SOCRadar® Cyber Intelligence Inc. | The Unknown Stealers: What’s Hidden Below the Radar
Apr 07, 2026

The Unknown Stealers: What’s Hidden Below the Radar

The stealer ecosystem has matured into a professionalized criminal economy that most organizations are simply not monitoring closely enough.

While the industry fixates on household names like Lumma and RedLine, a growing class of lesser-known but actively deployed stealers (Void, Datura, Misericorde, Saturn, and others) is quietly collecting credentials, session cookies, and crypto wallet data from victims worldwide, feeding logs into underground markets that fuel ransomware, account takeovers, and business email compromise.

Our Threat Hunting team tracks these tools across Telegram channels, hacker forums, and dark web markets. This research is detailed in our latest whitepaper: The Unknown Stealers: From Dark Web to Log Markets.

How Infostealers Fuel Cybercrime: A Deep Dive into Log Markets

The Stealer Ecosystem in 2026

Infostealers have been around since the late 1990s, but what we’re seeing today is fundamentally different in scale and sophistication. The Malware-as-a-Service (MaaS) model has turned stealer development into a commercial operation that mirrors legitimate SaaS businesses, complete with tiered pricing, customer support SLAs, changelogs, and affiliate programs.

Any actor with $50 to $300 per month can access ready-to-use infrastructure: a payload builder, a web panel displaying stolen logs in real time, and C2 servers managed entirely by the developer. No programming knowledge required.

The market has been through several consolidation cycles. When AZORult fell, Raccoon and Vidar filled the gap. When Raccoon suspended operations in 2022, Lumma and RedLine surged. When Lumma faced disruption in 2025, StealC raised prices and a new wave of mid-tier entrants rushed in. By 2026, the ecosystem supports 25+ professional stealers and 20+ mid/low-tier tools operating simultaneously, with new ones entering circulation every month.

Stealer ecosystem timeline 2018 to 2026

Telegram has become the backbone of this economy. Developers use it for announcements, automated subscription management, log delivery to affiliates, and customer support. Underground forums still serve a purpose, establishing credibility, dispute resolution, and historical reputation, but Telegram is where the day-to-day business happens.

Technical Deep Dive: Void Stealer

Our report includes a full technical analysis of Void Stealer, a C++ infostealer that emerged in late 2025 and had already accumulated multiple active affiliate campaigns by the time of our analysis. It is a textbook example of how low-profile, undermonitored stealers can operate at scale before anyone is paying attention.

Void Stealer in SOCRadar Threat Actor/Malware Intelligence

What It Steals

Void targets a broad surface: credentials and session cookies from Chromium-based browsers via direct SQLite database access, crypto wallet extension tokens (MetaMask, Phantom, Coinbase Wallet, and 50+ others), desktop wallet files (Exodus, Atomic, Electrum), Telegram session data, Discord tokens, FTP credentials, and detailed system fingerprinting data including HWID, OS, hardware specs, timezone, and keyboard layout. An optional webcam capture module suggests use in targeted or sextortion-adjacent campaigns.

How It Evades Detection

Void implements several techniques that punch above its tier.

Dynamic syscall resolution – rather than calling standard NT functions that EDRs commonly hook, Void resolves Zw-prefixed syscall equivalents directly from ntdll at runtime. This bypasses userland EDR hooks without triggering monitored code paths.

Dynamic API resolution – imports are loaded at runtime via GetModuleHandleA rather than declared in the import table, making static analysis significantly more difficult.

Mutex-based single-instance enforcement – before executing, Void checks for an existing mutex to avoid double-execution, which also causes it to abort silently in many sandbox environments.

XOR-encrypted configuration – the operator-defined config file is encrypted before embedding, decrypted only at runtime.

No persistence – Void follows a deliberate grab-and-go philosophy. It executes, collects, exfiltrates, and terminates, leaving minimal forensic footprint and a very narrow detection window.
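The XOR-encrypted configuration is the piece of this list an analyst can usually turn around fastest: the key has to be recoverable by the binary itself, so it is recoverable from a dump. The following is an added triage helper, not SOCRadar's code and not Void's, and it assumes (for illustration only; the post says nothing about key length) that the embedded config is JSON XORed with a single repeating byte. The encrypted blob, the key and the config fields are all constructed sample data.

```python
"""Triage helper: recover a single-byte XOR-encrypted embedded config blob.

Added example, not SOCRadar's or Void's code. Assumption: the config is JSON
encrypted with a one-byte repeating key (the post only says "XOR-encrypted").
"""
import json
from typing import List, Optional, Tuple

# Constructed sample: a JSON config XORed with a fixed byte, the way an analyst
# might carve it out of a process dump. Key 0x5A and the fields are ours, not Void's.
SAMPLE_KEY = 0x5A
SAMPLE_CONFIG = {
    "build_id": "EXAMPLE-BUILD",
    "resolver": "placeholder-resolver.invalid",
    "tg_notify": True,
}
SAMPLE_BLOB = bytes(b ^ SAMPLE_KEY for b in json.dumps(SAMPLE_CONFIG).encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def recover_xor_config(blob: bytes) -> Optional[Tuple[int, dict]]:
    """Brute-force all 256 single-byte keys; accept the first that yields a JSON object.

    The printable-ratio prefilter keeps json.loads off the keys that produce
    binary garbage, so the loop stays cheap even for large blobs. Returns
    (key, parsed_config) or None when no key produces a JSON object.
    """
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if printable_ratio(candidate) < 0.95:
            continue
        try:
            parsed = json.loads(candidate.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
        if isinstance(parsed, dict):
            return key, parsed
    return None


def config_indicators(config: dict) -> List[str]:
    """Collect string values from a recovered config as candidate indicators to pivot on.

    Nested objects are walked; booleans and numbers are skipped.
    """
    found: List[str] = []
    stack = [config]
    while stack:
        node = stack.pop()
        for value in node.values():
            if isinstance(value, dict):
                stack.append(value)
            elif isinstance(value, str) and value:
                found.append(value)
    return found


if __name__ == "__main__":
    result = recover_xor_config(SAMPLE_BLOB)
    if result:
        key, cfg = result
        print(f"key=0x{key:02x} config={cfg}")
        print("indicators:", config_indicators(cfg))
```

Because a JSON object must start with `{`, only one key can map the first ciphertext byte to `0x7B`, which is why the search terminates unambiguously; a multi-byte key would need the usual key-length guessing first, which this helper does not attempt.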

Void Stealer administration panel displaying log statistics and basic operator controls

The C2 Trick: Steam Profile Abuse

One of Void’s more unusual techniques is how it resolves its C2 infrastructure. Rather than hardcoding a C2 domain, which would be trivially blocked once discovered, Void queries a Steam profile created and controlled by the operator. The profile’s display name contains the intermediate C2 URL, which the malware parses and connects to. This lets the operator rotate infrastructure by simply updating a Steam profile, without rebuilding or redeploying the binary.

The intermediate C2 domain itself presents as a convincing fake website, while the actual malware traffic routes through an /api/client endpoint invisible to casual inspection.
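From the hunting side, the useful consequence of this design is that the resolver page itself is evidence: whatever the profile's display name contains at a given moment is the live intermediate C2. The code below is an added example, not SOCRadar's or Void's, that turns a captured profile page into a network indicator. The HTML is a constructed sample and the `actual_persona_name` markup is an assumption made for illustration, not a statement about the real page structure; the hostname in it is a placeholder.

```python
"""Hunt helper: extract a dead-drop resolver's display name and emit an indicator.

Added example, not SOCRadar's or Void's code. The sample HTML and its markup
are constructed for illustration; the hostname is a placeholder.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample of a captured profile page (assumed markup).
SAMPLE_PROFILE_HTML = """
<html><body>
<div class="profile_header">
  <span class="actual_persona_name">https://updates-cdn.example/panel</span>
</div></body></html>
"""

# Assumed selector for the display name; adjust to whatever the captured page really uses.
DISPLAY_NAME_RE = re.compile(r'class="actual_persona_name">([^<]*)<')
# Matches an absolute URL embedded anywhere in the display name.
URL_RE = re.compile(r"https?://[^\s\"<>]+", re.IGNORECASE)


def extract_display_name(html: str) -> Optional[str]:
    """Return the profile's display name, or None if the marker is absent."""
    match = DISPLAY_NAME_RE.search(html)
    return match.group(1).strip() if match else None


def resolver_indicator(html: str) -> Optional[dict]:
    """If the display name carries a URL, return it as a candidate C2 indicator.

    A normal display name (a nickname) yields None, so the function doubles as a
    yes/no test for "is this profile being used as a resolver".
    """
    name = extract_display_name(html)
    if not name:
        return None
    match = URL_RE.search(name)
    if not match:
        return None
    url = match.group(0)
    return {
        "url": url,
        "host": urlsplit(url).hostname,
        "source": "steam_profile_display_name",
    }


if __name__ == "__main__":
    print(resolver_indicator(SAMPLE_PROFILE_HTML))
```

Re-running this against the same profile on a schedule records each rotation the operator performs, which is exactly the infrastructure churn the post describes for campaigns whose Steam accounts were later deleted.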

Steam profile used as intermediate C2 resolver, showing account creation date and resolved domain

Exfiltration and Delivery

All collected data is serialized to JSON, encoded in Base64, and uploaded to the intermediate C2 in chunked blocks. If the malware detects timing anomalies consistent with debugging, it switches to smaller chunk sizes to ensure partial data delivery even if execution is interrupted. The C2 then routes logs to the operator’s panel and, if configured, delivers real-time Telegram notifications with a summary of each new infection.
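The JSON-to-Base64-to-chunks pipeline has two defender-side consequences worth working through: captured chunk bodies only decode after they are joined, since a chunk boundary can fall inside a four-character Base64 group, and the burst of same-sized POSTs to one endpoint is itself a hunt signal. Both are shown in the added example below, which is not SOCRadar's or Void's code; the chunk layout, the log format, the hostnames and the workstation names are all constructed for illustration.

```python
"""Reassemble chunked Base64 uploads and flag the upload burst in proxy logs.

Added example, not SOCRadar's or Void's code. Chunk layout, log format and
all hostnames are constructed sample data.
"""
import base64
import binascii
import json
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple


# --- 1. Payload reconstruction from captured chunk bodies --------------------
def build_sample_chunks(payload: dict, chunk_size: int) -> List[str]:
    """Constructed sample: JSON -> Base64 -> fixed-size slices (not 4-aligned)."""
    b64 = base64.b64encode(json.dumps(payload).encode()).decode()
    return [b64[i:i + chunk_size] for i in range(0, len(b64), chunk_size)]


def reassemble(chunks: List[str]) -> Optional[dict]:
    """Join the chunks first, then decode once.

    Decoding each chunk on its own fails whenever a boundary splits a Base64
    group, which is the normal case for fixed-size slicing.
    """
    joined = "".join(chunks)
    joined += "=" * (-len(joined) % 4)  # restore padding if it was trimmed in transit
    try:
        return json.loads(base64.b64decode(joined, validate=True))
    except (binascii.Error, ValueError):
        return None


# --- 2. Detection over proxy log lines ---------------------------------------
# Constructed sample log: one workstation bursting POSTs to /api/client, and an
# unrelated GET to a different host with the same path, which must not fire.
SAMPLE_LOG = """\
2026-04-01T10:00:01Z host=ws-17 method=POST dst=updates-cdn.example path=/api/client bytes=1024
2026-04-01T10:00:02Z host=ws-17 method=POST dst=updates-cdn.example path=/api/client bytes=1024
2026-04-01T10:00:03Z host=ws-17 method=POST dst=updates-cdn.example path=/api/client bytes=1024
2026-04-01T10:00:04Z host=ws-17 method=POST dst=updates-cdn.example path=/api/client bytes=512
2026-04-01T10:00:05Z host=ws-22 method=GET dst=intranet.example path=/api/client bytes=210
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) method=(?P<method>\S+) "
    r"dst=(?P<dst>\S+) path=(?P<path>\S+) bytes=(?P<bytes>\d+)"
)


def flag_chunked_uploads(log_text: str, min_posts: int = 3, window_s: int = 60) -> List[dict]:
    """Flag (host, dst) pairs that POST to /api/client at least min_posts times within window_s.

    One finding per pair, reported for the first window that crosses the threshold.
    """
    events: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != "/api/client":
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events[(m["host"], m["dst"])].append((ts, int(m["bytes"])))

    findings = []
    for (host, dst), evs in events.items():
        evs.sort()
        for i in range(len(evs)):
            j = i
            while j + 1 < len(evs) and (evs[j + 1][0] - evs[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= min_posts:
                findings.append({
                    "host": host,
                    "dst": dst,
                    "posts": j - i + 1,
                    "bytes": sum(b for _, b in evs[i:j + 1]),
                })
                break
    return findings


if __name__ == "__main__":
    chunks = build_sample_chunks({"hwid": "EXAMPLE-HWID", "cookies": 12}, 7)
    print(len(chunks), "chunks ->", reassemble(chunks))
    print(flag_chunked_uploads(SAMPLE_LOG))
```

The smaller chunk sizes the malware falls back to under debugging make the burst denser, not sparser, so a count-in-window rule like this one gets more confident in exactly the case where the attacker is trying to salvage partial delivery.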

Telegram notification showing new log delivery with country, passwords, cookies, and campaign tag

The operator receives a structured log archive containing cookies, browsing history, screenshots, and system profiling data, packaged and ready to sell or exploit.

Active Campaigns

At the time of analysis, SOCRadar researchers identified up to six simultaneous active campaigns running on Void infrastructure. Each campaign used slightly modified binaries, a natural artifact of different affiliates configuring their own builds, but all shared the same underlying C2 relay architecture and Steam-based resolution mechanism. Some Steam accounts used in earlier campaigns had already been deleted, indicating active infrastructure rotation.

What Happens to the Stolen Data

The stolen data does not stop with the initial operator. Once a log enters the underground ecosystem, it becomes raw material for a chain of secondary attacks.

Stealer Logs & Combolists sales in Telegram and Underground Forums

Credentials get fed into credential stuffing tools and tested across hundreds of services. Session cookies enable account takeovers that bypass MFA entirely. Corporate VPN and RDP credentials get filtered and sold to Initial Access Brokers, who resell them to ransomware groups. Browsing history and captured documents provide the context needed to build highly convincing spear-phishing pretexts targeting colleagues, clients, and suppliers who were never the original target.

The cycle is self-sustaining: log sale profits fund new stealer subscriptions, new infections generate new logs, and the data extracted enables the next wave of campaigns. A low-tier operator selling a log for a few dollars on Telegram may be the first link in a chain that ends in a seven-figure ransomware incident.

Why the Unknown Ones Matter Most

The industry naturally concentrates monitoring and detection resources on stealers that have already achieved notoriety. That is exactly the gap that low- and mid-tier actors exploit. Their lower public profile translates directly into lower detection rates — security vendors have not written signatures, threat intelligence feeds have not catalogued their infrastructure, and defenders are not hunting for them.

Organizations that do not actively monitor underground markets for emerging malware face an exposure window that can last months before a new stealer achieves any meaningful detection coverage. The lack of attention these actors receive does not reflect their real impact. It reflects their visibility.

Get the Full Picture

This post covers the key highlights. The full whitepaper goes much deeper, including the complete binary-level technical analysis of Void Stealer, the full TTP matrix mapped to MITRE ATT&CK, all Indicators of Compromise, detailed breakdowns of MaaS licensing structures and cryptocurrency payment methods, the complete stealer ecosystem timeline from 2018 to 2026, and our full analysis of the underground log market and the downstream attack chains it enables.

Download The Unknown Stealers: From Dark Web to Log Markets – Full Whitepaper

Understand what is already operating in the blind spots of your threat intelligence program before it shows up in your incident response queue.