The ACRStealer malware, an infostealer disguised as illegal software such as cracks and keygens, has seen a significant increase in its distribution since the beginning of 2025.
Initially distributed in limited volumes in mid-2024, this malware has now gained traction, with February’s activity levels matching those of January, signaling a sharp upward trend.
Security researchers from AhnLab Security Intelligence Center (ASEC) have identified its use of Google Docs as an intermediary command-and-control (C2) platform, a novel tactic that sets it apart from other infostealers.
ACRStealer employs a sophisticated technique known as Dead Drop Resolver (DDR), leveraging legitimate web platforms like Google Docs to mask its malicious operations.
Threat actors encode the actual C2 domain using Base64 and embed it within specific pages on platforms such as Google Docs Forms and Presentations.
The malware accesses these pages, decodes the information, and retrieves the actual C2 address to execute malicious activities.
This intermediary C2 approach has also been observed in other malware families like Vidar and LummaC2.
Unlike traditional methods, ACRStealer demonstrates flexibility by continuously altering the platforms and locations where C2 strings are embedded.
For instance, while earlier versions used visible areas on Steam pages, recent samples hide these strings within metadata fields like “summary,” making them accessible only through the page source.
This adaptability suggests that threat actors will continue to exploit diverse platforms for intermediary C2 operations.
Once operational, ACRStealer retrieves configuration data from its C2 server using a hardcoded UUID format.
This configuration file specifies the types of data to be exfiltrated, including browser credentials, cryptocurrency wallets, FTP server information, email client data, VPN details, password manager files, and more.
The stolen data is compressed into ZIP files before being transmitted to the C2 server.
The malware targets a wide range of programs and file types, including popular browsers (e.g., Chrome, Firefox), cryptocurrency wallets (e.g., MetaMask, Trust Wallet), remote access tools (e.g., AnyDesk), and password managers (e.g., LastPass).
Additionally, it extends its reach to browser extensions and plugins associated with cryptocurrency and authentication services.
The increasing distribution of ACRStealer highlights its growing threat to users worldwide. By exploiting trusted platforms like Google Docs for malicious purposes, the malware evades traditional detection mechanisms.
Users are strongly advised to avoid downloading illegal software from untrustworthy sources and remain vigilant against suspicious online activities.
As cybercriminals continue to refine their tactics, organizations must adopt proactive measures to detect and mitigate such threats effectively.