SOCRadar® Cyber Intelligence Inc. | Void Stealer: The Infostealer Malware Quietly Targeting Organizations in 2026
Apr 16, 2026
9 Mins Read
Apr 17, 2026
Moon

Void Stealer: The Infostealer Malware Quietly Targeting Organizations in 2026

Void Stealer is an infostealer malware that emerged in late 2025 and has been running active campaigns against users and organizations ever since. Distributed under a Malware-as-a-Service (MaaS) model through Telegram channels and underground forums, it allows any operator to deploy credential-stealing campaigns for a monthly subscription fee, with no technical background required.

While Void Stealer is not the most advanced infostealer malware available today, it combines evasion techniques that are uncommon at its price point with a growing network of active affiliates and a deliberately low public profile. That combination has allowed it to collect victim data for months with very limited detection coverage across the threat intelligence community.

For security leaders and IT decision makers, understanding how Void Stealer operates is an important step toward assessing whether existing defenses are equipped to detect this category of threat.

Void Stealer (SOCRadar Threat Actor/Malware Intelligence)

What Data Does Void Stealer Steal?

Like most modern infostealer malware, Void Stealer is built around a grab-and-go execution model. It runs on the victim’s machine, collects as much useful data as possible, sends it to the operator, and terminates without leaving persistent traces.

The data it targets spans several categories that are directly relevant to organizational security:

Browser credentials and session cookies: Void extracts saved usernames, passwords, browsing history, and active session cookies from Chromium-based browsers including Chrome, Edge, Brave, and Opera. Session cookies are particularly high-value because they let an attacker access already-authenticated accounts without a password, bypassing multi-factor authentication.

Cryptocurrency wallets: Desktop wallet applications including Exodus, Atomic Wallet, and Electrum are scanned for seed phrases and configuration files. Browser-based wallet extensions including MetaMask, Phantom, and Coinbase Wallet are also targeted.

System fingerprinting data: Hardware identifiers, operating system version, installed software, timezone, keyboard language, and screen resolution are all collected, giving operators a detailed profile of each victim’s environment for further targeting.

Messaging application sessions: Telegram session files and Discord authentication tokens are extracted, potentially giving operators access to private communications.

FTP and application credentials: Credentials stored by third-party applications and FTP clients are collected from known file system paths.

An operator-configurable webcam capture feature is also available, which is uncommon in infostealer malware at this tier and suggests certain campaigns are being directed at specific individuals rather than run as mass infection operations.

Void Stealer administration panel displaying log statistics and basic operator controls

How Does Void Stealer Evade Antivirus and EDR Detection?

One of the most important aspects of Void Stealer from a security perspective is the evasion capability it demonstrates for a mid-tier infostealer malware. Understanding these techniques helps explain why standard endpoint defenses may not flag it on first encounter.

Syscall-level EDR bypass: Modern endpoint detection and response tools monitor operating system calls to identify suspicious behavior. Void Stealer bypasses this monitoring layer by resolving alternative versions of those calls directly from the Windows ntdll library at runtime, rather than using the standard functions that security tools are watching. This technique is more commonly associated with advanced persistent threat tooling than with subscription-based infostealer malware.

Runtime API resolution: Rather than declaring the system functions it needs in the file’s import table, where they would be visible to static scanning tools, Void loads those functions dynamically during execution. This significantly reduces the effectiveness of signature-based antivirus detection.

Sandbox evasion via mutex checking: Before executing, Void checks for a specific marker it creates on the system. If that marker already exists, the malware exits immediately. This behavior causes it to terminate silently in many automated sandbox environments that security vendors use to analyze and classify new threats, which delays the creation of detection signatures.

Encrypted configuration: The operator configuration file is encrypted with XOR before being embedded in the binary and is only decrypted at runtime, reducing the information available to static analysis tools.

The combined effect is an infostealer malware that a significant portion of deployed security tooling will not identify during initial exposure.
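As an added, analyst-side example (not code from the original post or from SOCRadar), the following recovers an XOR-encrypted embedded configuration of the kind described above by trying every single-byte key and scoring the candidates for printable, JSON-shaped output; the sample blob, the key 0x5A and the JSON layout are constructed for the demo, and a repeating multi-byte key would need the same scoring applied per key position.

```python
import json
import string

PRINTABLE = set(string.printable.encode("ascii"))

# Constructed sample, not the real Void Stealer config: a made-up operator
# config JSON encrypted with a single-byte XOR key (0x5A, an assumption),
# standing in for the blob an analyst would carve out of the binary.
_DEMO_KEY = 0x5A
_DEMO_CONFIG = json.dumps({"campaign": "demo-01", "resolver": "PLACEHOLDER_PROFILE", "webcam": False}).encode()
SAMPLE_BLOB = bytes(b ^ _DEMO_KEY for b in _DEMO_CONFIG)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> float:
    """Fraction of printable bytes, plus 1.0 if the candidate parses as JSON."""
    printable = sum(b in PRINTABLE for b in candidate) / max(len(candidate), 1)
    try:
        json.loads(candidate)
        return printable + 1.0
    except ValueError:  # JSONDecodeError and UnicodeDecodeError both derive from ValueError
        return printable


def recover_config(blob: bytes, min_score: float = 0.95):
    """Try all 256 single-byte keys; return (key, plaintext) for the best candidate, or None."""
    best_score, best_key = max((score(xor_bytes(blob, k)), k) for k in range(256))
    if best_score < min_score:
        return None
    return best_key, xor_bytes(blob, best_key)
```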

Modus operandi flow diagram showing execution stages from initialization to exfiltration

How Void Stealer Uses Steam Profiles as C2 Infrastructure

One of Void Stealer’s more operationally notable design choices is how it locates its command and control server, the infrastructure it uses to send stolen data back to the operator.

Rather than hardcoding a server address into the malware binary, which would allow security teams to block it as soon as it was discovered, Void queries a Steam gaming platform profile controlled by the operator. The server address is embedded in that profile’s display name. The malware reads the profile, extracts the address, and connects.

This approach means operators can rotate their infrastructure at any time simply by updating a Steam profile. Blocking a known malicious domain does not disrupt the campaign. The malware reads the updated profile on its next execution and routes traffic to the new server instead.

Steam profile used as intermediate C2 resolver, showing account creation date and resolved domain

The intermediate server is presented as a legitimate-looking website to avoid blocking. In campaigns observed by SOCRadar Threat Researchers, it was disguised as a Russian university application portal. Malware traffic was routed through a hidden API endpoint on the same domain, invisible to anyone who visited the visible site directly.

How Stolen Data Reaches the Operator

Once Void Stealer completes data collection, it packages everything into a structured JSON format and uploads it to the intermediate server in segmented chunks. If the malware detects timing anomalies that suggest it is being analyzed or interrupted, it reduces chunk sizes further to maximize the volume of data that reaches the operator before execution ends.

Operators receive stolen data through two simultaneous channels. The administration panel organizes all incoming logs by campaign, country, and data type, with search and filter functionality. A Telegram notification is also sent in real time for each new infection, summarizing what was captured.

Telegram notification showing new log delivery with country, passwords, cookies, and campaign tag

This dual-delivery design means operators can access victim data even if the panel itself becomes temporarily unavailable, adding resilience to the overall operation.

Active Void Stealer Campaigns in 2026

SOCRadar researchers identified up to six simultaneous active campaigns running on Void Stealer infrastructure at the time of this analysis. Each campaign is operated by a separate affiliate who has purchased access to the tool, configured their own payload through the builder panel, and is distributing it independently.

Observed campaign delivery methods included fake company portals and fraudulent software download pages designed to appear legitimate to visitors. Each affiliate produces a slightly different binary through their individual configuration choices, but all binaries connect to the same underlying C2 infrastructure and behave identically once executed.

Infrastructure rotation is actively occurring. Several Steam accounts used as C2 resolution points in earlier campaigns had already been deleted and replaced by the time researchers analyzed them, indicating that operators are maintaining operational security measures to complicate tracking efforts.

Void Stealer Indicators of Compromise

Security teams should be aware of the following confirmed indicators associated with active Void Stealer campaigns. The complete indicator list and full MITRE ATT&CK TTP mapping are available in the linked whitepaper.

Confirmed malicious domain: citrusshop.icu has been identified as an active intermediate C2 domain.

Steam infrastructure: SteamID 76561199877608270 was used as a C2 resolution point in confirmed campaigns.

Behavioral indicators to monitor: Browser processes spawning with command-line flags including --no-sandbox, --disable-extensions, and --window-position=-32000,-32000 are a strong indicator of session harvesting activity. Unexpected outbound connections to steamcommunity.com from non-gaming endpoints warrant investigation. Outbound JSON uploads to newly registered or low-reputation domains should also be flagged for review.
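Added example, not from the original post: the three behavioral indicators above expressed as detection logic over constructed Sysmon-style events; the browser image list, the STEAM_ALLOWED_HOSTS allowlist and the 30-day "newly registered" threshold are assumptions a team would tune to its own environment.

```python
HARVEST_FLAGS = {"--no-sandbox", "--disable-extensions", "--window-position=-32000,-32000"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
STEAM_ALLOWED_HOSTS = {"GAMING-PC"}  # assumption: endpoints where Steam use is sanctioned
NEW_DOMAIN_MAX_AGE_DAYS = 30         # assumption: what "newly registered" means for this check

# Constructed sample telemetry, not data from a real infection.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-042", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --no-sandbox --disable-extensions --window-position=-32000,-32000"},
    {"type": "process", "host": "WS-042", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
    {"type": "network", "host": "WS-042", "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "dest_host": "steamcommunity.com", "method": "GET", "content_type": "", "domain_age_days": 5000},
    {"type": "network", "host": "GAMING-PC", "image": r"C:\Program Files (x86)\Steam\steam.exe",
     "dest_host": "steamcommunity.com", "method": "GET", "content_type": "", "domain_age_days": 5000},
    {"type": "network", "host": "WS-042", "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "dest_host": "fresh-domain.example", "method": "POST", "content_type": "application/json", "domain_age_days": 12},
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_process(ev):
    """Browser launched with the full hidden-window/no-sandbox flag set used for cookie harvesting."""
    if basename(ev["image"]) not in BROWSER_IMAGES:
        return None
    args = set(ev["cmdline"].split())  # whitespace split is enough for bare flags
    return "browser launched with session-harvest flags" if HARVEST_FLAGS <= args else None

def check_network(ev):
    """Steam contact from an endpoint that should not talk to Steam, or JSON POST to a young domain."""
    dest = ev["dest_host"].lower()
    if (dest == "steamcommunity.com" or dest.endswith(".steamcommunity.com")) \
            and ev["host"] not in STEAM_ALLOWED_HOSTS:
        return "steamcommunity.com contact from non-gaming endpoint (possible C2 resolution)"
    if ev["method"] == "POST" and ev["content_type"].startswith("application/json") \
            and ev["domain_age_days"] <= NEW_DOMAIN_MAX_AGE_DAYS:
        return "JSON upload to newly registered domain (possible log exfiltration)"
    return None

def triage(events):
    """Return (host, process, reason) for every event matching one of the indicators."""
    alerts = []
    for ev in events:
        reason = check_process(ev) if ev["type"] == "process" else check_network(ev)
        if reason:
            alerts.append((ev["host"], basename(ev["image"]), reason))
    return alerts
```

Running triage(SAMPLE_EVENTS) yields three alerts, all for WS-042: the flagged browser launch, the Steam contact from update.exe, and the JSON upload to the young domain; the sanctioned GAMING-PC event and the normal Chrome launch stay silent.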

For the complete set of MD5 file hashes, the full MITRE ATT&CK technique mapping, and all associated infrastructure indicators, see the full whitepaper.

The Organizational Risk: Why Void Stealer Matters Beyond the Endpoint

Void Stealer is an opportunistic, volume-driven infostealer malware. Its campaigns are broad rather than precisely targeted, and its goal is to generate as many logs as possible for sale on underground marketplaces. However, the downstream consequences of those logs reach well beyond the individual machine they were collected from.

A single stolen session cookie can provide an attacker with authenticated access to corporate SaaS platforms, cloud environments, or internal dashboards without triggering login alerts. Stolen VPN credentials are regularly purchased by Initial Access Brokers and resold to ransomware groups as ready-made network entry points. What begins as a generic infostealer infection becomes a potential precursor to a much more serious intrusion when the collected data lands in the right hands on the underground market.

The detection window is a critical factor here. Because Void Stealer receives limited coverage in public threat intelligence feeds, organizations that rely on reactive, signature-based detection may not identify activity until data has already been exfiltrated, sold, and acted upon by secondary threat actors.

Behavioral monitoring at the endpoint level, combined with proactive underground market intelligence, provides the most effective coverage against this category of threat.

Read the Full Void Stealer Analysis

This post covers the key operational and strategic details of Void Stealer. The complete technical analysis, including the full binary-level breakdown, all confirmed indicators of compromise, the MITRE ATT&CK TTP table, and the broader infostealer ecosystem context, is published in the SOCRadar whitepaper: The Unknown Stealers: From Dark Web to Log Markets.

Download the full whitepaper here.