{ "type": "URL", "indicator": "https://arkanix.pw/api/upload/direct", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://arkanix.pw/api/upload/direct", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4156533396, "indicator": "https://arkanix.pw/api/upload/direct", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6999caf19db63c123bcf8b00", "name": "ArkanixStealer", "description": "", "modified": "2026-03-23T15:14:17.057000", "created": "2026-02-21T15:10:41.490000", "tags": [ "ArkanixStealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ReflectiveLoader", "display_name": "ReflectiveLoader", "target": null }, { "id": "ALF:Hacktool:Win64/AmsiDisable!MTB", "display_name": "ALF:Hacktool:Win64/AmsiDisable!MTB", "target": null }, { "id": "ConventionEngine_Anomaly_MultiPDB_Double", "display_name": "ConventionEngine_Anomaly_MultiPDB_Double", "target": null }, { "id": "MacSync_AppleScript_Stealer", "display_name": "MacSync_AppleScript_Stealer", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "md5_constants", "display_name": "md5_constants", "target": null }, { "id": "WinRAR_SFX", "display_name": "WinRAR_SFX", "target": null }, { "id": "stack_string", "display_name": "stack_string", "target": null }, { "id": "ArkanixStealer", "display_name": "ArkanixStealer", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 224, "URL": 1, "domain": 1, "hostname": 1 }, "indicator_count": 427, "is_author": false, "is_subscribing": null, "subscriber_count": 183, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e1a0276f18f490ed5d60e", "name": "ipify", "description": "", "modified": "2025-12-31T22:02:44.679000", "created": "2025-12-01T22:43:14.225000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 121, "FileHash-MD5": 35, "FileHash-SHA1": 55, "FileHash-SHA256": 252, "domain": 2, "hostname": 6 }, "indicator_count": 471, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "694ee1a9a91c10a7e1c3ebfa", "name": "aaaaaaaaaaaaa", "description": "", "modified": "2025-12-26T19:27:37.548000", "created": "2025-12-26T19:27:37.548000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vijay2752", "id": "368558", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "155 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6931441c61b70b6333ff86f6", "name": "Arkanix Stealer Jumps from Discord to Browser Sessions and Corporate Logins", "description": "Arkanix Stealer is an evolving cross-platform information stealer known for its rapid development and sophisticated evasion techniques. Initially identified as a simple Python script, it has transitioned to a more advanced C++ variant that operates through Discord and other social platforms, exploiting user trust. The threat actors behind Arkanix are financially motivated cyber criminals who exist within a malware as a service ecosystem.\n\nThe malware utilizes different exploitation techniques, most notably process injection into Chromium-based browsers, allowing it to bypass App Bound Encryption. This capability enables Arkanix to steal a range of sensitive information, including credentials, session cookies, cookies, and wallet data. Arkanix employs a module known as Chrome Elevator that operates post-exploitation, directly requesting sensitive data from inside the browser rather than decrypting files externally.", "modified": "2025-12-04T08:19:40.557000", "created": "2025-12-04T08:19:40.557000", "tags": [ "infosteeler", "phishing", "browser credential theft", "maas", "malware as a service", "malware", "app bound", "encryption", "chrome elevator", "discord", "arkanix", "arkanix stealer", "python", "clickfix", "edge", "chrome", "vmprotect", "score", "powershell", "phantom", "exodus", "steam", "desktop", "stealer", "sentinel", "status analysis", "cobalt strike" ], "references": [ "https://cybersecsentinel.com/arkanix-stealer-jumps-from-discord-to-browser-sessions-and-corporate-logins/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Arkanix", "display_name": "Arkanix", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [ "Entertainment" ], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 4, "FileHash-SHA256": 5, "URL": 3, "domain": 1, "hostname": 2 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "177 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://cybersecsentinel.com/arkanix-stealer-jumps-from-discord-to-browser-sessions-and-corporate-logins/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Md5_constants", "Stack_string", "Winrar_sfx", "Conventionengine_anomaly_multipdb_double", "Arkanix", "Worm:win32/mofksys.rnd!mtb", "Arkanixstealer", "Macsync_applescript_stealer", "Reflectiveloader", "Alf:hacktool:win64/amsidisable!mtb" ], "industries": [ "Entertainment" ], "unique_indicators": 967 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/arkanix.pw", "whois": "http://whois.domaintools.com/arkanix.pw", "domain": "arkanix.pw", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6999caf19db63c123bcf8b00", "name": "ArkanixStealer", "description": "", "modified": "2026-03-23T15:14:17.057000", "created": "2026-02-21T15:10:41.490000", "tags": [ "ArkanixStealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ReflectiveLoader", "display_name": "ReflectiveLoader", "target": null }, { "id": "ALF:Hacktool:Win64/AmsiDisable!MTB", "display_name": "ALF:Hacktool:Win64/AmsiDisable!MTB", "target": null }, { "id": "ConventionEngine_Anomaly_MultiPDB_Double", "display_name": "ConventionEngine_Anomaly_MultiPDB_Double", "target": null }, { "id": "MacSync_AppleScript_Stealer", "display_name": "MacSync_AppleScript_Stealer", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "md5_constants", "display_name": "md5_constants", "target": null }, { "id": "WinRAR_SFX", "display_name": "WinRAR_SFX", "target": null }, { "id": "stack_string", "display_name": "stack_string", "target": null }, { "id": "ArkanixStealer", "display_name": "ArkanixStealer", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 224, "URL": 1, "domain": 1, "hostname": 1 }, "indicator_count": 427, "is_author": false, "is_subscribing": null, "subscriber_count": 183, "modified_text": "68 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "692e1a0276f18f490ed5d60e", "name": "ipify", "description": "", "modified": "2025-12-31T22:02:44.679000", "created": "2025-12-01T22:43:14.225000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 121, "FileHash-MD5": 35, "FileHash-SHA1": 55, "FileHash-SHA256": 252, "domain": 2, "hostname": 6 }, "indicator_count": 471, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "694ee1a9a91c10a7e1c3ebfa", "name": "aaaaaaaaaaaaa", "description": "", "modified": "2025-12-26T19:27:37.548000", "created": "2025-12-26T19:27:37.548000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vijay2752", "id": "368558", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "155 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6931441c61b70b6333ff86f6", "name": "Arkanix Stealer Jumps from Discord to Browser Sessions and Corporate Logins", "description": "Arkanix Stealer is an evolving cross-platform information stealer known for its rapid development and sophisticated evasion techniques. Initially identified as a simple Python script, it has transitioned to a more advanced C++ variant that operates through Discord and other social platforms, exploiting user trust. The threat actors behind Arkanix are financially motivated cyber criminals who exist within a malware as a service ecosystem.\n\nThe malware utilizes different exploitation techniques, most notably process injection into Chromium-based browsers, allowing it to bypass App Bound Encryption. This capability enables Arkanix to steal a range of sensitive information, including credentials, session cookies, cookies, and wallet data. Arkanix employs a module known as Chrome Elevator that operates post-exploitation, directly requesting sensitive data from inside the browser rather than decrypting files externally.", "modified": "2025-12-04T08:19:40.557000", "created": "2025-12-04T08:19:40.557000", "tags": [ "infosteeler", "phishing", "browser credential theft", "maas", "malware as a service", "malware", "app bound", "encryption", "chrome elevator", "discord", "arkanix", "arkanix stealer", "python", "clickfix", "edge", "chrome", "vmprotect", "score", "powershell", "phantom", "exodus", "steam", "desktop", "stealer", "sentinel", "status analysis", "cobalt strike" ], "references": [ "https://cybersecsentinel.com/arkanix-stealer-jumps-from-discord-to-browser-sessions-and-corporate-logins/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Arkanix", "display_name": "Arkanix", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [ "Entertainment" ], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 4, "FileHash-SHA256": 5, "URL": 3, "domain": 1, "hostname": 2 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "177 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://arkanix.pw/api/upload/direct", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://arkanix.pw/api/upload/direct", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780211083.6966543 }