Hackers Use Google Docs and Steam to Spread ACRStealer Infostealer

A new information-stealing malware, ACRStealer, is leveraging legitimate platforms like Google Docs and Steam to carry out its attacks, according to research from the AhnLab Security Intelligence Center (ASEC). The malware first appeared in mid-2024 as a beta version and has seen a significant increase in distribution since the start of 2025, with February's volume already matching January's, indicating a possible surge.

It is worth noting that, according to Hudson Rock's report, infostealers have become the biggest threat to critical infrastructure. The report reveals that computers belonging to the US Army, Navy, and even the FBI have been compromised, with the stolen data available on the dark web for as little as $10.

In the ongoing campaign, ASEC's monitoring confirms that ACRStealer is spread through software cracks and key generators commonly used for software piracy, with the malware frequently disguised as these illegal programs.

While Lumma Stealer and Vidar have been the dominant infostealers distributed this way, researchers observed that ACRStealer's presence is growing rapidly. According to their report, the distribution trend of ACRStealer from June 2024 to February 2025 shows a dramatic rise in 2025.

Platforms used to distribute the infostealer disguised as a crack (Screenshot via AhnLab).

ACRStealer has a wide range of malicious capabilities. It can detect installed antivirus solutions, steal cryptocurrency wallets and login credentials, extract browser data, harvest FTP credentials, and read all text files. This stolen information allows cybercriminals to target financial assets and personal accounts: stolen credentials grant access to email, social media, and banking services, and the data can also be used for identity theft or sold on dark web markets.

A key feature is ACRStealer's C2 server communication. Instead of embedding the server's IP address or domain in the binary, it uses a Dead Drop Resolver (DDR). With this method the malware contacts a legitimate service, such as Google Docs or Steam, to retrieve the C2 server's domain. ASEC has identified several platforms used as intermediary C2s, including Steam, telegra.ph, and various forms of Google Docs (Forms and Presentations).

This approach allows attackers to change the C2 domain easily if it is blocked or taken down, without needing to update the malware itself. They simply modify the information stored in the intermediary C2.

The actual C2 domain, retrieved from the intermediary C2, is combined with a hardcoded UUID (Universally Unique Identifier) to build the URL from which encrypted configuration data is downloaded. This data contains crucial information such as target programs, additional malware URLs, file extensions, and target browser extension IDs.
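To make the dead-drop flow concrete, here is an added example (not ASEC's research code and not ACRStealer's own code) that emulates both sides of it: the operator writes an encoded domain into an intermediary page, and the "malware" side fetches the page, recovers the domain and combines it with the hardcoded UUID to form the configuration URL. It runs offline against constructed sample pages. The base64-between-markers encoding, the positions on the pages, the `https://<domain>/<uuid>` path layout and the `.invalid` domains are assumptions made for illustration; the article does not describe the real encoding. The fallback across several intermediaries reflects the point made later in the article that the operators keep changing platforms and the locations of the C2 information.

```python
# Added example (not ASEC's code and not ACRStealer's own code): a minimal
# emulation of the Dead Drop Resolver (DDR) flow described above, run against
# constructed sample pages so it executes offline.
#
# Assumptions that are NOT from the article: the C2 domain is hidden on the
# intermediary page as base64 between the literal markers "[[" and "]]", and
# the configuration URL is https://<c2-domain>/<uuid>. The real encoding,
# page locations and path layout are not described in the source.
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import urlunsplit

# Platforms named in the article as intermediary ("dead drop") C2s. The page
# templates are constructed stand-ins, not real Steam/Google/telegra.ph markup.
PAGE_TEMPLATES: Dict[str, str] = {
    "steam_profile": '<div class="profile_summary">{payload}</div>',
    "google_form": "<title>{payload}</title>",
    "telegraph": "<article><p>{payload}</p></article>",
}

MARKER_RE = re.compile(r"\[\[([A-Za-z0-9+/=]+)\]\]")
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


def publish_dead_drop(platform: str, c2_domain: str) -> str:
    """Operator side: write the (encoded) C2 domain into an intermediary page.

    Rotating the C2 means calling this again with a new domain; the malware
    binary itself does not change, which is the point made in the text above.
    """
    encoded = base64.b64encode(c2_domain.encode()).decode()
    return PAGE_TEMPLATES[platform].format(payload=f"[[{encoded}]]")


def extract_c2_domain(page_body: str) -> Optional[str]:
    """Malware side: pull the hidden domain out of one fetched page body.

    Returns None when the page carries no marker or the decoded value is not a
    plausible hostname, so the caller can fall through to the next platform.
    """
    for match in MARKER_RE.finditer(page_body):
        try:
            candidate = base64.b64decode(match.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if DOMAIN_RE.match(candidate):
            return candidate
    return None


def resolve_c2(fetched_pages: List[str]) -> Optional[str]:
    """Try the intermediaries in order and return the first resolvable domain.

    In the real flow each entry would be an HTTP response body from Steam,
    Google Docs/Forms or telegra.ph; here they are supplied as strings.
    """
    for body in fetched_pages:
        domain = extract_c2_domain(body)
        if domain:
            return domain
    return None


def build_config_url(c2_domain: str, hardcoded_uuid: str) -> str:
    """Combine the resolved domain with the sample's hardcoded UUID.

    The path layout is an assumption of this example.
    """
    return urlunsplit(("https", c2_domain, f"/{hardcoded_uuid}", "", ""))


def simulate_rotation(hardcoded_uuid: str) -> Dict[str, str]:
    """Walk one C2 rotation: the dead drop first points at domain A, then the
    operator edits a different intermediary to point at domain B and the
    unchanged binary follows. Domains are constructed and use the reserved
    .invalid TLD."""
    stale = "<html><body>no marker on this page</body></html>"  # a drop that was emptied
    before = [stale, publish_dead_drop("steam_profile", "first-c2.invalid")]
    after = [stale, publish_dead_drop("google_form", "second-c2.invalid")]
    return {
        "before": build_config_url(resolve_c2(before), hardcoded_uuid),
        "after": build_config_url(resolve_c2(after), hardcoded_uuid),
    }


if __name__ == "__main__":
    sample_uuid = "00000000-0000-4000-8000-000000000000"  # placeholder, not a real value
    for stage, url in simulate_rotation(sample_uuid).items():
        print(f"{stage}: {url}")
```

The practical consequence for defenders is that the first hop (steamcommunity.com, docs.google.com, telegra.ph) is ordinary traffic that cannot be blocked outright, so detection has to key on the second hop instead: a non-browser process reading one of those pages and then contacting a low-prevalence domain with a UUID-shaped path is the observable pattern, and the resolved domain plus the hardcoded UUID are the indicators worth extracting from a sample.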

The configuration file specifies a wide range of data to be stolen, including browser data, text files, cryptocurrency wallets, FTP information, chat program information, email client information, remote access program information, terminal program information, VPN information, password manager information, database (DB) information, and browser extension plugin information.

It also targets numerous programs, from browsers like Chrome and Firefox to cryptocurrency wallets like Binance and Electrum, chat programs like Telegram and Signal, and various browser plugins. Collected files are typically compressed before transmission.

AhnLab's analysis highlights ACRStealer's adaptable approach: it constantly changes platforms and the locations of the C2 information within them. It is also operated as Malware-as-a-Service (MaaS), which makes tracking infections difficult.

However, preventative measures can be taken. These include avoiding websites that distribute cracks and key generators, and downloading software only from official sources. Additionally, be cautious with links and attachments in unsolicited communications, enable multi-factor authentication (MFA) for added protection, and maintain an active anti-malware solution.
