April 2025 Infostealer Trend Report

Information-stealing malware (Infostealers) is increasingly distributed disguised as cracks and pirated software, using SEO poisoning and posts on legitimate websites to evade detection. Notable distribution trends in April 2025 were a surge in StealC samples and LummaC2's use of Telegram and Steam accounts as relay C2 channels.

Keypoints

  • AhnLab’s automated systems collect and analyze malware samples in real time and publish the resulting C2 and file analysis information through its ATIP IOC service.
  • Infostealer malware is commonly disguised as crack or keygen software and distributed via SEO Poisoning, placing malicious links atop search engine results.
  • Distribution posts are created on legitimate sites including forums, Q&A pages, Pinterest, and SlideShare to evade search engine filters.
  • Most Infostealer samples (86.8%) are distributed as EXE files; the remaining 13.1% use DLL-SideLoading, where a malicious DLL is placed beside a legitimate executable that loads it.
  • There was a marked increase in StealC Infostealer samples starting mid-April 2025, with daily sample generation tripling compared to normal levels.
  • LummaC2 malware samples were distributed in an unpacked form, showing a message box that requires user interaction, likely due to a threat actor oversight.
  • LummaC2 uses the Dead Drop Resolver (DDR) technique: it reads an encrypted string from a legitimate Telegram or Steam account and decrypts it with ROT-11 to obtain the actual C2 address.

MITRE Techniques

  • [T1574] Hijack Execution Flow: DLL Side-Loading – Used to execute Infostealer malware by placing a malicious DLL alongside a legitimate EXE, causing the legitimate executable to load the malicious DLL (‘DLL-SideLoading technique, which involves placing a legitimate EXE file and a malicious DLL file in the same folder…’).
  • [T1204.002] User Execution: Malicious File – LummaC2 malware requires the user to click “Yes” on a message box to trigger malicious activity (‘The malicious behavior is only triggered when the user clicks “Yes”’).
  • [T1102.001] Web Service: Dead Drop Resolver – LummaC2 uses legitimate online services such as Telegram and Steam as relay command and control channels to obtain the actual C2 addresses (‘LummaC2 malware that utilize Telegram or Steam as a relay C2’).
  • [T1608.006] Stage Capabilities: SEO Poisoning – Malicious distribution posts are ranked high in search engine results, increasing the likelihood of victim interaction (‘SEO Poisoning, which involves making the distribution post appear at the top of search engine results’).
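The dead drop resolver step described in the key points and in the T1102.001 entry above, as an added analyst-side decoder (this is example code, not AhnLab's or the malware's own code). The report states only that the C2 string is fetched from a legitimate Telegram or Steam account and decrypted with ROT-11; the page markup, the `profile_name` marker used to locate the string, and the rotation direction are assumptions made for illustration. The sample page is constructed inline so the script runs offline.

```python
"""Dead-drop-resolver decoder for a ROT-11 obfuscated C2 string.

Added example, not code from the report. Only the ROT-11 step and the use of
Telegram/Steam pages come from the report; the markup, marker, and rotation
direction are assumptions.
"""
import re
from typing import Optional

# Constructed stand-in for a fetched profile page. The span class name and
# the surrounding markup are made up for this example; the blob inside is
# "relay.example.test" after forward ROT-11.
SAMPLE_PROFILE_PAGE = """<html><body>
<div class="header"><span class="profile_name">
  cpwlj.pilxawp.epde
</span></div>
</body></html>"""

# Loose hostname shape check, used only to reject obviously wrong extractions.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def rot_n(text: str, n: int) -> str:
    """Rotate ASCII letters by n positions; digits and punctuation are kept."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + n) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + n) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def rot11_encode(text: str) -> str:
    """Forward ROT-11, i.e. what the operator applies before posting."""
    return rot_n(text, 11)


def rot11_decode(text: str) -> str:
    """Reverse ROT-11. The direction is an assumption: if the result is not
    a valid hostname, try rot_n(text, 11) instead."""
    return rot_n(text, -11)


def extract_dead_drop_string(page: str) -> Optional[str]:
    """Pull the candidate blob out of the profile markup (marker assumed)."""
    m = re.search(r'class="profile_name">\s*(.*?)\s*</span>', page, re.S)
    return m.group(1) if m else None


def resolve_c2(page: str) -> Optional[str]:
    """Full DDR step: locate the blob, undo ROT-11, sanity-check the result.
    Returns None if no blob was found or the decode is not hostname-shaped."""
    blob = extract_dead_drop_string(page)
    if blob is None:
        return None
    host = rot11_decode(blob)
    return host if HOSTNAME_RE.match(host) else None


if __name__ == "__main__":
    print(resolve_c2(SAMPLE_PROFILE_PAGE))
```

Feeding the script a saved copy of a suspect profile page, rather than the constructed sample, is the usual workflow; the hostname check only filters out mis-extracted markup, it cannot tell the two rotation directions apart, so verify the decoded domain against the sample's network traffic.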

Indicators of Compromise

  • [File Hash] MD5 hashes of Infostealer samples – 015b508a45586c4d6503eb157cc41676, 0225513443e46c75e1fbc61433c19df0, and 4 more hashes referenced in analysis.
  • [C2 Relays] Legitimate Telegram and Steam accounts used as dead drop resolvers for LummaC2 C2 addresses; the specific account identifiers are not reproduced here.
  • [File Names/Formats] Malware distributed predominantly as EXE files (86.8%) and as DLLs via DLL-SideLoading (13.1%).


Read more: https://asec.ahnlab.com/en/88062/