OnyxC2 Malware-as-a-Service Targets Enterprises with Data Theft Capabilities

Severity: High (Score: 64.5)

Sources: Securityaffairs.Co

Published: 2026-06-11 · Updated: 2026-06-11

Keywords: onyxc2, malware-as-a-service, offers, enterprise, maas, stealer, targeting

Severity indicators: malware, stealer

Summary

OnyxC2 is a new Malware-as-a-Service (MaaS) stealer that targets over 210 applications, utilizing advanced techniques such as DLL sideloading and encrypted payloads to avoid detection. This malware was first introduced on a cybercrime forum earlier in 2026 and is available for subscription at various price points: $250 monthly for standard access, $500 for a premium version featuring HVNC, and $6,000 for an enterprise-grade package. The malware's remote access capabilities allow attackers to exfiltrate sensitive data from compromised systems. Organizations using the targeted applications are at risk of significant data breaches. The current status indicates that the malware is actively being marketed and sold to cybercriminals. Security professionals are urged to be vigilant and implement protective measures against this emerging threat.

Key Points:

  • OnyxC2 targets over 210 applications using sophisticated evasion techniques.
  • The malware is sold as a subscription service, with prices ranging from $250 to $6,000.
  • Organizations using affected applications are at risk of significant data theft.

Detailed Analysis

**Impact** OnyxC2 targets enterprises by stealing data from over 210 applications, potentially compromising sensitive business and operational information. The malware-as-a-service model enables widespread use, increasing the risk of data breaches across multiple sectors globally. Subscription pricing tiers suggest varying capabilities, including remote access, which could lead to extended unauthorized access and data exfiltration.

**Technical Details** OnyxC2 employs DLL sideloading and encrypted payloads to evade detection, with remote access features such as hidden VNC (HVNC) included in premium versions. It surfaced on a cybercrime forum earlier this year and is distributed via subscription services priced from $250 to $6,000 monthly. No specific CVEs or infrastructure details were provided in the articles.

**Recommended Response** Defenders should prioritize detection of DLL sideloading techniques and monitor for encrypted payload execution within enterprise environments. Implement network monitoring for unusual remote access activities, particularly HVNC connections. Blocking known OnyxC2 indicators and restricting execution of unauthorized DLLs are advised. Additional threat intelligence updates should be monitored for emerging IOCs and infrastructure details.

Source articles (2)

  • OnyxC2 Malware-as-a-Service Offers Enterprise — Securityaffairs.Co · 2026-06-11
    OnyxC2 is a MaaS stealer targeting 210+ apps, using DLL sideloading, encrypted payloads, and remote access features to evade detection. OnyxC2 appeared on a cybercrime forum earlier this year and is s…

Timeline

  • 2026-01-01 — OnyxC2 introduced on cybercrime forum: The OnyxC2 malware-as-a-service was first advertised on a cybercrime forum, attracting interest from cybercriminals.
  • 2026-06-11 — OnyxC2 launched for enterprise use: The malware is now available for subscription, with various pricing tiers for different features.

Related entities

  • Malware (Attack Type)
  • OnyxC2 (Malware)
  • HVNC (Malware)
  • T1574 - Hijack Execution Flow (Mitre Attack)