OnyxC2: When $250/Month Buys Everything on Your Employees' Devices

Security intelligence at the carrier and identity layer — SIM swap detection, breach monitoring, wallet risk, and threat intelligence via REST API and MCP.

A new Malware-as-a-Service platform called OnyxC2 just raised the stakes for every SMB owner with remote workers. For $250 a month a criminal gets a fully operational credential-theft and remote-access toolkit that targets 210+ applications, evades detection across 71 antivirus engines on first run, and can turn a single infected workstation into standing access across an employee's entire working life.

This is not a nation-state tool. It's a subscription service with a refund policy.

What OnyxC2 Does in One Pass

When OnyxC2 infects a device, it harvests everything the browser holds and then some. One operator panel observed by researchers showed a single machine had already surrendered:

- 55 saved passwords

- 4,717 cookies, including active session cookies that bypass 2FA entirely

- 719 autofill entries

- 2 payment cards

- 1 cryptocurrency wallet

The attack surface is extensive: 37 Chromium browsers, 8 Gecko browsers, 95 browser extensions (including 2FA authenticator extensions), 5 password managers, 17 cryptocurrency wallets, VPN clients, email clients, and FTP clients. If it lives in a browser or on a desktop, OnyxC2 takes it.

Beyond credential theft, the $500/month Premium tier adds Hidden VNC (HVNC), giving the operator a live, hidden remote desktop inside the infected machine. Keylogging, screenshot capture, memory dumps, file management, and a built-in Tor tunnel for exfiltration are included at both tiers.

How It Avoids Detection

OnyxC2's developers clearly understand enterprise security tooling. They disguise malicious DLLs as NVIDIA graphics libraries, use applications with valid Authenticode signatures to appear legitimate, and keep payloads encrypted until runtime. When researchers first uploaded builds to VirusTotal, zero of 71 antivirus engines flagged them.

The developers are so confident in their evasion that they offer refund guarantees if their builds get detected. This is a criminal business with a customer satisfaction model.

The Infection Vector Is Your Employees' Habits

OnyxC2 ships with ready-made deception installers disguised as:

  • FinePrint (a common document utility)

  • Fake Windows updates

  • Gaming application installers

An employee downloads what looks like a routine update. Everything on their device, including every saved password, every active session, and every stored card number, is gone within minutes. The infostealer log appears in a criminal Telegram channel within 24-72 hours. Attackers purchase it, replay the session cookies, and they're inside your systems authenticated as your employee. No brute force. No phishing alert. No anomaly to catch.
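The replay step described above is also where a defender can still catch it: a cookie stolen from one device is presented from a different network and browser than the one it was issued to. The following Python is an added example, not code from the original post or from RelayShield; it runs over a constructed application log whose format and field names (sid, user, ip, ua) are assumptions, and flags sessions presented from a context other than the one they were issued in.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample log (not real data): session a1f3 is issued to alice at the office, then
# presented 36 hours later from another network and browser, the signature of a replayed cookie.
SAMPLE_LOG = """\
2024-05-01T09:02:11Z sid=a1f3 user=alice ip=198.51.100.23 ua="Chrome/124.0 (Windows NT 10.0)"
2024-05-01T09:40:52Z sid=a1f3 user=alice ip=198.51.100.40 ua="Chrome/124.0 (Windows NT 10.0)"
2024-05-01T10:15:03Z sid=b7c9 user=bob ip=203.0.113.8 ua="Safari/17.4 (Macintosh)"
2024-05-02T21:33:47Z sid=a1f3 user=alice ip=192.0.2.77 ua="Chrome/123.0 (X11; Linux x86_64)"
2024-05-02T21:34:10Z sid=a1f3 user=alice ip=192.0.2.77 ua="Chrome/123.0 (X11; Linux x86_64)"
"""
LOG_RE = re.compile(r'^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$')

def parse_events(text):
    """Parse the constructed log format into dicts, with the timestamp as a datetime."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # lines that do not match the expected format are skipped
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def network_key(ip):
    """Collapse an address to its /24 so DHCP churn inside one office does not alert."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def detect_replayed_sessions(text):
    """One alert per session later presented from a different network or browser than
    the one it was issued in. VPN and mobile roaming can trip this, so treat the
    output as a triage queue for the 24-72 hour window, not an automatic block."""
    issued = {}  # sid -> (network, user agent, issue time) at first sighting
    alerts, seen = [], set()
    for ev in parse_events(text):
        sid, net, ua = ev["sid"], network_key(ev["ip"]), ev["ua"]
        if sid not in issued:
            issued[sid] = (net, ua, ev["ts"])
            continue
        net0, ua0, ts0 = issued[sid]
        changed = [name for name, a, b in (("network", net0, net), ("user_agent", ua0, ua)) if a != b]
        if changed and sid not in seen:
            seen.add(sid)
            hours = (ev["ts"] - ts0).total_seconds() / 3600
            alerts.append({"sid": sid, "user": ev["user"], "from_ip": ev["ip"],
                           "changed": changed, "hours_after_issue": round(hours, 1)})
    return alerts
```

The second a1f3 line comes from a different host in the same /24 and does not alert; the two lines from 192.0.2.77 produce a single alert for the session, 36.5 hours after issue.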

What This Means for Small Businesses

Enterprise security teams have behavioral analytics, privileged access management, and endpoint detection tuned to catch lateral movement. Small businesses have antivirus software that OnyxC2 was explicitly engineered to defeat.

The $250/month entry price means this isn't a targeted attack. It's a volume play. Operators run campaigns against thousands of potential victims at once. Your employees don't need to be singled out. They just need to be online.

The stolen VPN credentials from an infostealer log are the most common entry point for ransomware deployment. The infostealer is the reconnaissance. The ransomware comes weeks later, after the attacker has had time to understand your environment.

The 24–72 Hour Window

There is a window between when a device is infected and when the attacker uses the stolen credentials. Infostealer logs take time to package and sell. Buyers take time to sort and replay sessions. That window, typically 24 to 72 hours, is where protection is possible.

RelayShield monitors criminal Telegram channels and infostealer log markets in near-real-time. When an employee's credentials appear in a log, the alert fires within hours, before session replay begins, before VPN credentials are used, before the ransomware deployment that follows weeks later.

If your employee's device is compromised today, you need to know today, not when the ransomware note appears.

Check your exposure by sending the command: "INFOSTEALER your@email.com" using the RelayShield integrated messaging application on WhatsApp or Telegram.