Arkanix Stealer Emerges as AI-Assisted Infostealer Experiment Targeting Credentials and Wallets

What happened

Security researchers at Kaspersky analyzed a malware operation called Arkanix Stealer, promoted on dark web forums in late 2025, which appears to have been developed using large language model assistance and operated as a malware-as-a-service offering. The malware included a control panel, Discord community, and modular architecture capable of stealing browser credentials, cryptocurrency wallet data, VPN credentials, Telegram and Discord accounts, and files from infected systems. The stealer offered both Python-based and C++ variants with advanced features such as anti-analysis protections, wallet injection, RDP credential theft, and tools designed to bypass browser encryption protections. The project was shut down by its developer approximately two months after launch, suggesting it was a short-lived experiment in AI-assisted malware development. 

Who is affected

Users and organizations whose systems were infected with Arkanix Stealer, particularly those using browsers, cryptocurrency wallets, VPN services, or communication platforms such as Telegram and Discord, are affected, as the malware targets credentials and sensitive data stored on compromised systems. 

Why CISOs should care

The malware demonstrates how AI-assisted development can accelerate the creation and deployment of credential-stealing tools, enabling rapid experimentation and distribution of infostealers targeting enterprise and personal systems. 

3 practical actions

  • Monitor endpoints for credential theft indicators. Detect unauthorized access to browser, VPN, and cryptocurrency wallet data. 
  • Block known malware infrastructure. Use indicators of compromise including domains, hashes, and IP addresses linked to Arkanix operations. 
  • Audit systems for persistence and data exfiltration activity. Identify suspicious processes, file archiving, or credential harvesting behavior.
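As an added defensive example (not from the article or Kaspersky's report), the detection logic below prototypes the first and third actions over constructed endpoint file-access telemetry: it flags reads of browser credential stores, wallet files and Telegram/Discord session data by processes other than their assumed owners, then flags an archive write by the same process as likely exfiltration staging. The event format, process allowlists and path patterns are assumptions for illustration.

```python
import json
import re

# Artifact classes Arkanix-style stealers go after; path patterns are illustrative assumptions.
SENSITIVE = {
    "browser_credentials": re.compile(r"\\(Login Data|Local State|logins\.json)$", re.I),
    "crypto_wallet": re.compile(r"\\(Exodus|Electrum|wallet\.dat)", re.I),
    "telegram_session": re.compile(r"\\Telegram Desktop\\tdata\\", re.I),
    "discord_token": re.compile(r"\\discord\\Local Storage\\leveldb\\", re.I),
}
# Processes expected to read each class; anything else is suspicious (assumed allowlist).
EXPECTED = {
    "browser_credentials": {"chrome.exe", "msedge.exe", "firefox.exe"},
    "crypto_wallet": {"exodus.exe", "electrum.exe"},
    "telegram_session": {"telegram.exe"},
    "discord_token": {"discord.exe"},
}
ARCHIVE_EXT = (".zip", ".7z", ".rar")  # stealers commonly archive loot before sending it out

def classify(path):
    """Map a file path to a sensitive-artifact class, or None if it is not one we track."""
    return next((label for label, rx in SENSITIVE.items() if rx.search(path)), None)

def detect(events):
    """Return alerts for sensitive reads by unexpected processes, and for archive writes
    by a (host, process) pair that already read sensitive data (exfiltration staging)."""
    alerts, tainted = [], set()
    for ev in events:
        proc, path = ev["process"].lower(), ev["path"]
        label = classify(path)
        if ev["action"] == "read" and label and proc not in EXPECTED[label]:
            alerts.append({"rule": f"unexpected_{label}_read", "process": proc, "path": path})
            tainted.add((ev["host"], proc))
        elif (ev["action"] == "write" and path.lower().endswith(ARCHIVE_EXT)
              and (ev["host"], proc) in tainted):
            alerts.append({"rule": "archive_staging_after_credential_read", "process": proc, "path": path})
    return alerts

# Constructed sample telemetry (JSON lines); these are not real Arkanix indicators.
SAMPLE_LOG = r"""
{"host":"ws01","process":"chrome.exe","action":"read","path":"C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"host":"ws01","process":"update.exe","action":"read","path":"C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"host":"ws01","process":"update.exe","action":"read","path":"C:\\Users\\a\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas"}
{"host":"ws01","process":"update.exe","action":"write","path":"C:\\Users\\a\\AppData\\Local\\Temp\\out.zip"}
{"host":"ws02","process":"7z.exe","action":"write","path":"D:\\backup\\docs.zip"}
"""

def run(log=SAMPLE_LOG):
    """Parse the JSON-lines telemetry and return the alert list."""
    return detect([json.loads(line) for line in log.strip().splitlines()])

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The browser reading its own credential store and an ordinary backup archive on another host produce no alerts; only the unknown process that reads credentials and then zips data does.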