February 2026 Infostealer Trend Report

AhnLab ASEC’s February 2026 report analyzes Infostealer distribution trends, highlighting heavy use of SEO-poisoned posts that deliver Windows EXE or DLL side-loading samples and macOS Bash/osascript-based droppers. The report notes significant activity from ACRStealer and a surge in Inno Setup downloader campaigns that use PowerShell to fetch additional payloads. #ACRStealer #InnoSetupDownloader

Keypoints

  • AhnLab ASEC uses automated malware collection, email honeypots, and C2 analysis to detect Infostealer campaigns and supply real-time IOCs via the ATIP service.
  • Attackers distribute Infostealers via SEO poisoning by posting on legitimate sites, forums, and poorly managed WordPress pages to rank high in search results.
  • Windows distributions are primarily EXE (≈74.8%) or DLL SideLoading (≈25.2%), with DLLs modified only partially to evade detection.
  • macOS distributions rely on ClickFix (copy/paste terminal commands), Bash scripts, osascript, and fatbin executables, showing very rapid sample mutation rates.
  • Trend highlight: Inno Setup downloader campaigns sharply increased, from 5,323 samples in January to 13,211 in February, often delivering ACRStealer and additional tools via PowerShell.
  • Report includes concrete IOCs (MD5 hashes, distribution URL) and notes collection of 2,073 macOS Bash scripts, 217 fatbin executables, and 31 C2 domains in February.

MITRE Techniques

  • [T1574.001] DLL Side-Loading – Attackers place a legitimate EXE and a malicious DLL in the same folder so the malicious DLL loads when the EXE runs (‘the execution types of Infostealer distributed as above include those distributed as EXE files and those using the DLL SideLoading technique… placing a legitimate EXE file and a malicious DLL file in the same folder’).
  • [T1059.001] PowerShell – Download and execution of additional payloads were performed via PowerShell commands (‘uses PowerShell commands to download and execute multiple additional malicious programs’).
  • [T1059.004] Unix Shell – Bash scripts are used on macOS to deliver and execute Infostealers (‘induces users to download and execute malicious Bash scripts to distribute the Infostealer’; ‘2,073 Bash scripts … were collected’).
  • [T1059.005] AppleScript/osascript – macOS samples use osascript-based implementations to execute payloads (‘implemented via osascript’).
  • [T1204.002] User Execution: Malicious File – Users are tricked into running installers/next-button flows (Inno Setup) that fetch and run malicious code (‘Clicking the “Next” button downloads and executes the malicious code’).
  • [T1105] Ingress Tool Transfer – Downloading additional malicious programs and tools (ACRStealer, proxyware, Tor proxy) to the victim via network retrieval methods (‘download and execute multiple additional malicious programs, including the ACRStealer Infostealer… Proxyware and Tor proxy’).
  • [T1036] Masquerading – Malware is disguised as cracks, keygens, or legitimate installers to appear benign and bypass user suspicion or detection (‘Infostealer disguised as illegal programs such as cracks and keygens’).

Indicators of Compromise

  • [MD5] Collected malware sample hashes – 03f9b573497f7161f248a01576af66d6, 049f6afa92e1a62413f7ec566b7bef75, and 3 more hashes.
  • [URL] Distribution URL observed – http[:]//electrico[.]co[.]zw/wp-templates/five/five/fre[.]php (used as a malware distribution landing page).
  • [C2 Domains] Command-and-control infrastructure count – 31 C2 domains were collected for macOS Infostealers in February (no specific domain names listed in the summary).
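To put the indicators above to use, the following script is an added example (not code from AhnLab ASEC or the report) that sweeps a directory for files whose MD5 matches the two hashes listed in full on this page and scans proxy log lines for the defanged distribution URL. The log lines, file names and file contents in the script are constructed for the demonstration; the `refang` step assumes the common `[.]`/`[:]`/`hxxp` defanging conventions, and URL matching is done on host plus path so that http/https variants and logs that were themselves defanged still match.

```python
"""Match the February 2026 Infostealer IOCs listed above against local files and proxy logs."""
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# IOCs copied from the report summary; only two MD5s are given in full on the page.
REPORT_MD5 = {
    "03f9b573497f7161f248a01576af66d6",
    "049f6afa92e1a62413f7ec566b7bef75",
}
REPORT_URLS_DEFANGED = [
    "http[:]//electrico[.]co[.]zw/wp-templates/five/five/fre[.]php",
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator back to its literal form so it can be matched in logs."""
    return indicator.replace("[:]", ":").replace("[.]", ".").replace("hxxp", "http")


def md5_of_file(path, chunk_size: int = 1 << 16) -> str:
    """MD5 of a file, read in chunks so large binaries need not fit in memory.

    usedforsecurity=False: MD5 is only an IOC lookup key here, and this keeps
    the call working on FIPS-restricted Python builds.
    """
    digest = hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root, ioc_md5=frozenset(REPORT_MD5)) -> dict:
    """Return {path: md5} for every regular file under root whose MD5 is in ioc_md5."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = md5_of_file(path)
            if digest in ioc_md5:
                hits[str(path)] = digest
    return hits


def match_proxy_log(lines, defanged_urls=REPORT_URLS_DEFANGED) -> list:
    """Return log lines that reference a known distribution URL (matched on host + path)."""
    keys = []
    for url in defanged_urls:
        parsed = urlparse(refang(url))
        keys.append(parsed.netloc + parsed.path)
    # Refang each line too, in case the log export was defanged before analysis.
    return [line for line in lines if any(key in refang(line) for key in keys)]


# Constructed proxy log lines (not from the report): one hit, one benign site,
# and one request to the same host but a different path, which must not match.
SAMPLE_PROXY_LOG = """\
2026-02-10T09:12:44Z src=10.0.0.15 GET https://electrico.co.zw/wp-templates/five/five/fre.php 200
2026-02-10T09:12:45Z src=10.0.0.15 GET https://example.org/index.html 200
2026-02-10T09:13:01Z src=10.0.0.22 GET http://electrico.co.zw/wp-login.php 403
"""


def demo() -> dict:
    """Run both checks on constructed data and return the results for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "setup.exe"  # constructed file, not real malware
        sample.write_bytes(b"constructed sample content")
        (Path(tmp) / "readme.txt").write_text("nothing to see here")
        sample_md5 = md5_of_file(sample)
        report_hits = scan_directory(tmp)                     # no match: content is made up
        constructed_hits = scan_directory(tmp, {sample_md5})  # shows the matcher firing
    log_hits = match_proxy_log(SAMPLE_PROXY_LOG.splitlines())
    return {
        "report_hits": len(report_hits),
        "constructed_hits": len(constructed_hits),
        "constructed_hit_is_sample": list(constructed_hits.values()) == [sample_md5],
        "log_hits": log_hits,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point `scan_directory` at a download folder or a mounted disk image and feed `match_proxy_log` the lines of a real proxy export; a hit on the URL is worth correlating with subsequent PowerShell and Inno Setup activity on the same host, since the report ties that landing page to downloader campaigns that fetch further payloads.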


Read more: https://asec.ahnlab.com/en/92902/