The $250 monthly price tag on OnyxC2 is not the story. The refund guarantee is.
That commercial promise, offered to criminal customers whose builds get detected, is a tell. It signals that the malware-as-a-service economy has matured to the point where confidence in stealth and evasion is itself a marketed feature. Researchers at BlackFog obtained and analyzed two samples of the stealer, according to SecurityWeek's reporting, and characterized OnyxC2 as software "sold and supported like a commercial product." The framing matters: a capable stealer has been put in the hands of buyers who could not write one.
The pricing structure does the rest of the talking. A "normal" tier costs $250 a month. A "premium" tier that bundles HVNC, hidden virtual network computing, runs $500. A "private" tier that ships the source code and an installation guide, with the vendor offering to install it, lists at $6,000, with no specified monthly fee, suggesting outright purchase rather than rental. The tiers are organized the way legitimate SaaS products are: pay more, get more capability and persistence.
That persistence is what breaks the standard breach playbook. OnyxC2 targets roughly 210 apps and extensions across nine categories, per SecurityWeek's breakdown of BlackFog's findings. The list includes two-factor authentication extensions, password managers, seventeen crypto wallets, eleven FTP clients, and five email clients. Two-factor tokens scraped from an extension, and session cookies that keep a user logged in, survive a password reset. The defensive move that has anchored consumer and SMB response to credential theft for years, "change the password, you're fine," does not contain this breach.
Consider what one infected host had already given up before anyone noticed: 55 saved passwords, 4,717 cookies, 719 autofill entries, two payment cards, and a crypto wallet. Those numbers, drawn from a single victim machine in BlackFog's analysis as reported by SecurityWeek, capture the actual scale of a single OnyxC2 run.
The package also extends the operator's reach beyond a one-shot grab. The premium tier's HVNC gives a remote attacker a hidden desktop inside the victim's browser, useful for moving through logged-in sessions the victim never sees. LSASS dumping pulls authentication material directly from Windows memory, opening paths to other systems on the same network. Both features appear in the SecurityWeek summary of BlackFog's technical analysis.
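The LSASS dumping mentioned above has a well-known defensive signal: a process that is not part of the operating system opening lsass.exe with memory-read rights. As an added example, not code from BlackFog, SecurityWeek or the malware's authors, here is a small detector that applies that rule to constructed, Sysmon-style ProcessAccess (Event ID 10) records. The record format, the allowlist of expected source processes and every path in the sample log are constructed for illustration and would need tuning per environment.

```python
# Added example: flag unexpected processes reading LSASS memory in
# Sysmon-style ProcessAccess (Event ID 10) records. Field names follow
# Sysmon's schema; the 'key=value|key=value' line format, the allowlist and
# the sample log lines below are constructed for this illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional

PROCESS_VM_READ = 0x0010                 # access right needed to read LSASS memory
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Processes that legitimately open LSASS on a typical Windows host.
# Assumption to be tuned per environment, not a vendor-published list.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
}


@dataclass
class Finding:
    source_image: str
    granted_access: int
    reason: str


def parse_record(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def evaluate(record: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when a non-allowlisted process reads LSASS memory."""
    if record.get("EventID") != "10":
        return None
    target = record.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = record.get("SourceImage", "").lower()
    access = int(record.get("GrantedAccess", "0"), 16)
    if source in EXPECTED_SOURCES:
        return None
    if access & PROCESS_VM_READ:
        return Finding(source, access, "unexpected process read LSASS memory")
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run evaluate() over every non-empty line and collect findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = evaluate(parse_record(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: one benign system access, one read by a process
# dropped from a fake-installer lure, one query-only access, one unrelated event.
SAMPLE_LOG = """
EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000
EventID=10|SourceImage=C:\\Users\\victim\\AppData\\Local\\Temp\\FinePrint_setup.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010
EventID=10|SourceImage=C:\\Program Files\\Browser\\browser.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1400
EventID=1|Image=C:\\Windows\\System32\\notepad.exe
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT {f.source_image} access=0x{f.granted_access:x}: {f.reason}")
```

The query-only access (0x1400) is deliberately not flagged: the rule keys on the PROCESS_VM_READ bit because that is what a memory dump needs, which keeps the alert volume down while still catching the 0x1010 pattern in the second line.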
Then there is the distribution layer. OnyxC2 ships with ready-made lures: a fake FinePrint application, a bogus SystemSettings panel, a counterfeit Windows update prompt, and a trojanized Fling-Standalone installer. These are not novel. They are notable because they are bundled and supported, lowering the skill floor for an operator who would otherwise have to design and host the lures themselves.
The commercial discipline is the actual product. A refund-if-detected promise tells buyers the vendor has tested detection rates and believes they are low. A tier ladder that mirrors legitimate SaaS tells buyers the upgrade path is planned. Ready-made lures, support, and persistence features tell buyers the operator does not need to be technical. The price is at the higher end of the stealer market, and the structure explains why: it is being sold as an enterprise product, just to enterprise customers who happen to be criminals.
For defenders, the takeaway is uncomfortable. A password reset is no longer a remediation. It is a single task on a longer list that now includes invalidating active sessions, revoking two-factor tokens, rotating wallet seeds, and treating any host compromise as a network-level event rather than a single-account one. For individuals, the same list applies, compressed. The attackers have moved to a subscription model with support contracts. The defensive response cannot keep treating credential theft as a one-time cost.
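To make the "password reset is not a remediation" point concrete, here is an added example, not code from the article or from BlackFog's analysis, of a toy session store. It contrasts a naive reset that only rotates the password hash (stolen session cookies keep working) with a rotation that also bumps a per-user credential generation so every previously issued session fails validation. The class, the user record and the demo flow are constructed for illustration; a real deployment would apply the same generation check to MFA enrollments and API tokens as well.

```python
# Added example: why a password-only reset leaves stolen session cookies valid,
# and the fix of binding each session to a credential generation counter.
# Everything here (store, user record, demo flow) is constructed for illustration.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class User:
    password_hash: str
    credential_generation: int = 0                 # bumped on every rotation
    sessions: Dict[str, int] = field(default_factory=dict)  # token -> generation at issue


class SessionStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def register(self, name: str, password_hash: str) -> None:
        self.users[name] = User(password_hash)

    def login(self, name: str) -> str:
        """Issue a session token stamped with the user's current generation."""
        user = self.users[name]
        token = secrets.token_urlsafe(32)
        user.sessions[token] = user.credential_generation
        return token

    def is_valid(self, name: str, token: str) -> bool:
        """A session is valid only if it was issued under the current generation."""
        user = self.users[name]
        issued_gen: Optional[int] = user.sessions.get(token)
        return issued_gen is not None and issued_gen == user.credential_generation

    def reset_password_naive(self, name: str, new_hash: str) -> None:
        """The 'change the password, you're fine' flow: rotate the hash only."""
        self.users[name].password_hash = new_hash

    def rotate_credentials(self, name: str, new_hash: str) -> None:
        """Remediation: new password AND invalidate every existing session."""
        user = self.users[name]
        user.password_hash = new_hash
        user.credential_generation += 1   # every earlier token now fails is_valid()


def demo() -> Tuple[bool, bool, bool]:
    """Returns (stolen cookie valid after naive reset,
                stolen cookie valid after rotation,
                fresh login valid after rotation)."""
    store = SessionStore()
    store.register("alice", "hash-v1")
    stolen = store.login("alice")                   # the cookie a stealer exfiltrated
    store.reset_password_naive("alice", "hash-v2")
    after_naive = store.is_valid("alice", stolen)   # True: the breach is not contained
    store.rotate_credentials("alice", "hash-v3")
    after_rotate = store.is_valid("alice", stolen)  # False: session revoked
    fresh = store.login("alice")
    return after_naive, after_rotate, store.is_valid("alice", fresh)


if __name__ == "__main__":
    print(demo())
```

The generation counter is the important design choice: it revokes sessions without having to enumerate them, which matters when tokens are cached in places the reset flow does not reach, and it gives the same lever for revoking two-factor enrollments if those are stamped with the generation too.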
What to watch next: independent corroboration of OnyxC2's capabilities outside BlackFog's samples. A second analyst write-up, or public sample hashes on services like MalwareBazaar or VirusTotal, would harden the technical claims and clarify whether the refund guarantee and tier structure described in SecurityWeek's piece hold across additional builds.