ARKANIX Stealer is described as a C++ and Python infostealer that operated under a malware‑as‑a‑service model, providing affiliates with a control panel for configurable payloads and statistics, and a ChromElevator post‑exploitation tool delivered by the native stealer. It was first disclosed in October 2025, with forum posts advertising the Stealer and a Discord server serving as the primary communication channel between authors and users.
The package includes both a Python loader and a native C++ version, with the Python loader capable of downloading and executing the Python variant and dynamically updating its features via GET requests to the attackers’ endpoints. Infrastructure identified for the campaign included the domains arkanix[.]pw and arkanix[.]ru, used to host the stealer panel and related components, with the panel reportedly taken down around December 2025.
The authors promoted the malware through a Discord server and ran a referral programme offering a free hour of premium license to referrers and seven days of free premium access to invited customers, describing features such as wallet injections and increased payload generation. Kaspersky detects these threats under several names, including Trojan-PSW.Win64[.]Coins.* and Trojan.Python[.]Agent.*, treating claims about features and operations as part of the threat’s described capabilities.