Cybersecurity researchers are warning of a brand new marketing campaign that leverages cracked variations of software program as a lure to distribute info stealers like Lumma and ACR Stealer.
The AhnLab Safety Intelligence Heart (ASEC) mentioned it has noticed a spike within the distribution quantity of ACR Stealer since January 2025.
A notable facet of the stealer malware is using a method referred to as useless drop resolver to extract the precise command-and-control (C2) server. This contains counting on respectable companies like Steam, Telegram’s Telegraph, Google Kinds, and Google Slides.
“Menace actors enter the precise C2 area in Base64 encoding on a particular web page,” ASEC mentioned. “The malware accesses this web page, parses the string, and obtains the precise C2 area handle to carry out malicious behaviors.”
ACR Stealer, beforehand distributed by way of Hijack Loader malware, is able to harvesting a variety of knowledge from compromised methods, together with recordsdata, internet browser knowledge, and cryptocurrency pockets extensions.
The event comes as ASEC revealed one other marketing campaign that makes use of recordsdata with the extension “MSC,” which could be executed by the Microsoft Administration Console (MMC), to ship the Rhadamanthys stealer malware.
“There are two sorts of MSC malware: one exploits the vulnerability of apds.dll (CVE-2024-43572), and the opposite executes the ‘command’ command utilizing Console Taskpad,” the South Korean firm mentioned.
“The MSC file is disguised as an MS Phrase doc. “When the ‘Open’ button is clicked, it downloads and executes a PowerShell script from an exterior supply. The downloaded PowerShell script accommodates an EXE file (Rhadamanthys).”
CVE-2024-43572, additionally referred to as GrimResource, was first documented by the Elastic Safety Labs in June 2024 as having been exploited by malicious actors as a zero-day. It was patched by Microsoft in October 2024.
Malware campaigns have additionally been noticed exploiting chat help platforms like Zendesk, masquerading as prospects to trick unsuspecting help brokers into downloading a stealer referred to as Zhong Stealer.
In response to a current report printed by Hudson Rock, over 30,000,000 computer systems have been contaminated by info stealers within the “previous few years,” resulting in the theft of company credentials and session cookies that would then be bought by cybercriminals on underground boards to different actors for revenue.
The patrons might weaponize the entry afforded by these credentials to stage post-exploitation actions of their very own, resulting in extreme dangers. These developments serve to spotlight the position performed by stealer malware as an preliminary entry vector that gives a foothold to delicate company environments.
“For as little as $10 per log (pc), cybercriminals should buy stolen knowledge from staff working in categorised protection and army sectors,” Hudson Rock mentioned. “Infostealer intelligence is not nearly detecting who’s contaminated — it is about understanding the total community of compromised credentials and third-party dangers.”
Over the previous yr, menace actors have additionally been ramping up efforts to unfold quite a lot of malware households, together with stealers and distant entry trojans (RATs), by a method referred to as ClickFix that usually entails redirecting customers to faux CAPTCHA verification pages instructing them to repeat and execute nefarious PowerShell instructions.
One such payload dropped is I2PRAT, which employs the I2P anonymization community to anonymize its ultimate C2 server.
“The malware is a complicated menace composed of a number of layers, every incorporating subtle mechanisms,” Sekoia mentioned. “The usage of an anonymization community complicates monitoring and hinders the identification of the menace’s magnitude and unfold within the wild.”
