A new malware-as-a-service (MaaS) platform called OnyxC2 surfaced on underground cybercrime forums earlier this year, offering subscribers a stealer and command-and-control framework that its sellers claim can harvest data from more than 210 applications. Delivered through a tiered subscription model that mirrors legitimate software pricing, the tool lowers the technical barrier to running enterprise-grade data theft operations.

According to Security Affairs, OnyxC2 combines DLL sideloading with encrypted payloads and remote access capabilities to slip past conventional detection. The platform is built to exfiltrate credentials, session tokens, browser data, and other sensitive information from a wide range of desktop applications.

Tiered Pricing for Digital Crime

What distinguishes OnyxC2 from many commodity stealers is its explicit commercial structure. The platform is reportedly offered across three subscription tiers:

  • Standard build at $250 per month, providing core stealer and C2 functionality
  • Premium tier at $500 per month, adding Hidden Virtual Network Computing (HVNC) capabilities that allow attackers to remotely interact with a victim's desktop without their knowledge
  • A top-tier package at $6,000, the full scope of which was not detailed in the available reporting

The HVNC component is particularly alarming for defenders. Tools of this kind typically run the victim's applications on a separate, hidden Windows desktop, so the operator can open browsers, navigate applications and act as though physically seated at the workstation while the user's visible screen shows nothing unusual. Because the session runs on the victim's own machine, it also inherits the victim's logged-in browser sessions, IP address and device fingerprint, so activity arrives from a source that fraud and conditional-access controls already trust. This goes well beyond traditional credential theft, giving attackers persistent, real-time access to a target's digital environment.

The SaaS-ification of Cybercrime

OnyxC2 exemplifies a broader and accelerating shift in the cybercrime economy: the professionalization and commoditization of attack tooling. Much like legitimate cloud software vendors, the operators behind OnyxC2 have adopted subscription pricing, feature-tier differentiation, and presumably ongoing updates and support.

This model dramatically lowers the barrier to entry for sophisticated data-theft campaigns. A would-be attacker no longer needs deep technical expertise to craft a stealer from scratch or reverse-engineer existing malware. Instead, they can subscribe to an off-the-shelf product whose features, from encrypted payload delivery to execution and evasion techniques such as DLL sideloading, were once the preserve of well-resourced threat groups.

The DLL sideloading technique OnyxC2 relies on is well documented but persistently effective. A legitimate, signed executable is dropped next to a malicious DLL that carries the name of a library the executable expects to load; because Windows resolves most DLLs from the application's own directory before the system directories, the trusted binary loads the attacker's code into its own process. Allow-listing rules that trust the signed executable but do not evaluate the DLLs it loads are sidestepped, and endpoint tools that reputation-score the host process rather than each loaded module see a trusted vendor binary doing the work. Paired with encrypted payloads, which defeat static signatures on the dropped files, this leaves behavioural telemetry (which module was loaded, from where, and by which process) as the main detection surface.

210-Plus Targets Undermine Simple Advice

The platform's claimed ability to target over 210 applications signals an extensive data-harvesting scope. This likely spans popular web browsers, email clients, cryptocurrency wallets, messaging platforms, VPN clients, and password managers — essentially any application that stores valuable credentials or session data locally.

For IT security teams, the breadth of targeted applications means that traditional guidance to use a niche browser or avoid storing credentials locally offers diminishing returns. The MaaS business model pays operators to keep adding coverage for newly popular applications and emerging targets, so any defence that relies on a single application staying off the target list is increasingly fragile.

Defending Against the MaaS Wave

The emergence of platforms like OnyxC2 underscores the need for defence-in-depth strategies that assume perimeter controls will be bypassed. Endpoint detection and response (EDR) solutions should be tuned to flag anomalous DLL loading patterns, for example a signed executable loading an unsigned DLL from a user-writable directory, and HVNC-style activity such as the creation of additional interactive desktops and input injection into them. Network-level monitoring for unusual command-and-control traffic patterns provides another essential layer.

Organisations should also harden their credential posture: enforcing multi-factor authentication across critical systems, limiting local credential storage where technically feasible, and segmenting networks to contain the blast radius of any successful compromise. Note that MFA does not protect a session token that has already been issued; short token lifetimes, binding sessions to the device where the platform supports it, and revoking sessions on anomalous activity are what limit the value of the tokens a stealer exfiltrates.

As the cybercrime-as-a-service market continues to mature, the capability gap between state-sponsored tooling and commercially available malware is narrowing fast. OnyxC2 is a stark reminder that sophisticated attack capabilities are no longer reserved for advanced threat actors — they are available to anyone willing to pay the subscription fee.

