The March 2026 analysis of Infostealer samples shows Windows samples were predominantly EXE with notable DLL side-loading activity, while macOS campaigns relied on rapidly mutating Bash scripts and a ClickFix clipboard method to trigger terminal execution. Major families identified include ACRStealer, Vidar, and LummaC2, with distribution via cracked software/SEO poisoning, forum/WordPress post injection, and an ACRStealer variant exploiting the Ren’Py game package. #ACRStealer #Vidar
Key points
- Windows samples: ~82.6% in EXE format and ~17.4% using DLL side-loading.
- macOS distribution: 472 Bash scripts and 117 C2 domains collected in March; the ClickFix clipboard method is used to trigger terminal commands, and samples mutate rapidly.
- Main malware families observed: ACRStealer, Vidar, and LummaC2, including an ACRStealer instance exploiting Ren’Py to decrypt and execute encrypted payloads.
- Distribution methods include disguised illegal software (cracks/keygens), SEO poisoning, and injecting posts into legitimate message boards, forums, and administrative WordPress instances.
- DLL side-loading samples are modified to resemble legitimate DLLs to evade detection, increasing difficulty for automated defenses.
- Recommendations: strengthen monitoring and validation for DLL side-loading and macOS ClickFix techniques, and maintain rapid automated collection and real-time IOC dissemination.
MITRE Techniques
- [T1574] Hijack Execution Flow – DLL side-loading used to load malicious code by masquerading as legitimate libraries (‘DLL side-loading is characterized by modifications to look similar to legitimate DLLs to evade detection.’)
- [T1059.004] Command and Scripting Interpreter: Unix Shell – macOS distribution used Bash scripts and clipboard-based command execution via ClickFix to trigger terminal execution (‘the macOS distribution uses the ClickFix method to dynamically add malicious commands to the clipboard to trigger terminal execution’)
- [T1204] User Execution – Threat actors rely on users executing disguised illegal software and SEO-poisoned content to deliver Infostealers (‘threat actors disguise illegal software such as cracks and keygens and utilize SEO poisoning.’)
- [T1036] Masquerading – Files and DLLs modified to resemble legitimate counterparts to avoid detection (‘DLL side-loading is characterized by modifications to look similar to legitimate DLLs to evade detection.’)
- [T1027] Obfuscated Files or Information – Rapid mutation of macOS samples and frequent hash changes used to evade signature-based detection (‘the mutation rate is extremely fast, with sample hashes changing on a minute-to-hour basis.’)
- [T1203] Exploitation for Client Execution – ACRStealer distribution exploited the Ren’Py game package to decrypt and execute encrypted data (‘An ACRStealer distribution was identified that exploits the Ren’Py game package to decrypt and execute encrypted data.’)
Indicators of Compromise
- [MD5 Hashes] malware sample identifiers – 01706569197674576bd8459a635bbbc8, 0664c83d26c7a70b14b63e56328de1b7, and 3 more hashes
- [File Types] Windows sample formats – .exe (≈82.6%), .dll side-loading (≈17.4%)
- [macOS Bash scripts] distribution artifacts – 472 Bash scripts collected (file names not provided)
- [C2 Domains] command-and-control domains – 117 domains collected (examples not provided in report)
Read more: https://asec.ahnlab.com/en/93293/