ARKANIX Stealer operated as a malware-as-a-service one-shot campaign, with its developer first advertising the infostealer in October 2025 and likely ceasing operations in December 2025 when its control panel and Discord channel disappeared, according to Kaspersky.
Implemented in both C++ and Python, the malware exfiltrates system information, browser data, and files, and could harvest data from 22 browsers, including history, autofill information, passwords, cookies, and 0Auth2 data, as well as Telegram messages and Discord credentials. The MaaS offered a configurable control panel and a Chrome post-exploitation tool named ChromElevator, delivered via a native C++ version and capable of gathering cryptocurrency wallet data.
The Python variant was deployed via a script and could dynamically modify its configuration by making GET requests to a remote server. Kaspersky notes the campaign tended to be short-lived for quick financial gain, with the panel and Discord chat taken down around December 2025, leaving no traces of a resurgence.