securityaffairs.com 2/24/2026, 11:36:08 AM · via preferred

Arkanix info stealer harvested Telegram, VPN and browser data

Primary Source securelist.com

ARKANIX Stealer surfaced in late 2025 as a short-lived info-stealer promoted on dark web forums, likely created as an AI-assisted experiment and quickly abandoned. According to Kaspersky, ads for the malware-as-a-service (MaaS) offering described a control panel and configurable payloads, with a C++ build that embeds ChromElevator and a packed Python version that enables dynamic configuration.

The initial infection vector remains unclear, but the social-engineering, phishing-themed loaders suggest the stealer was likely spread through phishing. A Python loader installs the required packages, then downloads and runs the stealer; it registers the victim with its C2 and fetches the payload. The ads pointed to a Discord server used as the main communication channel. The operation appeared short-lived, and its affiliate program was later shut down.

The stealer collects extensive data, including system details, browser data, Telegram and Discord credentials, VPN data and selected user files. It encrypts the exfiltrated data and packages the results for transfer. Researchers noted that the campaign seemed more like a one-shot, AI-assisted development endeavour than a long-running operation.

Article by CyberSIXT