AhnLab ASEC’s October 2025 analysis found Infostealer distribution relying heavily on SEO-poisoned crack/keygen posts, growing use of DLL side-loading, and a new loader DLL type that fetches its configuration from C2 servers such as evgshippingline[.]com. The most common Infostealers were Rhadamanthys, ACRStealer, and LummaC2; LummaC2’s volume fluctuated during the month, and specific C2 paths (/nfront.php, /nback.php) and download URLs were identified. #Rhadamanthys #ACRStealer #LummaC2 #evgshippingline.com
Key points
- AhnLab ASEC used automated collection systems (crack disguise collector, email honeypot, C2 analysis) and ATIP services to gather and share Infostealer data in real time.
- Infostealers are frequently distributed disguised as cracks/keygens via SEO poisoning on legitimate forums, Q&A pages, free boards, and comment sections to boost search ranking.
- In October 2025 the top distributed Infostealers were Rhadamanthys, ACRStealer, and LummaC2; LummaC2 showed a sharp decrease in late September and a resurgence in late October.
- Distribution methods split 45.0% EXE format and 55.0% DLL side-loading, with LummaC2 mainly delivered as EXE and ACRStealer mainly via DLL side-loading.
- A new mass-distributed loader DLL variant was observed that uses consistent encrypted-shellcode filenames (starting with “._”) and connects to the C2 endpoints /nfront.php and /nback.php to fetch its configuration and report results.
- The downloaded configuration directs the loader to fetch encrypted payloads and PowerShell scripts (examples: mijnplug[.]com/vPByUaGJ/149.bin and jpg.namaramalan[.]com/6joCvF/2110.txt) that install or execute Infostealers such as Rhadamanthys.
- AhnLab’s automatic collection captured many samples that were not on VirusTotal at collection time, highlighting the value of these systems for early detection and for C2 blocking via ATIP.
MITRE Techniques
- [T1071] Application Layer Protocol – Malware connects to C2 using HTTP(S) paths (/nfront.php to receive config, /nback.php to send results) (“Connects to /nfront.php to download the encrypted configuration data… /nback.php (Send execution result)”).
- [T1105] Ingress Tool Transfer – Downloads additional encrypted malware and scripts from URLs provided in configuration (e.g., “hxxps://mijnplug[.]com/vPByUaGJ/149.bin”, “hxxps://jpg.namaramalan[.]com/6joCvF/2110.txt”).
- [T1218] Signed Binary Proxy Execution (DLL Side-Loading) – Uses a legitimate EXE and a malicious DLL placed together so the legitimate EXE loads the malicious DLL (“placing a legitimate EXE file and a malicious DLL file in the same folder, allowing the malicious DLL file to be loaded when the legitimate EXE file is executed”).
- [T1059.001] PowerShell – Configuration includes PowerShell commands that download and execute scripts to modify browser plugins and perform further actions (“The PowerShell command was used to download a PowerShell script from the C2, which replaces a browser plugin with a malicious script”).
- [T1496] Resource Hijacking / Installer Modification (Loader behavior) – New loader DLL variant fetches encrypted shellcode/config and acts per remote commands to install or execute payloads (“Upon execution, it connects to the C2 to download the configuration data and performs malicious behaviors according to this configuration”).
Indicators of Compromise
- [MD5] Sample hashes reported – 0223b36e193979cf72ff7dae6d2493c7, 046a0e41374a937d30f6984a6b760b17 (and 3 more hashes).
- [URL] C2 and download URLs – hxxps://evgshippingline[.]com/nfront[.]php, hxxps://evgshippingline[.]com/nback[.]php, and download URLs hxxps://mijnplug[.]com/vPByUaGJ/149.bin, hxxps://jpg.namaramalan[.]com/6joCvF/2110.txt.
- [HTTP/URL] Distribution links used in SEO-poisoned posts – http[:]//www[.]mirado[.]website/tu4v/, https[:]//drive[.]google[.]com/uc?export=download&id=1d60lgwqA-lb1KhoCorPwcSe3a2kQTEir.
- [FQDN] Domain used for hosting/distribution – www[.]mirado[.]website (referenced in distribution context).
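To turn the C2 paths and download URLs above into a check a defender can run against web-proxy logs, here is an added example (not from ASEC or the original post) that refangs the listed indicators and matches them against constructed log lines by host and path; the log format, the sample lines and their timestamps are assumptions.

```python
import re
from urllib.parse import urlparse

# Defanged indicators exactly as listed in the ASEC summary above.
DEFANGED_IOCS = [
    "hxxps://evgshippingline[.]com/nfront[.]php",
    "hxxps://evgshippingline[.]com/nback[.]php",
    "hxxps://mijnplug[.]com/vPByUaGJ/149.bin",
    "hxxps://jpg.namaramalan[.]com/6joCvF/2110.txt",
    "http[:]//www[.]mirado[.]website/tu4v/",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a parseable URL."""
    s = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)

def ioc_key(url: str) -> tuple[str, str]:
    """Normalise to (host, path) so scheme/port/query differences don't hide a hit."""
    p = urlparse(url)
    return (p.hostname or "").lower(), (p.path or "/")

IOC_KEYS = {ioc_key(refang(i)) for i in DEFANGED_IOCS}
IOC_HOSTS = {h for h, _ in IOC_KEYS}
# Constructed proxy log lines (hypothetical format: ts client method url status).
SAMPLE_LOG = """\
2025-10-14T09:01:12Z 10.0.0.21 POST https://evgshippingline.com/nfront.php 200
2025-10-14T09:01:13Z 10.0.0.21 GET https://mijnplug.com/vPByUaGJ/149.bin 200
2025-10-14T09:01:14Z 10.0.0.21 POST https://evgshippingline.com/nback.php 200
2025-10-14T09:02:00Z 10.0.0.22 GET https://example.org/index.html 200
2025-10-14T09:02:05Z 10.0.0.23 GET https://evgshippingline.com/other.php 404
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def scan_log(text: str) -> list[dict]:
    """One finding per line hitting an IoC URL (match=url) or only its host (match=host)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, method, url, status = m.groups()
        host, path = ioc_key(url)
        if (host, path) in IOC_KEYS:
            findings.append({"ts": ts, "client": client, "url": url, "match": "url"})
        elif host in IOC_HOSTS:
            findings.append({"ts": ts, "client": client, "url": url, "match": "host"})
    return findings
```

A host-only hit (for example a different path on evgshippingline[.]com) is still worth triage, since the paths may change between loader builds while the C2 domain stays the same.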
Read more: https://asec.ahnlab.com/en/91062/