What Happened
Security researchers published a detailed analysis of OnyxC2, a new Malware-as-a-Service (MaaS) infostealer that has begun circulating in underground markets. The service costs $250 per month and provides subscribers with a credential-theft tool targeting over 210 applications and browser extensions, including Chromium-based and Gecko-based browsers, two-factor authentication extensions, password managers, cryptocurrency wallets, FTP clients, VPN clients, email clients, and remote access tools.
The stealer’s core is written in C++ with assembly-level direct syscalls to bypass user-mode security hooks. Each build is uniquely mutated, and the developer claims a 99% evasion rate against signature-based detection. Delivery relies on DLL sideloading: a legitimate application signed with a valid Authenticode certificate loads a malicious DLL disguised as a trusted library component, such as an NVIDIA graphics module. One observed infection extracted 55 saved passwords, 4,717 cookies, 719 autofill entries, two payment cards, and a cryptocurrency wallet from a single host in one session.
Why This Matters for Canadian Organizations
The infostealer-to-ransomware pipeline is now the primary breach pathway for Canadian organizations. Vidar, the dominant infostealer tracked across 73% of infected hosts in Q1 2026, demonstrated how stolen session cookies allow threat actors to bypass MFA entirely — OnyxC2 targets the same category of credential. At $250 per month, the tool is accessible to low-sophistication threat actors who previously lacked the development capability to build their own stealer.
For Canadian financial services firms operating under OSFI B-13, the threat model is concrete: OnyxC2 targets VPN clients, remote access tools, and password managers that employees use to access core banking systems, treasury platforms, and regulatory reporting portals. A single infected endpoint that holds an employee’s saved VPN credentials or password manager database gives an attacker authenticated access to the internal network. The PIPEDA breach reporting threshold — real risk of significant harm — is met the moment financial data, SIN-adjacent records, or health information is extracted. FINTRAC-registered businesses face additional obligations if cryptocurrency wallets belonging to clients are in scope of a theft.
What to Do
Block DLL sideloading vectors at the endpoint by enabling Microsoft’s Vulnerable Driver Blocklist and deploying application control policies that restrict unsigned DLL loading from user-writable directories. Audit endpoint protection coverage to confirm your EDR vendor’s detection capability against mutated stealers — do not rely on signature-based detection alone. Enforce phishing-resistant MFA (FIDO2/passkey) on all remote access, VPN, and SaaS applications; session cookies stolen by OnyxC2 defeat TOTP-based MFA but not hardware-bound keys. Consider deploying browser isolation or credential isolation tools in high-value environments. Review password manager deployment policies: enterprise password managers with hardware-bound vaults provide substantially better protection than browser-saved credentials. Monitor for infostealer-related indicators on dark web forums, as stolen credentials frequently appear for sale within hours of a successful infection.
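As an added detection example (not code from the advisory or the reporting it cites), the following Python rates image-load telemetry the way a SIEM rule for the sideloading pattern described above would: a DLL loaded from a user-writable directory without a currently valid signature is flagged, and rated higher when its name belongs to a module that should only ever load from System32 or a vendor install path. It assumes Sysmon Event ID 7 field names (Image, ImageLoaded, Signed, SignatureStatus); the sample records, the watchlist names and the directory list are constructed.

```python
# Added example (not from the advisory): rate DLL loads from user-writable paths
# using Sysmon Event ID 7 fields. Sample records and DLL names are constructed.
import ntpath

# Locations an ordinary user can write to. A DLL here that impersonates a
# vendor or system module is the sideloading pattern the advisory describes.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed watchlist: modules that, per your baseline, load only from System32
# or a vendor directory; seen under a user path -> "high", other unsigned -> "medium".
TRUSTED_PATH_ONLY_DLLS = {"gfxmodule64.dll", "vendorupdate.dll"}

def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)

def classify(event):
    """Return 'high', 'medium', or None for one image-load record."""
    dll = event["ImageLoaded"]
    if not is_user_writable(dll):
        return None
    # Sysmon reports Signed as the string "true"/"false"; anything short of a
    # currently valid Authenticode signature (expired, revoked) is untrusted.
    if (event.get("Signed", "false").lower() == "true"
            and event.get("SignatureStatus") == "Valid"):
        return None
    name = ntpath.basename(dll).lower()
    return "high" if name in TRUSTED_PATH_ONLY_DLLS else "medium"

def find_sideloads(events):
    """Return (severity, loading process, DLL path) for each suspicious load."""
    return [(sev, ev["Image"], ev["ImageLoaded"])
            for ev in events if (sev := classify(ev))]

SAMPLE_EVENTS = [  # constructed records
    {"Image": r"C:\Users\alice\Downloads\Tool\updater.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Tool\gfxmodule64.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe",              # trusted location
     "ImageLoaded": r"C:\Windows\System32\gfxmodule64.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",  # expired signer
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
     "Signed": "true", "SignatureStatus": "Expired"},
    {"Image": r"C:\Users\alice\AppData\Local\Vendor\app.exe",  # per-user app, valid
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Vendor\libvendor.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    print(*find_sideloads(SAMPLE_EVENTS), sep="\n")
```

Feed real Event 7 records in place of SAMPLE_EVENTS and tune the prefix list and watchlist to your own baseline; the signature check is deliberately strict so that an expired or unverifiable signer is not treated as trusted.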
Original reporting: SecurityWeek