November 2025 Infostealer Trend Report

AhnLab ASEC’s November 2025 report details widespread distribution of Infostealer families (notably ACRStealer, LummaC2, Rhadamanthys, and AURA Stealer) using SEO-poisoned posts and cracks/keygens, with a marked shift toward DLL sideloading and new loader variants that fetch payloads from multiple fake C2s. The report includes behavioral details (HTTP(s) C2 traffic, XOR/Base64 obfuscation, explorer.exe injection), MD5 sample hashes, and the ATIP IOC services used to block C2s in real time. #AURA_Stealer #ACRStealer

Keypoints

  • ASEC collects malware via automated systems (crack/patch honeypots, email honeypots, C2 analysis) and shares real-time IOC and file analysis via ATIP services.
  • Infostealers were frequently disguised as cracks/keygens and promoted using SEO poisoning by posting on legitimate forums, Q&A pages, and comment sections to appear at top of search results.
  • Distribution methods split between standalone EXE (22.7%) and DLL sideloading (77.3%), with a significant month-over-month increase in DLL sideloading driven by new loader variants.
  • New loader families perform numerous HTTP(s) connections to multiple fake C2s, download a JSON configuration, XOR-decrypt the ["cache"]["content"] value to produce a binary, then load and execute modules.
  • AURA Stealer activity increased notably; it injects into explorer.exe, receives Base64-encoded configuration from C2, steals data per configuration, and transmits collected data Base64-encoded to C2 endpoints (/api/conf, /api/send, /api/live).
  • Five MD5 sample hashes are provided and ASEC notes it often collects and responds to samples before they appear on VirusTotal, enabling rapid C2 blocking via ATIP.

MITRE Techniques

  • [T1574] DLL Side-loading / Hijack Execution Flow – Used to load a malicious DLL alongside a legitimate EXE: (‘the DLL Sideloading technique, which involves placing a legitimate EXE file and a malicious DLL file in the same folder so that when the legitimate EXE file is executed, the malicious DLL file is loaded.’)
  • [T1055] Process Injection – AURA Stealer injects into explorer.exe to run and hide its theft routines: (‘When executed, it injects into explorer.exe.’)
  • [T1071] Application Layer Protocol (Web/HTTP(S)) – Malware performs numerous HTTP(s) connections to C2 and downloads configuration and payloads over web protocols: (‘When the malware is executed, it performs numerous HTTP(s) connections…downloading a JSON file from the actual C2.’)
  • [T1027] Obfuscated Files or Information – Malware uses XOR decryption to reconstruct a binary from downloaded content: (‘when the value of ["cache"]["content"] is XOR-decrypted, a malware binary is generated and the module is loaded and executed.’)
  • [T1132] Data Encoding – Configuration and stolen data are encoded in Base64 for transport between malware and C2: (‘It receives Base64-encoded configuration data from the C2…and then encodes the collected information in Base64 before transmitting it to the C2.’)
  • [T1105] Ingress Tool Transfer – Loader variants download and execute additional payloads from multiple fake C2 servers as part of mass distribution: (‘mass distribution of malware that connects to multiple fake C2s and downloads and executes malicious payloads from the C2.’)
  • [T1041] Exfiltration Over C2 Channel – Collected data is sent back to C2 endpoints (e.g., /api/send) after encoding, indicating exfiltration via the command-and-control channel: (‘https://{C2}/api/send – stolen information sent’)
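The AURA Stealer C2 sequence described in the Keypoints and in the T1071/T1132/T1041 entries above (configuration fetched from /api/conf, collected data sent to /api/send, with /api/live as a supporting signal) can be turned into a simple proxy-log triage heuristic. The example below is added here and is not code from the ASEC report; the log line format, the internal IPs, the "c2.example.invalid" host and the 10-minute window are constructed assumptions.

```python
"""Flag internal hosts whose outbound web traffic follows the AURA Stealer
C2 URL pattern: a hit on /api/conf followed, on the same external host,
by a hit on /api/send within a short window. /api/live hits are counted
as a supporting signal only. Log format is an assumption for this example."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Assumed proxy-log layout: "<ISO timestamp> <src_ip> <method> <url>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
CONFIG_PATH, EXFIL_PATH, BEACON_PATH = "/api/conf", "/api/send", "/api/live"

# Constructed sample lines (not from the report): one host shows the full
# conf -> send sequence, another only hits an unrelated /api/conf path.
SAMPLE_LOG = """\
2025-11-12T09:00:01 10.0.0.15 GET https://c2.example.invalid/api/live
2025-11-12T09:00:02 10.0.0.15 GET https://c2.example.invalid/api/conf
2025-11-12T09:00:47 10.0.0.15 POST https://c2.example.invalid/api/send
2025-11-12T09:01:10 10.0.0.22 GET https://www.example.com/api/conf
2025-11-12T09:30:00 10.0.0.22 GET https://www.example.com/api/status
""".splitlines()

def parse_line(line):
    """Return (timestamp, src_ip, host, path) or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, _method, url = m.groups()
    u = urlparse(url)
    return datetime.fromisoformat(ts), src, u.hostname, u.path

def find_aura_pattern(lines, window_seconds=600):
    """Return {(src_ip, host): {"conf_at", "send_at", "live_beacons"}} for every
    source/host pair where /api/send follows /api/conf within window_seconds."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, host, path = rec
        if host and path in (CONFIG_PATH, EXFIL_PATH, BEACON_PATH):
            events[(src, host)].append((ts, path))
    hits = {}
    for key, evs in events.items():
        confs = sorted(t for t, p in evs if p == CONFIG_PATH)
        sends = sorted(t for t, p in evs if p == EXFIL_PATH)
        live = sum(1 for _, p in evs if p == BEACON_PATH)
        for c in confs:
            later = [s for s in sends if 0 <= (s - c).total_seconds() <= window_seconds]
            if later:
                hits[key] = {"conf_at": c, "send_at": later[0], "live_beacons": live}
                break
    return hits
```

Path names alone are weak evidence, so a hit should be pivoted on the destination host and the originating process rather than blocked outright.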

Indicators of Compromise

  • [File hash] Sample MD5 hashes collected and analyzed – 055e2fc77821cc4322a940b9ce0cc0b8, 140816d53460fff723991818b9b9063d, and 3 more hashes
  • [C2 URL / Domain] C2 endpoints and URL patterns used by AURA Stealer and loaders – https://{C2}/api/live, https://{C2}/api/conf, https://{C2}/api/send


Read more: https://asec.ahnlab.com/en/91600/