Deep Dive into Arkanix Stealer and its Infrastructure

    Date: 01/06/2026

    Severity: Medium

    Summary

    Arkanix Stealer is an actively developed credential-stealing malware promoted mainly on Discord, where its operators advertise frequent updates and new features. Originally written in Python, the malware has evolved to include a C++ “Premium” version with expanded theft capabilities such as VPN and Steam accounts, screenshots, and Wi-Fi credentials. Both variants are distributed through Discord and online forums under the guise of legitimate tools, while VMProtect obfuscation is used to evade analysis and detection.

    Indicators of Compromise (IOC) List

    URLs/Domains

    https://arkanix.pw/api/upload/direct

    IP Addresses

    195.246.231.60

    93.95.226.152

    Hashes (SHA-256)

    6960d27fea1f5b28565cd240977b531cc8a195188fc81fa24c924da4f59a1389

    99b8d3e04f6b16f3b79391360602ca28651c78a0db2f3868fec11eca71727a3d

    Filenames

    %temp%\cl_frAQBc8W.exe

    %temp%\stealer_debug.txt

    %temp%\stealer_log.txt

    %temp%\upload_debug.txt

    %temp%\signature_debug.txt

    %temp%\stealer_final.txt

    %temp%\arkanix_data.zip

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://arkanix.pw/api/upload/direct" or siteurl like "https://arkanix.pw/api/upload/direct" or url like "https://arkanix.pw/api/upload/direct"

    Detection Query 2:

    dstipaddress IN ("195.246.231.60","93.95.226.152") or srcipaddress IN ("195.246.231.60","93.95.226.152")

    Detection Query 3:

    sha256hash IN ("99b8d3e04f6b16f3b79391360602ca28651c78a0db2f3868fec11eca71727a3d","6960d27fea1f5b28565cd240977b531cc8a195188fc81fa24c924da4f59a1389")

    Detection Query 4:

    resourcename = "Windows Security" AND eventtype = "4663" AND objectname IN ("%temp%\cl_frAQBc8W.exe","%temp%\stealer_debug.txt","%temp%\stealer_log.txt","%temp%\upload_debug.txt","%temp%\signature_debug.txt","%temp%\stealer_final.txt","%temp%\arkanix_data.zip")

    Detection Query 5:

    technologygroup = "EDR" AND objectname IN ("%temp%\cl_frAQBc8W.exe","%temp%\stealer_debug.txt","%temp%\stealer_log.txt","%temp%\upload_debug.txt","%temp%\signature_debug.txt","%temp%\stealer_final.txt","%temp%\arkanix_data.zip")
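    As an added example (not part of this advisory and not a Gurucul query), the following Python script applies the same IOCs to raw log lines outside the TDIR platform. One caveat it handles: Windows 4663 events and most EDR telemetry record the expanded path (for example C:\Users\<user>\AppData\Local\Temp\...), not the literal "%temp%", so the script matches on the file name under any Temp directory and accepts either form. The sample log lines are constructed for illustration.

```python
import re
from typing import Dict, List

# IOCs taken from the advisory above.
IOC_URL = "https://arkanix.pw/api/upload/direct"
IOC_IPS = {"195.246.231.60", "93.95.226.152"}
IOC_SHA256 = {
    "6960d27fea1f5b28565cd240977b531cc8a195188fc81fa24c924da4f59a1389",
    "99b8d3e04f6b16f3b79391360602ca28651c78a0db2f3868fec11eca71727a3d",
}
# Base names only: logs carry the expanded temp path, not the literal "%temp%".
IOC_FILENAMES = {
    "cl_frAQBc8W.exe", "stealer_debug.txt", "stealer_log.txt", "upload_debug.txt",
    "signature_debug.txt", "stealer_final.txt", "arkanix_data.zip",
}
IOC_FILENAMES_LC = {f.lower() for f in IOC_FILENAMES}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# "%temp%\name" or "...\Temp\name" (either slash style), case-insensitive.
TEMP_FILE_RE = re.compile(r'(?:%temp%|[\\/]temp)[\\/]([^\\/\s"]+)', re.IGNORECASE)


def match_line(line: str) -> List[str]:
    """Return the IOC hits found in one log line (empty list if clean)."""
    hits = []
    if IOC_URL.lower() in line.lower():
        hits.append("url:" + IOC_URL)
    hits += ["ip:" + ip for ip in IP_RE.findall(line) if ip in IOC_IPS]
    hits += ["sha256:" + h.lower() for h in SHA256_RE.findall(line) if h.lower() in IOC_SHA256]
    hits += ["file:" + n for n in TEMP_FILE_RE.findall(line) if n.lower() in IOC_FILENAMES_LC]
    return hits


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> hits for every line that matched at least one IOC."""
    return {i: match_line(line) for i, line in enumerate(lines) if match_line(line)}


# Constructed sample events (not real telemetry); the hash is deliberately upper-case.
SAMPLE_LOGS = [
    'EventID=4663 ObjectName="C:\\Users\\alice\\AppData\\Local\\Temp\\cl_frAQBc8W.exe" AccessMask=0x2',
    "proxy: POST https://arkanix.pw/api/upload/direct 200 bytes=48213",
    "fw: allow tcp 10.0.0.12:51022 -> 93.95.226.152:443",
    "edr: hash=99B8D3E04F6B16F3B79391360602CA28651C78A0DB2F3868FEC11ECA71727A3D path=C:\\Users\\bob\\Downloads\\tool.exe",
    'EventID=4663 ObjectName="C:\\Windows\\Temp\\legit_update.log" AccessMask=0x2',
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_LOGS).items():
        print(idx, found)
```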

    Reference:

    https://www.dexpose.io/deep-dive-into-arkanix-stealer-and-its-infrastructure/#Stealer_Capabilities_and_Functionality


    Tags: Malware, Stealer, Discord, Python
