NEWS Cybercrime and Punishment: Ukrainian "Cybercrime Geniuses" Sell Themselves for Their Own Money


Malware developers themselves fell victim to a vulnerability they hadn't noticed in their own infrastructure. The case concerns the widespread infostealer StealC, a malware-as-a-service tool actively used to steal cookies, passwords, and other sensitive data. Despite the product's seemingly "professional" appearance—with a user-friendly control panel, campaign tracking system, and ostensible operational security—vulnerabilities in its web interface turned against its creators.

The transition to the second version of StealC in the spring of 2025 was marked by a series of setbacks. Almost immediately after the release, the source code for the control panel leaked, and the TRAC Labs team released a technical review aptly titled "Autopsy of a Failed Stealer." However, a more important episode escaped the headlines: a vulnerability in the panel allowed specialists to access the attackers' data, including system fingerprints, active sessions, stolen cookies, and the IP addresses from which the panel was accessed.

The XSS bug in the StealC panel was so simple that it allowed third parties to hijack the operators' panel sessions from other machines. Experts note the irony of the situation: the developers of a mass cookie-theft tool failed to ensure even basic protection for their own data, ignoring safeguards as elementary as the HttpOnly cookie flag.
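The failure described above is a session cookie that an injected script can read because it was issued without HttpOnly. The following is an added example, not code from the StealC panel or from the researchers, that audits a Set-Cookie header for the attributes limiting what an XSS payload can do with a session cookie; the cookie names and header values are constructed for illustration.

```javascript
// Parse a single Set-Cookie header value into its name/value pair and attributes.
// Attribute names are lower-cased so matching is case-insensitive, as browsers treat them.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Return the list of weaknesses in a session cookie's attributes.
// An empty list means the cookie cannot be read by page scripts, is not sent
// over plain HTTP, and is not attached to cross-site requests.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) {
    findings.push('missing HttpOnly: readable via document.cookie by an injected script');
  }
  if (!c.attrs.secure) {
    findings.push('missing Secure: transmitted over unencrypted HTTP');
  }
  const sameSite = String(c.attrs.samesite || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push('missing or weak SameSite: attached to cross-site requests');
  }
  return { name: c.name, findings };
}

// Constructed headers: a weak one of the kind the article describes, and a hardened equivalent.
// (The cookie name is a placeholder, not the panel's real cookie.)
const WEAK_HEADER = 'PANELSESSID=abc123; Path=/';
const HARDENED_HEADER = 'PANELSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Strict';
```

Running `auditSetCookie` over every Set-Cookie header a login response returns is a cheap check to add to a web application's test suite; the weak header above yields three findings and the hardened one none.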

An operator designated as YouTubeTA attracted particular attention from researchers. Its malicious campaigns were built using old YouTube accounts that had previously uploaded legitimate videos. Over time, these accounts began distributing malicious files disguised as cracked versions of Adobe software.