Researcher steals cookies from the cookie stealers: here’s what happened next


In a ‘Reverse Uno’ move, security researchers at CyberArk exploited a flaw in the backend of a cookie-stealing malware service and stole its operators’ own cookies to find out more about them.

“Criminal infrastructure often fails for the same reasons that it succeeds: it is rushed, reused, and poorly secured,” Ari Novick, a malware researcher at CyberArk Labs, writes in a blog that details how his team stole cookies from the cookie thieves.


Novick’s report details how, in the case of infostealer StealC, that thin line between the attacker and victim turned out to be “highly exploitable”.

StealC, which is sold as Malware-as-a-Service (MaaS) and is marketed to criminals who want to steal cookies, passwords, and other sensitive data from infected computers, has been operating since 2023 according to CyberArk.

Like many MaaS offerings, it comes with “a polished web panel, campaign tracking, and just enough operational security to appear professional.”

In spring 2025, StealC’s developers released a major update, but the source code of the new web panel leaked, and TRAC Labs followed with a technical analysis that questioned the malware’s “quality and maturity.”

While analysing the leaked panel code, however, CyberArk spotted an additional flaw, one that allowed its researchers to observe and interact with StealC operators.

Researchers then took the opportunity to collect system fingerprints, monitor active sessions, and of course, steal cookies from the very infrastructure designed to steal them.

The way in: simple XSS vulnerability

“It didn’t take much effort for us to find a simple XSS vulnerability in the panel,” said Novick, adding that CyberArk would not share the details “to avoid helping StealC developers patch the issue or enabling any would-be StealC copycats.”


Exploiting it let researchers identify “characteristics of the threat actor’s computers, including general location indicators and computer hardware details.”

More importantly, they could retrieve operators’ active session cookies, allowing them to hijack those panel sessions remotely.

CyberArk couldn’t resist pointing out the absurdity: given that StealC’s business is cookie theft, you might expect its operators to implement protections like “HttpOnly.”

Instead, “an operation built around large-scale cookie theft failed to protect its own session cookies from a textbook attack.”
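The HttpOnly point in concrete form, as an added example that is neither CyberArk’s nor StealC’s code: a small Node.js script that parses Set-Cookie headers, lists which cookies a script injected through XSS could read via document.cookie, and checks a session cookie for the protections a panel like this should have set. The cookie names, values and headers below are constructed for illustration; nothing about the real panel’s cookies is public.

```javascript
// Added example (not CyberArk's or StealC's code): why a missing HttpOnly flag
// turns a stored or reflected XSS into session theft. The Set-Cookie headers
// below are constructed; the real panel's cookie names/values are not public.

// Parse one Set-Cookie header into its name/value pair and an attribute map
// (attribute names lower-cased, flag attributes stored as `true`).
function parseSetCookie(header) {
  const [pair, ...rawAttrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const attrs = {};
  for (const attr of rawAttrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// Cookies without HttpOnly are visible to any script running in the page,
// which is exactly what an XSS payload reads from document.cookie and ships
// to an attacker-controlled endpoint. Returns the "name=value" pairs exposed.
function scriptReadableCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`);
}

// Checklist for a session cookie: HttpOnly blocks script access, Secure keeps
// it off plaintext HTTP, SameSite=Lax/Strict limits cross-site sends.
function missingProtections(header) {
  const { attrs } = parseSetCookie(header);
  const missing = [];
  if (!attrs.httponly) missing.push('HttpOnly');
  if (!attrs.secure) missing.push('Secure');
  const sameSite = String(attrs.samesite || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') missing.push('SameSite=Lax|Strict');
  return missing;
}

// Constructed headers: the first is the kind of session cookie an XSS can lift
// wholesale, the second is what the same panel should have emitted.
const WEAK_HEADER = 'panel_session=4f1c9e0d7a2b; Path=/';
const HARDENED_HEADER = 'panel_session=4f1c9e0d7a2b; Path=/; Secure; HttpOnly; SameSite=Strict';

// Simulates what document.cookie would expose after the browser stored the weak
// session cookie alongside a harmless preference cookie.
function demo() {
  const headers = [WEAK_HEADER, 'theme=dark; Path=/'];
  return {
    leakedByXss: scriptReadableCookies(headers),
    weakMissing: missingProtections(WEAK_HEADER),
    hardenedMissing: missingProtections(HARDENED_HEADER),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the weak header the session token appears in the script-readable list; with the hardened header the checklist comes back empty, and the same XSS would only be able to read cookies that were never sensitive in the first place.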

Hijacking YouTube accounts to spread malware

Once inside, CyberArk focused on a single StealC operator it named “YouTubeTA” (short for YouTube Threat Actor) after the operator’s campaign build IDs, which included “YouTube, YouTube2, and YouTubeNew”.

This wasn’t a small operation. YouTubeTA had over 5,000 stolen logs on their server, containing over 390,000 stolen passwords and more than 30 million stolen cookies.

According to CyberArk, the campaign naming suggested StealC was being distributed via YouTube.

Markers page from YouTubeTA’s StealC web panel. CyberArk.

YouTube is a handy platform for cybercriminals looking to take advantage of people trying to get their hands on free software.


People look up “Photoshop crack 2025” the same way as they might search for a tutorial, and YouTube’s format (videos and comments, etc.) can make it feel more trustworthy than a random download site.

Because StealC takes a screenshot when it runs and sends it to its server, CyberArk could see that the main targets were people looking for pirated versions of Adobe Photoshop and Adobe After Effects.

The researcher notes that the distribution channels look believable. Many had “several legitimate-looking videos posted a relatively long time ago,” “thousands of subscribers,” and then long gaps of inactivity before suddenly switching to pirated software.

In CyberArk’s view, “YouTubeTA was likely using StealC to take over old YouTube accounts, and reuse them to distribute malware, most probably via a clickfix page.”

Screenshot of likely clickfix page used to install StealC. CyberArk.

StealC’s panel also included markers to highlight credentials stolen from specific domains. In this threat actor’s case, “studio.youtube.com is given its own category,” which CyberArk says supports the idea that the actor was targeting creator accounts, likely to take over established channels and reuse them to distribute malware.

Identifying the operator and a VPN slip-up

According to CyberArk, several indicators suggest YouTubeTA was “a single threat actor” rather than a group.

“For one, the panel supports multiple users, but here we only see a single user: Admin.”

Hardware fingerprinting revealed that the screen dimensions never changed, and WebGL checks showed an “Apple Pro device with an M3 processor”.


Language settings were “English and Russian”, while timezone data showed “GMT+0300 (Eastern European Summer Time)”, narrowing the likely region.
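How indicators like these are gathered on the client side, as an added example rather than CyberArk’s tooling: the standard browser APIs behind the screen, WebGL, language and timezone values quoted above (the “GMT+0300 (Eastern European Summer Time)” string is the tail of JavaScript’s Date.prototype.toString() output), plus the same-machine check that the single-operator reasoning relies on. The environment is passed in so the script also runs under Node with a constructed stand-in; the resolution, renderer string, platform and timestamps below are assumed values for illustration, not data from the report.

```javascript
// Added example (not CyberArk's code): browser-side collection of the indicator
// categories the article lists. Every API used is a standard browser API; the
// environment and WebGL handle are injected so the same functions run in a
// browser (collectFingerprint(window, gl)) and in Node with a constructed env.

// Read the unmasked GPU renderer string, the WebGL check that exposes the
// hardware class (e.g. an Apple M-series chip). Returns null when the extension
// is unavailable, as it is in privacy-hardened browsers.
function readWebglRenderer(gl) {
  if (!gl) return null;
  const ext = gl.getExtension('WEBGL_debug_renderer_info');
  if (!ext) return null;
  return gl.getParameter(ext.UNMASKED_RENDERER_WEBGL);
}

// Date.prototype.toString() ends in e.g. "GMT+0300 (Eastern European Summer Time)";
// split that into the numeric offset and the zone name (name may be absent).
function parseTimezone(dateString) {
  const m = /GMT([+-]\d{4})(?: \(([^)]*)\))?/.exec(dateString);
  if (!m) return null;
  return { offset: m[1], name: m[2] || null };
}

// Collect one fingerprint record. `env` is the global object in a browser;
// `env.now` is an optional clock hook so tests can be deterministic.
function collectFingerprint(env, gl) {
  const screen = env.screen || {};
  const nav = env.navigator || {};
  const now = env.now ? env.now() : new Date();
  return {
    screen: `${screen.width}x${screen.height}`,
    renderer: readWebglRenderer(gl),
    languages: Array.isArray(nav.languages) ? nav.languages.slice() : [nav.language].filter(Boolean),
    timezone: parseTimezone(now.toString()),
    platform: nav.platform || null,
  };
}

// Same-operator heuristic from the article: if every session seen on one panel
// account shares screen size and GPU renderer, treat it as a single machine.
function looksLikeSingleMachine(fingerprints) {
  if (fingerprints.length === 0) return false;
  const key = (fp) => `${fp.screen}|${fp.renderer}`;
  const first = key(fingerprints[0]);
  return fingerprints.every((fp) => key(fp) === first);
}

// Constructed stand-in for a browser environment (assumed values, not data from
// the report) so the example runs under Node without a real browser.
function constructedEnv(sessionTime) {
  return {
    screen: { width: 3024, height: 1964 },
    navigator: { languages: ['en-US', 'ru'], platform: 'MacIntel' },
    now: () => ({
      toString: () => `Tue Jul 15 2025 ${sessionTime} GMT+0300 (Eastern European Summer Time)`,
    }),
  };
}

// Constructed WebGL handle: 0x9246 is the real UNMASKED_RENDERER_WEBGL constant.
const constructedGl = {
  getExtension: (name) => (name === 'WEBGL_debug_renderer_info' ? { UNMASKED_RENDERER_WEBGL: 0x9246 } : null),
  getParameter: (p) => (p === 0x9246 ? 'ANGLE (Apple, Apple M3 Pro, OpenGL 4.1)' : null),
};

// Three sessions at different times from the same constructed machine.
function demo() {
  const sessions = ['14:02:11', '19:17:45', '23:33:09']
    .map((t) => collectFingerprint(constructedEnv(t), constructedGl));
  return { sample: sessions[0], singleMachine: looksLikeSingleMachine(sessions) };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real page the handle comes from `document.createElement('canvas').getContext('webgl')`; the injected-environment shape is only there so the logic can be exercised offline.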

Finally, the obvious giveaway: an IP slip-up. Like most threat actors, YouTubeTA used a VPN – but not always. In mid-July, CyberArk saw an access attempt from an address that didn’t appear to belong to a VPN.

After checking multiple tools, the IP mapped to a Ukrainian ISP called “TRK Cable TV”, consistent with their other indicators.

MaaS scales, but so do its failures

CyberArk’s verdict is that YouTubeTA “despite being a single operator, was dangerously successful” in stealing huge volumes of credentials in “just a few short months.”

It is also a reminder that MaaS is not just a way to scale attacks; it is a way to inherit someone else’s security problems.

By relying on third-party tooling, operators become vulnerable to “the same kind of supply chain risks regular industries struggle with.”

In this case, weaknesses in StealC’s panel and cookie handling gave defenders a rare view inside the operation and a chance to steal a few cookies back.

