
  • Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations


    Ravie Lakshmanan, Jan 19, 2026, Malware / Threat Intelligence

    Cybersecurity researchers have disclosed a cross-site scripting (XSS) vulnerability in the web-based control panel used by operators of the StealC information stealer, allowing them to gather crucial insights on one of the threat actors using the malware in their operations.

    “By exploiting it, we were able to collect system fingerprints, monitor active sessions, and – in a twist that will surprise no one – steal cookies from the very infrastructure designed to steal them,” CyberArk researcher Ari Novick said in a report published last week.

    StealC is an information stealer that first emerged in January 2023 under a malware-as-a-service (MaaS) model, allowing potential customers to leverage YouTube as a primary mechanism – a phenomenon called the YouTube Ghost Network – to distribute the malicious program by disguising it as cracks for popular software.

    Over the past year, the stealer has also been observed being propagated via rogue Blender Foundation files and a social engineering tactic known as FileFix. StealC, in the meantime, received updates of its own, offering Telegram bot integration for sending notifications, enhanced payload delivery, and a redesigned panel. The updated version was codenamed StealC V2.

    Weeks later, the source code for the malware’s administration panel was leaked, providing an opportunity for the research community to identify characteristics of the threat actor’s computers, such as general location indicators and computer hardware details, as well as retrieve active session cookies from their own machines.

    The exact details of the XSS flaw in the panel have not been disclosed, both to prevent the developers from plugging the hole and to avoid enabling copycats to use the leaked panel to start their own stealer MaaS offerings.

    In general, XSS flaws are a form of client-side injection that allows an attacker to get a susceptible website to execute malicious JavaScript code in the web browser on the victim’s computer when the site is loaded. They arise when user input is not validated and correctly encoded, allowing a threat actor to steal a victim’s cookies, impersonate them, and access sensitive information.

    “Given the core business of the StealC group involves cookie theft, you might expect the StealC developers to be cookie experts and to implement basic cookie security features, such as httpOnly, to prevent researchers from stealing cookies via XSS,” Novick said. “The irony is that an operation built around large-scale cookie theft failed to protect its own session cookies from a textbook attack.”
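
    The cookie and encoding points above can be checked mechanically. The following is an added example, not code from CyberArk’s report or the StealC panel: a Node.js audit of Set-Cookie headers for HttpOnly, Secure and SameSite, plus the HTML encoding whose absence causes XSS. The cookie name `session`, the function names and the header strings are constructed for illustration.

```javascript
// Added example. Function names and sample headers are constructed, not from the report.

// Parse one Set-Cookie header value; attribute names are case-insensitive.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = pair ? pair.indexOf('=') : -1;
  if (eq < 1) throw new Error('malformed Set-Cookie: expected name=value');
  const attrs = {};
  for (const p of rest) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Report which protective attributes a session cookie lacks.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push('no HttpOnly: script can read it via document.cookie');
  if (!attrs.secure) findings.push('no Secure: cookie is also sent over plain HTTP');
  const sameSite = String(attrs.samesite || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push('SameSite is not explicitly set to Lax or Strict');
  }
  return { name, findings };
}

// Encode untrusted text before placing it in HTML element or quoted-attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample headers: a bare session cookie and a hardened one.
const weak = 'session=3f9a1c; Path=/';
const hardened = 'session=3f9a1c; Path=/; HttpOnly; Secure; SameSite=Strict';
for (const h of [weak, hardened]) {
  const { name, findings } = auditSetCookie(h);
  console.log(name, findings.length ? findings : 'ok');
}
console.log(escapeHtml('<script>alert(1)</script>'));
```

    HttpOnly only keeps script from reading the cookie; injected script can still act within the logged-in session, so output encoding remains the primary fix.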

    CyberArk also shared details of a StealC customer named YouTubeTA (short for “YouTube Threat Actor”), who has extensively used Google’s video sharing platform to distribute the stealer by advertising cracked versions of Adobe Photoshop and Adobe After Effects, amassing over 5,000 logs that contained 390,000 stolen passwords and more than 30 million stolen cookies. Most of the cookies are assessed to be tracking cookies and other non-sensitive cookies.

    It’s suspected that these efforts have enabled the threat actor to seize control of legitimate YouTube accounts and use them to promote cracked software, creating a self-perpetuating propagation mechanism. There is also evidence highlighting the use of ClickFix-like fake CAPTCHA lures to distribute StealC, suggesting they aren’t confined to infections through YouTube.

    Further analysis has determined that the panel enables operators to create multiple users and differentiate between admin users and regular users. In the case of YouTubeTA, the panel has been found to feature only one admin user, who is said to be using an Apple M3 processor-based machine with English and Russian language settings.

    In what can be described as an operational security blunder on the threat actor’s part, their location was exposed around mid-July 2025 when the threat actor forgot to connect to the StealC panel through a virtual private network (VPN). This revealed their real IP address, which was associated with a Ukrainian provider called TRK Cable TV. The findings indicate that YouTubeTA is a lone-wolf actor operating from an Eastern European country where Russian is commonly spoken.

    The research also underscores the impact of the MaaS ecosystem, which empowers threat actors to mount attacks at scale within a short span of time, while inadvertently also exposing them to the security risks that legitimate businesses deal with.

    “The StealC developers exhibited weaknesses in both their cookie security and panel code quality, allowing us to gather a great deal of data about their customers,” CyberArk said. “If this holds for other threat actors selling malware, researchers and law enforcement alike can leverage similar flaws to gain insights into, and perhaps even reveal the identities of, many malware operators.”




  • Footage inside Spanish train as passengers evacuate from crash


    A video filmed after a deadly crash involving high-speed trains in southern Spain shows emergency workers at the scene and a passenger climbing out of a tilted carriage.

    Footage of passengers evacuating carriages has also been captured, with authorities warning that the death toll from the incident could rise.

    The incident occurred near the town of Adamuz, after a high-speed train travelling from Málaga to Madrid derailed and crashed onto a neighbouring track, according to the rail network operator. A second train travelling in the opposite direction also derailed.





  • China’s population falls for fourth straight year


    China’s population fell for the fourth straight year in 2025 as its birth rate sank to a record low, despite the government rolling out a spate of incentives to boost it.

    The country’s population fell 3.39 million to reach 1.4 billion by the end of 2025, marking a quicker decline than the previous year, government data showed on Monday.

    Its birth rate fell to 5.63 per 1,000 people – a record low since the Communist Party took power in 1949 – while its death rate rose to 8.04 per 1,000 people, the highest since 1968.

    Faced with an ageing population and sluggish economy, Beijing has been trying hard to encourage more young people to marry and have children.

    In 2016, it scrapped its longstanding one-child policy and replaced it with a two-child limit. When that did not lead to a sustained upsurge in births, authorities announced that they would allow up to three children per couple in 2021.

    More recently, China has offered parents 3,600 yuan (£375; $500) for each of their children under the age of three. Certain provinces are also dishing out their own baby bonuses, including additional payouts and extended maternity leave.

    Some of these incentives have stirred controversy. For instance, a new 13% tax on contraceptives – including condoms, birth control pills and devices – has sparked concern about unwanted pregnancies and HIV rates.

    China has one of the lowest fertility rates in the world, at around one birth per woman, below the replacement rate of 2.1. Other economies in the region, such as South Korea, Singapore and Taiwan, have similarly low fertility rates.

    China is also one of the most expensive countries in which to raise a child, according to a 2024 report by the YuWa Population Research Institute in Beijing.

    But some Chinese people have told the BBC they are hindered by other factors – including the desire for a carefree life without constantly worrying about their children.

    “I have very few peers who have children, and if they do, they’re obsessed about getting the best nanny or enrolling the kids in the best schools. It sounds exhausting,” a Beijing resident told the BBC in 2021.

    Experts at the United Nations believe China’s population will continue on a downward trajectory, estimating that the nation will lose more than half of its current population by 2100.

    A shrinking population has economic and social implications for the world’s second-largest economy: exacerbating an already declining workforce and weak consumer sentiment.

    With many young people moving away from their parents, there is also a growing number of seniors who are being left to look after themselves or rely on government payments.

    But the pension pot is running dry, according to the state-run Chinese Academy of Social Sciences – and the country is running out of time to build enough funds to care for its growing elderly population.


