In early 2026, Blackfog researchers identified a new threat that changes how organizations should assess credential theft risk. OnyxC2 is an infostealer distributed on a subscription model for approximately $250 per month on cybercrime forums. Its creators do not sell simple malware—they offer a package with an admin panel, technical support, and regular updates, directly mimicking legitimate enterprise software.
The Professionalization of Cybercrime
OnyxC2 enables theft of passwords stored in web browsers, password managers, and configuration files of popular business applications. Attackers can collect session tokens, client certificates, and cloud service credentials. For B2B companies where employees use multiple SaaS tools, a single endpoint infection can open doors to the entire corporate application ecosystem.
The subscription model lowers the barrier to entry for less experienced criminals. Instead of building their own tools from scratch, they buy a ready-made product with documentation and updates. This means the threat is not limited to advanced APT groups—every organization with access to sensitive data becomes a potential target.
How It Works and Infection Vectors
OnyxC2 typically reaches workstations through phishing, infected attachments, or fake software installers. Once executed, it scans the system for stored credentials, cookies, browser history, and cryptocurrency wallet data. Collected information goes to a C2 (Command and Control) panel, where the operator can export it or use it for further attacks.
- Browsers – Chrome, Firefox, Edge, Brave, and other popular engines.
- Password managers – LastPass, Bitwarden, 1Password, and local databases.
- Business applications – FTP clients, VPN, mail clients, and remote access tools.
- System files – documents with passwords, config files, and SSH keys.
Impact on B2B Organizations
For IT directors and CISOs, it is critical to understand that infostealers do not require advanced infrastructure breaches. One employee running a malicious file on a corporate laptop is enough. Stolen data can fuel attacks on Microsoft 365 accounts, Salesforce, ERP systems, or code repositories—depending on the user's role.
Organizations should treat endpoint protection as the first line of defense, not an optional add-on. A comprehensive strategy includes EDR/XDR, network segmentation, least privilege policies, and regular user permission audits. Technology partners offering IT infrastructure services help design architecture that limits the impact of a single device infection.
Practical Recommendations
The first step is inventorying all endpoints with access to production and administrative data. Next, deploy EDR solutions with the ability to isolate infected machines and monitor anomalous behavior. User training on phishing recognition remains essential but cannot replace technical controls.
Consider implementing an enterprise password manager with enforced MFA and strong master password policies. Passwords stored locally in the browser—despite convenience—are an easy target for infostealers. Central identity management (IAM) and Single Sign-On reduce the number of credentials that can leak during an incident.
Monitoring and Response
Effective detection requires correlating signals from multiple sources: endpoint logs, network traffic, cloud service alerts, and SIEM systems. Organizations without a dedicated SOC should consider outsourcing monitoring or deploying MDR solutions. The time between infection and exploitation of stolen data can be hours or days—the faster you detect the incident, the smaller the losses.
Your incident response plan should include immediate password rotation for users whose endpoints were compromised and verification of access logs to critical systems. In case of administrator credential leaks, full forensic analysis and potential notification of supervisory authorities under GDPR may be required.
OnyxC2 is a reminder that cybercriminals adopt business models from legitimate SaaS companies. For B2B organizations, this means continuously raising endpoint security and access policy standards. Investment in professional IT infrastructure with detection and response layers pays off many times over when one user mistake does not lead to full organizational compromise.
Privileged Access Policy
In the OnyxC2 context, accounts with local and domain administrator privileges are especially exposed. Attackers who steal credentials of such a user can escalate privileges across the organization in a short time. Deploying PAM (Privileged Access Management) with just-in-time sessions, admin session recording, and privileged password rotation limits the value of stolen authentication data.
Organizations should also consider blocking unauthorized software installation on endpoints through AppLocker, WDAC, or EDR solutions with application control. An infostealer must be executed to perform a scan—if policy blocks unknown executables, the infection vector is closed before malware starts operating. Red team tests simulating infostealer installation help verify the effectiveness of these controls in practice, not just on paper in the security policy.
Source: Sekurak