This report analyzes the distribution trends of Infostealer malware in June 2025, highlighting various disguises such as cracks and keygens, and the use of SEO poisoning for distribution. It also details emerging threats like the modified ACRStealer and novel infection methods involving installer screens and password-protected files. #ACRStealer #LummaC2 #DLLSideLoading #Infostealer
Keypoints
- AhnLab’s automated systems collect and analyze Infostealer malware distributed primarily through crack disguises and SEO-poisoned posts.
- In June 2025, multiple Infostealers including LummaC2, Rhadamanthys, ACRStealer, Vidar, and StealC were actively distributed, with ACRStealer showing a significant increase due to new variants.
- The majority (94.4%) of Infostealers were delivered as EXE files, while 5.6% used the DLL-SideLoading technique to evade detection.
- Threat actors distribute malware posts on legitimate websites like forums, Q&A pages, and company comments to bypass security measures.
- The modified ACRStealer uses advanced C2 communication evasion techniques such as NT functions, HTTP host domain spoofing, ntdll manual mapping, and Heaven’s Gate for anti-analysis.
- A new malware infection method involves installer screens that copy malware to specific paths and auto-start on boot, presenting user interface overlays to trick users into downloading additional files.
- Some samples now hide compression passwords in images to evade automated decompression and security detection.
MITRE Techniques
- [T1140] Deobfuscate/Decode Files or Information – Modified ACRStealer employs anti-analysis techniques such as “ntdll manual mapping and Heaven’s Gate technique” to evade detection.
- [T1059] Command and Scripting Interpreter – ACRStealer uses NT functions to communicate with C2 servers, bypassing security products (“utilizes NT functions to communicate with the C2”).
- [T1071] Application Layer Protocol – The malware performs C2 communication with HTTP host domain spoofing to disguise traffic (“employs the HTTP host domain spoofing technique to bypass security products”).
- [T1543] Create or Modify System Process – The new malware variant registers itself for auto-execution in the Windows registry to persist (“registers it for auto-execution” in HKCU Run key).
- [T1070] Indicator Removal on Host – The DLL-SideLoading technique modifies only part of legitimate DLL files to evade security detections (“DLL-SideLoading malware are created by modifying only a portion of a legitimate DLL file with malicious code”).
Indicators of Compromise
- [File Hash] Samples of Infostealer malware – 01542f203172d51d65bb37ce2cc2d813, 0896888ab8c9278da66138d2a0c5e713, and 4 more hashes.
- [File Path] Malware creation path – C:\Program Files (x86)\Windows NT\TableTextService\svchost.exe.
- [Registry Key] Auto-execution persistence – HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TableTextServiceStartup.
- [URLs] C2 communication domains – Host domain spoofing indicators found in VirusTotal C2 communication records related to ACRStealer.
Read more: https://asec.ahnlab.com/en/89033/