Inside the Infostealer Arms Race: How Stealer Malware Developers Are Competing to Own the Cybercrime Supply Chain

February 08, 2026

On February 7, 2026, across at least five different dark web forums, we counted no fewer than six distinct infostealer variants being actively marketed, updated, or given away for free. One developer posted a polished changelog detailing how their malware now dynamically defeats Chrome 144’s latest encryption. Another boasted about full undetectability against every major endpoint detection tool on the market. A third was running a crypto giveaway to promote a cross-platform stealer that targets both macOS and Windows. And on lower-tier forums, users were bumping threads for free, open-source stealers that anyone with a Python interpreter could deploy in minutes.

This isn’t a collection of isolated incidents. It’s a single day’s snapshot of an ecosystem that has industrialized. Stealer developers now operate like competing SaaS startups, complete with tiered pricing, Telegram storefronts, and version-numbered changelogs. Downstream, dedicated log parsers form a secondary tooling market, and massive credential marketplaces sit ready to monetize every stolen cookie and session token. According to Flare’s own research, analysis of 18.7 million infostealer logs in 2025 found that more than one in ten infections contained enterprise SSO or identity provider credentials. Verizon’s Data Breach Investigations Report found that 54% of ransomware victims had their domains appear in infostealer credential dumps. The stealers being advertised on a single February afternoon are the upstream source feeding all of it.

How Stealer Developers Are Racing to Crack Chrome 144’s New Defenses

Google has spent the past two years trying to make it harder for malware to steal credentials from Chrome. The introduction of application-bound encryption with Chrome v127 was supposed to be a turning point. For a brief window, several stealer families actually paused distribution. That window closed fast. By mid-2025, multiple stealer families including Stealc, Vidar, and LummaC2 had already implemented bypasses. Chrome 144, released on January 13, 2026, brought another round of security fixes, including patches for ten vulnerabilities in the V8 engine. The stealer developers treated it not as an obstacle but as a marketing opportunity.

AURA Stealer’s Dynamic Decryption for Chrome 144

On Niflheim, a user named AuraCorp posted a detailed v1.6.0 changelog for their AURA Stealer product that reads like a legitimate software release:

“Improved decryption of the latest versions of Chromium-based browsers (144+). The latest updates are perfectly decrypted by AURA. Now different versions of Chrome (before 143 / after 144) are decrypted with different elevators, and the method is selected dynamically for compatibility with different versions.”

The post went on to note additional language and geo checks layered on top of existing CIS (Commonwealth of Independent States) exclusions, a common feature that prevents the malware from running on machines in Russia and allied countries. AuraCorp also mentioned fixing “a bug with compile-time hashing of winapi names, which caused some strings to remain in the binary,” a detail that speaks to active efforts to evade static analysis by security researchers. The price: $295 to $585, sold via Telegram (View on Flare).

The specificity here matters. AuraCorp isn’t just claiming Chrome compatibility. They’re describing a dynamic method selection system that detects which version of Chrome is installed on the victim’s machine and applies the appropriate decryption technique. This is version-aware malware engineering, and it mirrors how legitimate software handles backward compatibility.

Security researchers have previously called AURA Stealer a “low-quality LummaC2 parody” with limited evasive capabilities. But the Chrome 144 update shows the developer is actively iterating. And with Lumma Stealer’s operations recently disrupted by a global law enforcement operation that seized 2,300 domains, there’s market share up for grabs. AURA’s developer seems to know it.

The FUD Arms Race: Evading EDRs and Windows Defender

While AuraCorp competes on browser decryption, other developers are competing on a different axis entirely: invisibility. On BreachForums, a user named heistwtf posted an update for their stealer called Datura, which operates through a web-based dashboard branded “Candyland.” The update was brief but pointed: “Candyland still remains fully undetected to all major EDR’s (and most importantly completely to Windows Defender)” (View on Flare).

Datura, formerly known as Blitzed Grabber, is described as a C++/ASM-based stealer with over 30 features including browser credential theft and crypto wallet harvesting. Its pricing starts as low as $10 per week and goes up to $145 for a lifetime license. The emphasis on EDR evasion aligns with a broader market trend where EDR bypass tools are now sold as subscription services starting at $300 to $350 per month. For heistwtf, the selling proposition isn’t the breadth of data Datura can steal. It’s the promise that no security product will catch it doing so.

Free and Open-Source Stealers Are Lowering the Barrier to Entry

The commercial stealer market is only half the story. Below the $295-and-up tier occupied by AURA and its competitors, a parallel economy of free stealers is thriving on lower-tier forums. These tools aren’t as polished, but they don’t need to be. Their feature sets have converged to the point where a free stealer can do almost everything a paid one can.

Phemedrone Stealer: 80KB, Zero Dependencies, Full Credential Theft

On Cracked, a user named danle bumped a thread for Phemedrone Stealer, an open-source tool written in C# and distributed with full source code under the familiar “educational purposes” disclaimer. The original post, attributed to a user called lawsuit, laid out the technical details:

“Stealer gathers all data in memory. No external libraries are used. Stub size is ~80 kB. Works on both x32 and x64 systems.”

The feature list covers Chromium and Gecko-based browser data (cookies, passwords, autofills, credit cards), Telegram and Discord sessions, Steam sessions, cryptocurrency wallet extensions, and detailed system reconnaissance including a screenshot. The stealer sends all collected data to an HTTP host, and the operator can configure anti-CIS, anti-VM, and anti-debugger protections (View on Flare).

An 80-kilobyte binary with no external dependencies that steals credentials from every major browser and crypto wallet. Free. Open source. That’s the floor of the market now.

CSTEALER and Legion Stealer: Discord Webhooks as Free C2 Infrastructure

The same user, danle, also bumped a thread for CSTEALER on the same day, a Python-based tool with a point-and-click builder. CSTEALER’s feature list is nearly identical to Phemedrone’s: “Discord Information, Nitro, Badges, Billing, Email, Phone, HQ Friends, HQ Guilds, Gift Codes, Browser Data, Cookies, Passwords, Histories, Autofills, Bookmarks, Credit/Debit Cards from Chrome, Edge, Brave, Opera GX, and many more… Crypto Data Extensions (MetaMask, Phantom, Trust Wallet, Coinbase Wallet, Binance Wallet and +40 wallets supported)” (View on Flare).

On Altenen, a user named Dankeshon promoted Legion Stealer V1, another C# stealer that exfiltrates data via Discord webhooks. Its feature list includes the ability to “Disable AV completely, Disable Taskmgr.exe” and perform anti-VM checks (View on Flare).

The Discord webhook pattern is worth pausing on. Discord has become both a target and a tool. These stealers harvest Discord tokens, Nitro status, and billing information from victims, while simultaneously using Discord’s own webhook infrastructure as free command-and-control channels to exfiltrate stolen data. The operator doesn’t need to set up a server. They just create a Discord webhook URL, paste it into the builder, and every stolen credential lands in their private channel.
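The webhook exfiltration pattern described above leaves a recognizable trace in egress telemetry: an HTTP POST to a Discord webhook URL from a process that is neither the Discord client nor a browser, often carrying a body far larger than a chat message. The following detection is an added example for defenders, not code from the article or from any of the stealers it names. The JSON-lines log format and its field names (`ts`, `src_host`, `process`, `method`, `url`, `bytes_out`) are assumptions about what a proxy or endpoint sensor might record, and the sample lines are constructed.

```python
"""Flag outbound Discord webhook posts that look like stealer exfiltration.

Added example, not from the article. The log format is constructed: a
JSON-lines egress log with fields ts, src_host, process, method, url and
bytes_out. These field names are assumptions, not a real product's schema.
"""
import json
import re
from urllib.parse import urlparse

# Discord webhooks live under /api[/vN]/webhooks/<id>/<token> on these hosts.
WEBHOOK_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}
WEBHOOK_PATH = re.compile(r"^/api(?:/v\d+)?/webhooks/(\d+)/[A-Za-z0-9_-]+")

# Processes that may legitimately post to webhooks in this (assumed) environment.
# Tune per host: a CI runner posting build notices is the classic false positive.
ALLOWED_PROCESSES = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = """\
{"ts":"2026-02-07T13:02:11Z","src_host":"WS-0411","process":"chrome.exe","method":"GET","url":"https://discord.com/api/v9/users/@me","bytes_out":512}
{"ts":"2026-02-07T13:02:40Z","src_host":"WS-0411","process":"update_helper.exe","method":"POST","url":"https://discord.com/api/webhooks/123456789012345678/AbC-dEf_ghi","bytes_out":418903}
{"ts":"2026-02-07T13:03:05Z","src_host":"WS-0412","process":"discord.exe","method":"POST","url":"https://discord.com/api/v9/channels/1/messages","bytes_out":2048}
{"ts":"2026-02-07T13:03:30Z","src_host":"BUILD-01","process":"python.exe","method":"POST","url":"https://discordapp.com/api/webhooks/987654321098765432/Zyx_wvU","bytes_out":900}
"""


def webhook_id(url: str):
    """Return the numeric webhook id if the URL is a Discord webhook endpoint, else None."""
    parsed = urlparse(url)
    if parsed.hostname not in WEBHOOK_HOSTS:
        return None
    match = WEBHOOK_PATH.match(parsed.path)
    return match.group(1) if match else None


def is_webhook_request(url: str) -> bool:
    """True if the URL points at a Discord webhook endpoint."""
    return webhook_id(url) is not None


def analyze_egress(log_text: str, large_upload_bytes: int = 100_000) -> list:
    """Return one alert per suspicious webhook POST found in the log text.

    A POST to a webhook is suspicious when it comes from a process outside the
    allowlist, when its body is large (stealers upload whole archives), or both.
    Only the webhook id is kept in the alert; the token part of the URL is dropped.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["method"] != "POST" or not is_webhook_request(rec["url"]):
            continue
        reasons = []
        if rec["process"].lower() not in ALLOWED_PROCESSES:
            reasons.append("unexpected_process")
        if rec["bytes_out"] >= large_upload_bytes:
            reasons.append("large_upload")
        if not reasons:
            continue
        alerts.append({
            "ts": rec["ts"],
            "src_host": rec["src_host"],
            "process": rec["process"],
            "webhook_id": webhook_id(rec["url"]),
            "severity": "high" if len(reasons) == 2 else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze_egress(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the rule produces two alerts: a high-severity one for `update_helper.exe` on WS-0411 (unknown process, ~400 KB body) and a medium one for the build host, which is the kind of hit an allowlist keyed on hostname would suppress. Blocking Discord outright is rarely an option, so the useful control is this process-and-size context, plus retaining the webhook id so the channel can be reported for takedown.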

The convergence across all three free stealers is striking. Every one of them targets Chromium browser data, 40+ crypto wallet extensions, Discord tokens, Telegram sessions, and system information. The feature gap between a $0 stealer and a $585 one has narrowed to the point where the paid product’s advantage lies primarily in evasion quality and customer support.

From Stolen Cookies to Corporate Breaches: The Stealer Log Marketplace Supply Chain

Stolen credentials don’t sit idle. They flow into a sophisticated downstream economy where they’re sorted, validated, priced, and sold. On a carder marketplace, a user named AntiCarder posted a guide to the top carding marketplaces of 2026 that reads like a consumer review site for cybercriminals. The post explicitly names Russian Market as “a major hub for credential theft and stealer-log distribution” whose “listings typically include browser passwords, cookies, and session tokens. This data enables account takeover attacks across email, social media, and corporate tools.” It also highlights Exodus Marketplace, launched in 2024, as focusing on “malware logs, corporate credentials, and initial access” (View on Flare).

The numbers behind these marketplaces are staggering. Stolen logs on Russian Market experienced a 670% increase over roughly two years, surging from two million in June 2022 to over five million in late February 2023. A ReliaQuest analysis found that 61% of stolen logs on Russian Market contained SaaS credentials from platforms like Google Workspace, Zoom, and Salesforce, and 77% included SSO credentials.

Log Parsers and Cookie Checkers: The Tooling Layer That Turns Raw Data into Profit

Between the stealers and the marketplaces sits a tooling layer that most people never think about. On DemonForums, a user named cherni92 bumped a thread for SunsetAIO, described as a “Stealer Log Parser, Cookie Checkers, Searchers, Discord token check” (View on Flare). Tools like SunsetAIO exist to process raw stealer log dumps into actionable, monetizable data. They validate whether stolen cookies are still active, check whether Discord tokens are still valid, and sort credentials by service and value.

This is the supply chain in action. Developers build stealers. Operators deploy them. Parsers process the output. Marketplaces sell the refined product. Each layer is specialized, and each layer has its own competitive market.

Stealer Developers Are Adopting SaaS Marketing Tactics and Targeting macOS

On Patched.to, a user named wagm1 posted a $50 crypto giveaway sponsored by the “WAGMI TEAM,” promoting their “MAC/WIN FUD Stealer” with the tagline “NO LIMIT TO PROFIT.” Entrants were asked to tag two friends and leave a like for “more luck,” engagement farming tactics borrowed directly from NFT and crypto community marketing (View on Flare).

The giveaway itself is unremarkable. What it signals is not. The explicit mention of macOS support alongside Windows reflects a real shift. Since late 2025, Microsoft Defender Experts has observed macOS-targeted infostealer campaigns using ClickFix-style prompts and malicious DMG installers to deploy macOS-specific stealers like AMOS and DigitStealer. Underground market chatter about macOS stealers peaked in 2025. The “Macs don’t get malware” assumption, always dubious, is now actively dangerous.

What This Means for Defenders

The posts collected on a single day in February 2026 tell a clear story. Session token and cookie theft has become the primary objective of stealer malware, not just passwords. When attackers steal active session cookies, MFA becomes irrelevant because the authentication has already happened. Defenders need to think beyond credential rotation and implement session monitoring, conditional access policies that detect anomalous session reuse, and browser isolation for sensitive workflows.
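The "anomalous session reuse" detection mentioned above can be made concrete. A stolen cookie is replayed from the attacker's own machine, so the same session id suddenly shows up with a different browser build and, usually, from a different country than the user was in minutes earlier, while an IP change on its own is normal for VPN and mobile users. The following is an added example, not code from the article or from any vendor; the event fields (`user`, `session_id`, `ip`, `country`, `user_agent`) are assumptions about what an identity provider or reverse proxy logs, and the sample events are constructed using RFC 5737 documentation IP ranges.

```python
"""Detect a session id being replayed from a different device or location.

Added example, not from the article. Event fields are assumptions about
what an IdP or reverse proxy logs; the sample events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    session_id: str
    ip: str
    country: str
    user_agent: str


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


UA_WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/144.0.0.0"
UA_LINUX_CHROME = "Mozilla/5.0 (X11; Linux x86_64) Chrome/131.0.0.0"

# Constructed sample: alice's session moves between two US IPs (VPN / mobile),
# then the same session id appears from another country on a different browser.
SAMPLE_EVENTS = [
    Event(_t("2026-02-07T09:00:00+00:00"), "alice", "sess-A", "203.0.113.10", "US", UA_WIN_CHROME),
    Event(_t("2026-02-07T09:05:00+00:00"), "alice", "sess-A", "203.0.113.10", "US", UA_WIN_CHROME),
    Event(_t("2026-02-07T09:20:00+00:00"), "alice", "sess-A", "198.51.100.77", "US", UA_WIN_CHROME),
    Event(_t("2026-02-07T09:31:00+00:00"), "alice", "sess-A", "192.0.2.55", "NL", UA_LINUX_CHROME),
    Event(_t("2026-02-07T09:40:00+00:00"), "bob", "sess-B", "203.0.113.20", "US", UA_WIN_CHROME),
]


def detect_session_reuse(events, travel_window=timedelta(hours=1)):
    """Return alerts for session ids whose later use does not match their binding.

    A session is bound to the user agent seen at its first event. An IP change
    alone is tolerated; a changed user agent, or a country change faster than
    `travel_window`, is what separates a replayed cookie from a roaming user.
    """
    bindings = {}  # session_id -> first user agent plus last seen time/country
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        b = bindings.get(ev.session_id)
        if b is None:
            bindings[ev.session_id] = {"ua": ev.user_agent, "last_ts": ev.ts, "last_country": ev.country}
            continue
        reasons = []
        if ev.user_agent != b["ua"]:
            reasons.append("user_agent_changed")
        if ev.country != b["last_country"] and ev.ts - b["last_ts"] < travel_window:
            reasons.append("country_change_within_window")
        if reasons:
            alerts.append({
                "ts": ev.ts.isoformat(),
                "user": ev.user,
                "session_id": ev.session_id,
                "ip": ev.ip,
                "severity": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
        b["last_ts"], b["last_country"] = ev.ts, ev.country
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample only the 09:31 event fires: same session id, new browser fingerprint, and a country change eleven minutes after the last US request. The response that actually closes the hole is revoking that session at the identity provider and forcing re-authentication; rotating the user's password does nothing to a cookie that is already in an attacker's hands.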

The free stealer problem means the threat actor population is growing. When a functional credential stealer costs nothing and requires only basic technical skills to deploy, the volume of infections will continue to climb. Organizations should assume that employee credentials are already circulating in stealer logs and build detection around that assumption.

Monitoring the stealer log supply chain, from the forums where stealers are sold to the marketplaces where logs are traded, provides early warning that traditional security tools cannot. If your organization’s credentials appear in a fresh log dump on Russian Market, you have hours to respond before an attacker uses them, not days.

The forum posts referenced in this article were collected and analyzed using Flare’s threat exposure management platform. To see how Flare monitors dark web forums for threats relevant to your organization, sign up for a free trial.
