Cybersecurity experts have identified a new campaign that utilizes pirated software as bait to distribute information-stealing malware like Lumma and ACR Stealer.
According to the AhnLab Security Intelligence Center (ASEC), there has been a significant surge in the distribution of ACR Stealer since January 2025.
A notable feature of the ACR Stealer malware is its use of a technique known as dead drop resolver to locate its actual command-and-control (C2) server: the malware looks up the address on legitimate services such as Steam, Telegram’s Telegraph, Google Forms, and Google Slides rather than hardcoding it.
“Threat actors encode the actual C2 domain in Base64 on a specific page,” ASEC explained. “The malware accesses this page, decodes the string, and obtains the actual C2 domain address to carry out malicious activities.”
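To make the dead-drop pattern ASEC describes concrete for analysts, here is an added Python script (not ASEC's, the malware's, or any vendor's code) that pulls Base64 tokens from a captured copy of such a page and keeps only those that decode to a hostname or URL host, so the real C2 address can be recorded as an indicator. The page body, the `c2.example.invalid` host and the token-matching heuristics are all constructed assumptions for this example.

```python
import base64
import re

# Constructed sample of a dead-drop page body (not a real page or indicator).
# Among ordinary profile text sit Base64 tokens; only some decode to a hostname.
SAMPLE_PAGE = """
<html><body>
<h1>profile</h1>
<p>welcome to my page</p>
<p>YzIuZXhhbXBsZS5pbnZhbGlk</p>
<p>aGVsbG8gd29ybGQ=</p>
<p>/9j/4AAQSkZJRg==</p>
<p>aHR0cDovL2MyLmV4YW1wbGUuaW52YWxpZC9nYXRl</p>
</body></html>
"""

# Heuristic (assumed, not from ASEC): a run of 12+ Base64 alphabet characters
# with optional padding, not glued to other Base64-looking characters. Long
# ordinary words can also match; the decode-and-validate steps discard them.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def decode_candidates(page: str) -> list[str]:
    """Return every Base64 token on the page that decodes to printable ASCII."""
    found = []
    for token in B64_TOKEN.findall(page):
        try:
            raw = base64.b64decode(token, validate=True)
            text = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):  # bad length/alphabet, or binary
            continue
        if text.isprintable():
            found.append(text)
    return found


def extract_c2_hosts(page: str) -> list[str]:
    """Keep decoded strings that are a hostname or the host part of a URL."""
    hosts = []
    for text in decode_candidates(page):
        host = re.sub(r"^https?://", "", text.strip().lower()).split("/")[0]
        if HOSTNAME.match(host) and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for host in extract_c2_hosts(SAMPLE_PAGE):
        print("dead-drop resolved C2 candidate:", host)
```

Run against a saved copy of the Steam, Telegraph, Forms or Slides page the sample connects to; the JPEG-looking and plain-text tokens in the sample show the two kinds of false positives the filters drop.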
ACR Stealer, previously distributed via Hijack Loader malware, is capable of harvesting a wide range of information from compromised systems, including files, web browser data, and cryptocurrency wallet extensions.
ASEC has also uncovered another campaign that utilizes files with the “MSC” extension, which can be executed by the Microsoft Management Console (MMC), to deliver the Rhadamanthys stealer malware.
“There are two types of MSC malware: one exploits the vulnerability of apds.dll (CVE-2024-43572), and the other executes the ‘command’ command using Console Taskpad,” the South Korean company explained.
“The MSC file is disguised as an MS Word document. When the ‘Open’ button is clicked, it downloads and executes a PowerShell script from an external source. The downloaded PowerShell script contains an EXE file (Rhadamanthys).”
CVE-2024-43572, also known as GrimResource, was first documented by Elastic Security Labs in June 2024 as a zero-day exploit. It was patched by Microsoft in October 2024.
Additionally, malware campaigns have been observed exploiting chat support platforms like Zendesk, where threat actors masquerade as customers to trick unsuspecting support agents into downloading a stealer called Zhong Stealer.
According to a recent report published by Hudson Rock, over 30 million computers have been infected by information stealers in the past few years, resulting in the theft of corporate credentials and session cookies that can be sold by cybercriminals on underground forums for profit.
The buyers of these stolen credentials can then use them to stage post-exploitation actions, posing severe risks. These developments highlight the role of stealer malware as an initial access vector that provides a foothold into sensitive corporate environments.
“For as little as $10 per log (computer), cybercriminals can purchase stolen data from employees working in classified defense and military sectors,” Hudson Rock said. “Infostealer intelligence isn’t just about detecting who’s infected – it’s about understanding the full network of compromised credentials and third-party risks.”
Over the past year, threat actors have also increased their efforts to spread various malware families, including stealers and remote access trojans (RATs), through a technique called ClickFix, which often involves redirecting users to fake CAPTCHA verification pages that instruct them to copy and execute malicious PowerShell commands.
One such payload dropped is I2PRAT, which routes its traffic through the I2P anonymization network to hide the location of its final C2 server.
“The malware is an advanced threat composed of multiple layers, each incorporating sophisticated mechanisms,” Sekoia said. “The use of an anonymization network complicates tracking and hinders the identification of the threat’s magnitude and spread in the wild.”