Cybersecurity experts are sounding alarms about a recent campaign utilizing cracked software versions to spread information-stealing malware, including notable variants such as Lumma and ACR Stealer. The AhnLab Security Intelligence Center (ASEC) has reported a significant increase in ACR Stealer distributions since January 2025.

This malware employs a technique known as the dead drop resolver to ascertain the true command-and-control (C2) server. Interestingly, it makes use of legitimate platforms including Steam, Telegram’s Telegraph, Google Forms, and Google Slides to obscure its malicious operations.

ASEC detailed how adversaries encode the actual C2 domain in Base64 on a specific webpage. “The malware retrieves this page, decodes the string, and extracts the true C2 domain address to enable its harmful activities,” the researchers noted.
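For analysts who have captured such a page (from a proxy log or sandbox), the following added example, which is not code from the original article or from ASEC, pulls dead-drop C2 candidates out of the page text: it finds Base64 runs, decodes them, and keeps only those that decode to a plausible hostname or URL. The sample page and the hostname it encodes are constructed placeholders, not real indicators.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# A run of Base64 characters long enough to hold a hostname, with optional padding.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# A bare hostname, optionally with scheme, port and path, as a resolver might encode it.
_HOST = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}(?::\d{1,5})?(?:/\S*)?$",
    re.IGNORECASE,
)


def _try_decode(token: str) -> Optional[str]:
    """Base64-decode token (tolerating stripped padding); None unless it is printable ASCII."""
    core = token.rstrip("=")
    padded = core + "=" * (-len(core) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid Base64, or decodes to binary rather than text
    text = text.strip()
    return text if text and text.isprintable() else None


def extract_dead_drop_c2(page_text: str) -> List[Tuple[str, str]]:
    """Return (encoded_token, decoded_host) for every Base64 run in captured page
    text that decodes to a plausible hostname or URL, i.e. a dead-drop C2 candidate."""
    hits = []
    for match in _B64_RUN.finditer(page_text):
        decoded = _try_decode(match.group(0))
        if decoded and _HOST.match(decoded):
            hits.append((match.group(0), decoded))
    return hits


# Constructed sample of a profile page captured from a legitimate platform (not a
# real page); the encoded hostname is a placeholder, not a real C2 indicator.
SAMPLE_PAGE = """<html><body>
<div class="profile">About me: just another gamer, cryptocurrency fan</div>
<p>status: YzItdXBkYXRlLmV4YW1wbGUubmV0</p>
<img src="/static/avatar_9f2c1.png">
</body></html>"""

if __name__ == "__main__":
    for encoded, host in extract_dead_drop_c2(SAMPLE_PAGE):
        print(f"dead-drop candidate: {encoded} -> {host}")
```

Long ordinary words such as "cryptocurrency" match the Base64 alphabet but decode to non-ASCII bytes, so the ASCII and hostname checks discard them; decoded candidates still need confirmation against the traffic before being added to a blocklist.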

Previously associated with Hijack Loader malware, ACR Stealer is adept at exfiltrating a wide array of information from infected devices, including files, web browser data, and cryptocurrency wallet extensions. Meanwhile, ASEC has also unveiled another malicious campaign utilizing “MSC” files that execute via the Microsoft Management Console (MMC) to deploy the Rhadamanthys stealer.

The report specifies that the MSC files disguise themselves as MS Word documents. Once the ‘Open’ button is activated, these files download and run a PowerShell script from an external source, which eventually leads to the deployment of an EXE file associated with Rhadamanthys.

The vulnerability exploited here, CVE-2024-43572, commonly referred to as GrimResource, was first reported by Elastic Security Labs in June 2024. Malicious actors capitalized on this zero-day vulnerability before Microsoft issued a patch in October 2024.

In parallel, other malware campaigns have been documented that exploit chat support systems, notably Zendesk, where perpetrators pose as customers to trick support agents into downloading a stealer called Zhong Stealer. A report by Hudson Rock highlights that over 30 million computers have suffered infections from information stealers in recent years, leading to compromised corporate credentials and session cookies that are often sold on underground marketplaces.

Cybercriminals can leverage access granted by these compromised credentials to initiate follow-up attacks, posing severe risks to businesses. Hudson Rock emphasizes that for a mere $10 per stolen log, sensitive data from employees in defense and military sectors can be acquired, underscoring the critical need for awareness about compromised credentials and the risks presented by third-party partnerships.

In recent months, threat actors have significantly escalated their efforts to disseminate various malware families, including stealers and remote access trojans (RATs), through a method known as ClickFix. This often involves redirecting users to fraudulent CAPTCHA verification pages, where unsuspecting individuals are instructed to execute malicious PowerShell commands.

One emerging payload documented is I2PRAT, which operates using the I2P anonymization network to mask its final C2 server. This advanced malware comprises multiple layers, each with sophisticated capabilities, complicating efforts to track its spread. Sekoia emphasizes that the use of an anonymization network significantly obfuscates detection efforts, thereby increasing the challenge of assessing its scale and impact in the cybersecurity landscape.
