AhnLab’s January 2026 report summarizes the automated collection and analysis of infostealer samples distributed via SEO-poisoned crack/keygen pages and posts on forums and corporate sites, and highlights differences in Windows and macOS distribution and obfuscation techniques. Notable findings include ACRStealer’s shift from a hardcoded AES key to ECDH + ChaCha20-Poly1305 for C2 encryption, and rapid macOS sample churn with terminal copy-paste (ClickFix) lures and osascript-based payloads. #ACRStealer #MacSyncStealer
Keypoints
- ASEC (AhnLab) uses automated collection systems (collection of malware disguised as cracks, email honeypots, automated C2 analysis) and provides real-time IOCs via ATIP.
- Infostealers are commonly distributed disguised as cracks/keygens using SEO poisoning; attackers now post on legitimate forums, corporate Q&A pages, and poorly managed WordPress sites to rank in search results.
- Primary families observed in January were LummaC2, Vidar, and ACRStealer, with macOS families like MacSync Stealer also actively distributed.
- Windows delivery was ~70.8% standalone EXE and ~29.2% DLL SideLoading; in the side-loading bundles the attacker’s changes are small (a legitimate EXE shipped alongside one malicious DLL), so file-level detection of the package is weaker than for a self-contained malicious EXE.
- macOS distribution uses ClickFix (copy-paste terminal commands), delivers Fatbin binaries or osascript-based payloads, and exhibits very rapid sample hash churn (minute/hourly changes).
- ACRStealer variants moved from a hardcoded AES key to an ECDH key exchange on SECP256R1 (P-256) with ChaCha20-Poly1305 for traffic encryption, with a session-identifying ‘X-Requests-Key’ header issued by the C2; a key recovered from one sample therefore no longer decrypts other sessions’ traffic, so decryption requires capturing the exchange itself.
- MacSync Stealer distribution impersonates GitHub to coax users into pasting commands that download DMGs and Base64/gzip-encoded scripts, which run osascript to collect data and exfiltrate it to the C2 (sestraining[.]com).
MITRE Techniques
- [T1574] Hijack Execution Flow – DLL SideLoading was used where ‘a normal EXE file and a malicious DLL file are placed in the same folder, causing the malicious DLL file to be loaded when the normal EXE file is executed.’
- [T1059.002] Command and Scripting Interpreter: AppleScript – macOS payloads executed via osascript as described: ‘the script connects to C2, downloads and executes an osascript file, and then sends the resulting file back to C2.’
- [T1059.004] Command and Scripting Interpreter: Unix Shell – macOS distribution used Bash/zsh scripts that ‘execute a Base64 encoded command using zsh’ and scripts that ‘decompress Base64 encoded data using gzip and then execute it.’
- [T1204] User Execution – The distribution page ‘is designed to encourage users to copy the content from the input box and paste it into the terminal for execution,’ so the victim launches the payload directly.
- [T1027] Obfuscated Files or Information – Use of Base64 encoding, gzip compression, and rapid sample/hash changes (‘hash values of the malware change on a minute or hourly basis’) to hinder detection and analysis.
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication over HTTP/S with custom headers, including encrypted exchanges and the session header ‘X-Requests-Key’ issued during the key exchange.
Indicators of Compromise
- [File Hash] AhnLab-provided sample hashes and detections – example SHA256: 7a5c704e85df3dec08c9ab17857c4ac13337c23f43616d2736653963de7f91f2, MacSync MD5 (a 32-hex-character digest, not a SHA256): 4aab18983ab8c00f3c619b75033ce548, and other sample hashes.
- [MD5] Listed MD5s from the report used for detection – example MD5: 01d120f0c69e3d3d46954bfab810ca5f, 039d3ed581a75ae7f85a38aeec34bd52, and 3 more MD5s.
- [Domain / FQDN] Command-and-control and distribution domains – sestraining[.]com (MacSync C2), www[.]corvix[.]life (distribution), and other C2 names.
- [IP Address] Observed C2 IPs associated with samples – 146[.]103[.]102[.]11, 94[.]103[.]95[.]97.
- [File Path / Filename] Artifacts created or used by payloads – compressed exfiltration file ‘/tmp/osalogging.zip’ and the downloaded DMG used as a disguise during macOS distribution.
Read more: https://asec.ahnlab.com/en/92646/