
Researchers have uncovered a new malware‑as‑a‑service platform called OnyxC2 that steals data from more than 210 applications by exploiting DLL sideloading, with rental prices starting at $250 per month according to SecurityAffairs.
The service relies on DLL side‑loading: a legitimate, digitally signed executable is made to load a malicious DLL placed where the library search order finds it first, so the payload runs inside a trusted process, inherits that process's signature and reputation, and slips past scanners and allow‑listing rules that inspect only the executable rather than the libraries it loads.
Once inside a host, OnyxC2 can harvest credentials from browsers, email clients, password managers and cryptocurrency wallets, and it provides remote access functions such as keylogging, screen capture and session hijacking, all tunnelled through Tor to obscure its traffic.
BlackFog researchers who analysed the stealer noted that it uses encrypted payloads and offers a service guarantee promising undetected delivery, while developers also provide pre‑made lure installers to simplify distribution as detailed in their report.
The service is offered on a cybercrime network with tiered pricing that mirrors legitimate software, ranging from basic access to full source code purchases as reported by SecurityWeek.
Defenders should watch for trusted, signed executables loading DLLs from unexpected locations (a user‑writable directory such as %APPDATA%, %TEMP% or ProgramData, or a DLL carrying a system library's name that resolves from outside System32), enforce application control policies that only allow signed libraries from known vendors (checking the DLL's own signer, since the host executable in a side‑loading attack is legitimately signed), and deploy behavioural analytics that flag code running from, or injected into, legitimate processes.
Additionally, keeping endpoint software up to date, running users without administrative rights so that a side‑loaded payload inherits only limited privileges, blocking the execution of unsigned files through the same application control policy, and educating staff about the dangers of unofficial installers will reduce the chance of infection.
Security teams are advised to block known command‑and‑control domains associated with the OnyxC2 infrastructure and to share indicators of compromise with trusted information sharing groups to help protect the wider community.