Overview
- CyberArk exploited a cross-site scripting bug in StealC’s web panel to monitor active sessions and capture session cookies and operator fingerprints.
- The investigation centered on a customer called “YouTubeTA,” tied to about 390,000 stolen passwords and over 30 million cookies, many assessed as non-sensitive tracking data.
- Panel-derived indicators suggest a lone operator using an Apple M3 device with English and Russian settings in an Eastern European time zone, with a July 2025 VPN lapse revealing an IP at Ukrainian ISP TRK Cable TV.
- Researchers say StealC was pushed via cracked-software lures on YouTube using hijacked channels, with additional campaigns leveraging rogue Blender files and ClickFix-like CAPTCHA baits.
- CyberArk withheld technical details of the XSS but faulted the panel’s lack of basic cookie protections such as the HttpOnly flag (which keeps a cookie out of reach of page scripts, so an XSS cannot read it), arguing that MaaS code flaws can support attribution and law-enforcement investigations.
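The security-relevant point in the last bullet is that a session cookie issued without `HttpOnly` (and, ideally, `Secure` and `SameSite`) is readable by any script running in the page, so a single XSS is enough to lift it. The following is an added example, not code from CyberArk or from the StealC panel: a small auditor that parses `Set-Cookie` headers, reports which of those protections are missing, and emits a hardened header. The cookie name `PHPSESSID` and the response headers are constructed sample data, not values from the article.

```python
"""Audit Set-Cookie headers for the attributes that keep a session cookie out of
reach of injected script (HttpOnly), off plaintext HTTP (Secure), and off
cross-site requests (SameSite). Added example; sample data is constructed."""

# Constructed sample headers (assumed cookie name, not from the page).
WEAK_SET_COOKIE = "PHPSESSID=abc123; Path=/"
HARDENED_SET_COOKIE = "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"

# Constructed sample HTTP response header list, as a proxy or test harness would see it.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/; Max-Age=31536000"),
]


def parse_set_cookie(header: str):
    """Split a Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> list:
    """Return the protections missing from one Set-Cookie header, in a fixed order."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if attrs.get("httponly") is not True:
        findings.append("HttpOnly")  # readable via document.cookie by any script on the page
    if attrs.get("secure") is not True:
        findings.append("Secure")  # would also be sent over plaintext HTTP
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append("SameSite")  # absent or None: attached to cross-site requests
    return findings


def harden_set_cookie(header: str) -> str:
    """Rebuild the header with Secure, HttpOnly and SameSite=Strict, keeping other attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    kept = [parts[0]]  # the name=value pair
    for part in parts[1:]:
        key = part.partition("=")[0].strip().lower()
        if key not in ("httponly", "secure", "samesite"):
            kept.append(part)
    kept += ["Secure", "HttpOnly", "SameSite=Strict"]
    return "; ".join(kept)


def audit_response(headers) -> dict:
    """Scan (name, value) response headers and map each weak cookie to its findings."""
    report = {}
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie_name, _, _ = parse_set_cookie(value)
        findings = audit_set_cookie(value)
        if findings:
            report[cookie_name] = findings
    return report


if __name__ == "__main__":
    for name, missing in audit_response(SAMPLE_RESPONSE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
    print("hardened:", harden_set_cookie(WEAK_SET_COOKIE))
```

Run the script to see the two sample cookies flagged and the hardened form of the session cookie; `audit_response` is the piece a defender would drop into a proxy or CI check to catch a panel or application that still issues session cookies without these flags.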