massive ransoms. Global attacks surged by 34% compared to the previous year, with nearly half targeting essential sectors like energy, transportation, and manufacturing—industries where operational downtime carries severe consequences.
One of the most alarming incidents involved Kido International, a UK-based early childhood education provider. In September 2025, attackers stole sensitive data on 8,000 children and staff, including names, photos, and contact details. The breach prompted intervention from the UK’s National Cyber Security Centre (NCSC) and led to arrests linked to the attack.
Critical infrastructure faced relentless pressure. In December 2025, Romania’s national water management authority suffered a ransomware strike that encrypted 1,000 computers using Microsoft BitLocker, forcing manual operations to maintain water supply. The attack highlighted vulnerabilities in administrative systems, even when core services remain functional.
The Qilin ransomware group emerged as a dominant threat, orchestrating multi-sector attacks across Europe. Targets included educational institutions, financial firms, and regional infrastructure, with some breaches exfiltrating over a terabyte of data. The group’s advanced tactics underscored the growing sophistication of ransomware operations.
Commercial and industrial sectors were not spared. Major breaches in finance, healthcare, and entertainment exposed millions of user accounts, with ransom demands reaching tens of millions of dollars in some cases. Attackers frequently employed double or multi-extortion, encrypting systems while stealing data to maximize leverage.
The proliferation of ransomware strains—including Qilin, Akira, and Cl0p—further complicated defenses. Many variants exploited unpatched vulnerabilities and weak remote access controls, particularly in industries with legacy systems or complex supply chains, such as manufacturing and healthcare.
The surge in 2025 was driven by AI-powered automation, which enabled faster targeting, alongside persistent security gaps in patch management and remote access. As ransomware continues to evolve, organizations face mounting pressure to harden defenses against an increasingly aggressive threat landscape.
Score history: November 2025: 648; October 2025: 646; September 2025: 644; August 2025: 642; July 2025: 640; June 2025: 750
Ransomware, 12 Jun 2025, BlackFog. Score after incident: 636 (Critical), score impact -114, incident ID BLA1767165685.
Source: "Fog ransomware victim financial institution: Fog ransomware attack on Asia financial org draws attention over use of employee monitoring software"
Unusual Fog Ransomware Attack on Asian Financial Institution Raises Espionage Concerns
A recent cyberattack on an Asian financial institution involving Fog ransomware has drawn attention from researchers due to its atypical tactics, including the use of legitimate employee monitoring software (Syteca) and open-source penetration testing tools—methods rarely seen in ransomware operations.
Symantec researchers reported that the attackers deployed GC2, a tool leveraging Google Sheets, Microsoft SharePoint, and cloud storage for command execution and data exfiltration. While GC2 was previously used by Chinese state-backed group APT41 in 2023, its appearance in a ransomware attack marks a first. The attackers also established persistence after deploying ransomware—a departure from typical ransomware behavior, where intruders exit the network post-encryption.
The attack, which occurred in May 2025, ran for two weeks before the ransomware was deployed. Researchers noted that two Microsoft Exchange servers were among the infected machines; Exchange is a common entry point because of unpatched vulnerabilities, although the initial intrusion vector in this case remains unclear. The use of Syteca, a tool designed for employee monitoring, suggests a possible espionage motive, with the ransomware serving as a decoy.
Fog ransomware, first detected in May 2024, initially targeted U.S. educational institutions, including a high-profile attack on the University of Oklahoma. The group behind it gained notoriety in April 2025 for Elon Musk-themed lures and ransom notes referencing the Department of Government Efficiency (DOGE).
The incident aligns with a broader trend of Chinese state-backed actors using ransomware as cover for espionage, as seen in past attacks across Asia and Oceania, including a 2023 breach of Palau’s government. Symantec has not attributed the attack to a specific threat actor but highlights the unusual persistence and tooling as red flags for potential dual motives—financial gain and intelligence gathering.