Warning: AI-Assisted Arkanix Stealer Malware Targets 22 Browser-Extension Crypto Wallets
Arkanix Stealer is a new information stealer, developed with help from large language models and promoted on dark-web forums, that steals data from 22 browser-extension cryptocurrency wallets as well as from browsers, VPN clients, and messaging and social platforms. It ships as a Python-based basic version and a native C++ advanced version, and it illustrates how far the barrier to entry for cybercrime has dropped.
Introduction: A new information-stealing malware named Arkanix Stealer is being widely promoted on dark-web forums. It was reportedly developed with the assistance of large language models, which dramatically lowers the technical barrier for cybercriminals.
1. Event Overview: Dark‑Web "Star" Product
At the end of 2025, Arkanix Stealer began appearing on multiple underground forums. Kaspersky researchers identified clear traces of AI-generated code, indicating that a large language model helped write it; this shortens development time and lets low-skill attackers produce sophisticated malware.
Attackers even operate a Discord server for "post‑sale support," providing updates, feature feedback, and technical assistance, mimicking a legitimate software product.
2. Technical Dissection: Dual‑Version Architecture
Arkanix offers two versions to satisfy different "customer needs":
Basic Version (Python implementation)
Collects system information
Steals browser data (history, cookies, passwords, autofill)
Steals data from 22 browser-extension cryptocurrency wallets
Steals Telegram and Discord credentials
Steals VPN accounts (Mullvad, NordVPN, ExpressVPN, etc.)
Advanced Version (Native C++)
Built on the basic version, it adds:
RDP credential theft
Anti‑sandbox and anti‑debug detection
Screen capture via WinAPI
Game platform account theft (Epic Games, Battle.net, Steam, etc.)
ChromElevator tool: injects into browser processes to bypass Google's application-bound encryption (ABE) and extract saved credentials. ABE ties the key that protects Chrome's cookies and passwords to the browser's own process, so decrypting the files from outside fails; code running inside the browser process sidesteps that check.
3. Remarkable Data‑Theft Capabilities
Browser and Wallets
Supports major browsers such as Chrome, Firefox, Edge
Targets 22 cryptocurrency wallets including MetaMask, Exodus, Trust Wallet, Binance, etc.
Steals OAuth2 tokens
Communication and Social
Telegram and Discord account passwords
Uses the Discord API to send malicious messages to the victim's contacts automatically, spreading itself further
Files and VPN
Archives and exfiltrates local files
Harvests VPN credentials for NordVPN, Mullvad, ProtonVPN, and others
Modular Extensions
Additional modules can be downloaded from the C2 server, including:
Chrome information‑stealing tool
Exodus/Atomic wallet patches
Screen‑capture utility
HVNC (hidden VNC) remote control
Stealing modules for Steam, FileZilla, and other applications
4. Significance of AI‑Assisted Development
Kaspersky researchers note: "The code contains traces of large‑language‑model generation, which can dramatically reduce development time and cost."
Malware development barriers are greatly lowered
Amateur attackers can produce professional‑grade trojans
Development cycles shrink from months to weeks
Feature iteration speeds up and code quality improves
Arkanix resembles a commercial software product more than a hidden trojan.
5. Enterprise Protection Recommendations
Endpoint Protection
Deploy EDR/endpoint security solutions that detect information-stealing behavior (credential-store access, wallet-extension directory reads, bulk exfiltration)
Monitor for injection into browser processes, in particular remote thread creation and cross-process memory writes into chrome.exe, msedge.exe and similar, since that is how the ChromElevator component defeats ABE
Restrict PowerShell and cmd.exe execution where it is not needed
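The "monitor browser-process injection" recommendation above is concrete enough to implement as a detection rule. The following is an added example, not code from Kaspersky's report or from Arkanix itself: it scores Sysmon-style events of type 8 (CreateRemoteThread) and 10 (ProcessAccess) and flags any non-browser image that opens a browser with thread-creation or memory-write rights, or starts a thread inside it. The sample events, the file paths and the allowlist are constructed for illustration; the access-right bit values are the documented Win32 PROCESS_* constants.

```python
"""Flag Sysmon-style process-injection telemetry aimed at browser processes.

Added example (not Kaspersky's or Arkanix's code). Events are plain dicts
with the Sysmon field names; SAMPLE_EVENTS below is constructed, not real.
"""
from dataclasses import dataclass
from typing import Optional
import ntpath

# Browser executables an ABE bypass has to run inside.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}

# Win32 PROCESS_* access rights an injector needs on the target handle.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Hypothetical allowlist of non-browser images expected to open browsers with
# these rights (security agents, crash reporters); tune it for your estate.
ALLOWLISTED_SOURCES = {"msmpeng.exe"}


@dataclass
class Alert:
    event_id: int
    source: str
    target: str
    reason: str


def _image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def _expected(source: str, target: str) -> bool:
    """A browser touching its own child processes, or an allowlisted agent."""
    src = _image_name(source)
    return src == _image_name(target) or src in ALLOWLISTED_SOURCES


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert for one event, or None when it looks benign."""
    src, tgt = event["SourceImage"], event["TargetImage"]
    if _image_name(tgt) not in BROWSERS or _expected(src, tgt):
        return None
    eid = event["EventID"]
    if eid == 8:  # CreateRemoteThread: a thread was started inside the browser
        return Alert(8, src, tgt, f"remote thread created at {event.get('StartAddress', '?')}")
    if eid == 10:  # ProcessAccess: inspect which rights the handle carries
        granted = int(event["GrantedAccess"], 16)
        hits = granted & INJECTION_RIGHTS
        if hits:
            return Alert(10, src, tgt, f"browser opened with injection rights 0x{hits:04X}")
    return None


def scan(events) -> list:
    return [alert for alert in map(evaluate, events) if alert is not None]


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\updater.exe"  # constructed path

SAMPLE_EVENTS = [  # constructed telemetry for the example
    # Chrome's browser process opening its own child: benign
    {"EventID": 10, "SourceImage": CHROME, "TargetImage": CHROME, "GrantedAccess": "0x1FFFFF"},
    # Task Manager querying Chrome with PROCESS_QUERY_LIMITED_INFORMATION only: benign
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": CHROME,
     "GrantedAccess": "0x1000"},
    # Unknown binary in Temp opening Chrome with full rights: suspicious
    {"EventID": 10, "SourceImage": DROPPER, "TargetImage": CHROME, "GrantedAccess": "0x1F0FFF"},
    # The same binary starting a thread in Edge: injection
    {"EventID": 8, "SourceImage": DROPPER, "TargetImage": EDGE, "StartAddress": "0x00007FF6A1230000"},
    # A thread started in Explorer: outside this rule's scope
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"EID {alert.event_id}: {alert.source} -> {alert.target}: {alert.reason}")
```

Run against the sample, only the two events from the Temp-resident binary fire. The same-image exemption matters in practice: Chromium browsers open their own renderer and GPU children with broad rights constantly, so a rule without it drowns in noise, while the allowlist is where legitimate agents that do write into browser memory are recorded rather than silently ignored.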
Email and Communication Security
Beware of "tools" distributed via Discord or Telegram
Do not download software from unknown sources
Even seemingly legitimate GitHub projects should be scrutinized
Cryptocurrency Security
Use hardware wallets rather than keeping private keys in browser extensions
Enable multi-signature protection for high-value holdings
Regularly audit and revoke token approvals and connected-site permissions granted by your wallet
Emergency Measures
If infection is detected, isolate the host, then change all account passwords from a clean device
Sign out of all active sessions and revoke tokens as well: the stealer takes cookies and OAuth2 tokens, so a password change alone does not invalidate stolen sessions. Then clear the browser's saved logins on the affected machine
Check Discord and Telegram for messages sent without your knowledge and warn the contacts who received them
Conclusion: The Other Side of AI’s Double‑Edged Sword
While AI boosts productivity, it also lowers the threshold for cybercrime. Arkanix Stealer is not an isolated case but signals the start of a broader trend.
Both enterprises and individuals must raise security awareness: free tools can be costly, and software of unknown provenance may act as a time‑bomb.
When AI becomes a hacker’s "programming assistant," defensive systems must evolve—from passive protection to proactive detection, and from point solutions to full‑stack monitoring.
This article is compiled from Kaspersky security research reports for reference only.
