January 2025 Infostealer Trend Report

This report provides statistics, trends, and case information on the distribution quantity, distribution methods, and disguise techniques of Infostealers collected and analyzed during January 2025. Below is a summary of the report's content.

1. Data Sources and Collection Methods

To proactively respond to Infostealers, AhnLab Security Emergency response Center (ASEC) operates various systems that automatically collect malware in distribution. The collected malware is analyzed for malicious behavior and C2 information by an automated analysis system. The resulting information is provided in real time through the ATIP IOC service and can also be found on the ATIP file analysis information page.

AhnLab Systems:

  • Automatic collection system for malware disguised as cracks
  • Email honeypot system
  • Automatic analysis system for malware C2

ATIP Real-Time IOC Service

C2 and Malware Type Analysis:

  • File Analysis Info – Related Info – Contacted URLs

The statistics in this report are intended to be used to identify trends in the distribution quantity, disguise techniques, and distribution methods of Infostealers.

2. Infostealer Disguised as Cracks

This section provides statistics on Infostealers distributed under the guise of illegal programs such as cracks and keygens. The malware is distributed using a technique called SEO poisoning, which pushes the attacker's distribution posts to the top of search engine results. ASEC has built a system that automatically collects and analyzes such malware in real time, blocks its C2 servers, and feeds the related information to ATIP. Infostealers such as Vidar, CryptBot, RedLine, Raccoon, and StealC have been distributed in this manner, with LummaC2 the most commonly distributed recently.

Figure 1. Infostealers disguised as cracks

The graph below shows the quantity of malware distributed in this manner over the past year. The second series shows the number of samples that AhnLab collected before they appeared on VirusTotal, which demonstrates the effectiveness of the automatic collection system. The distribution quantity began to increase significantly in the second quarter, and distribution remains active.

Graph 1. Annual malware distribution quantity

Attackers bypass search engine filtering by placing their distribution posts on legitimate sites: popular forums, the Q&A pages of specific companies, free bulletin boards, and comment sections. The image below is an example of a malware distribution post on GitHub.

Figure 2. Malware disguised as cracks on a legitimate site (GitHub)

Trend #1

In the DLL side-loading variant, malware with abnormally large DLL files has been distributed since mid-December. This is presumed to be an attempt to hinder file collection and detection: the compressed archive is small, but it expands into an abnormally large executable. An archive that behaves this way is likely to be malware, so caution is advised.

Figure 3. DLL malware of unusually large size
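
A quick way to apply the size check described in Trend #1 before anything is extracted is to read the archive's central directory and compare each executable member's declared uncompressed size with its compressed size. The following Python script is an added example written for this summary, not a tool from ASEC or the report; the file extensions, the 100 MiB size threshold and the 50:1 ratio threshold are assumptions, and the sample archive it builds is constructed in memory.

```python
import io
import random
import sys
import zipfile

# Extensions treated as Windows executables for this check (assumption: an
# illustrative list, not one taken from the report).
EXECUTABLE_EXTS = (".dll", ".exe", ".sys", ".ocx", ".scr")


def inspect_archive(data: bytes, max_uncompressed: int = 100 * 1024 * 1024,
                    max_ratio: float = 50.0) -> list:
    """Read only the zip central directory and report executable members whose
    declared sizes look padded. Nothing is extracted, so an oversized member is
    never written to disk. Both thresholds are assumptions chosen for this example."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(EXECUTABLE_EXTS):
                continue
            # Guard against a zero compressed size (empty members).
            ratio = info.file_size / max(info.compress_size, 1)
            reasons = []
            if info.file_size > max_uncompressed:
                reasons.append("uncompressed size above threshold")
            if ratio > max_ratio:
                reasons.append("compression ratio suggests padding")
            if reasons:
                findings.append({
                    "name": info.filename,
                    "file_size": info.file_size,
                    "compress_size": info.compress_size,
                    "ratio": round(ratio, 1),
                    "reasons": reasons,
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not a real malware archive): a small zip that unpacks
    to a 4 MiB DLL made of a two-byte 'MZ' stub followed by zero padding, next
    to a small incompressible DLL and a text file."""
    rng = random.Random(1)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample\n")
        zf.writestr("helper.dll", rng.randbytes(16 * 1024))             # dense, normal
        zf.writestr("padded.dll", b"MZ" + b"\x00" * (4 * 1024 * 1024))  # zero-padded
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a zip path to inspect it; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_archive()
    for f in inspect_archive(blob):
        print(f"{f['name']}: {f['file_size']} bytes unpacked, "
              f"{f['compress_size']} bytes packed (x{f['ratio']}): {', '.join(f['reasons'])}")
```

A heavily zero-padded DLL compresses far better than a real binary, which is why the ratio rule fires on the constructed `padded.dll` while the dense `helper.dll` passes. Legitimate large DLLs exist, so treat a hit as a reason to quarantine and inspect the archive rather than as a verdict, and tune the thresholds against a baseline of software the environment actually installs.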

 

Trend #2

While most malware disguised as cracks was the LummaC2 Infostealer, the ACRStealer Infostealer has also started to appear frequently since December. ACRStealer, first distributed around June last year, had almost disappeared but reappeared in December and has been actively distributed since January. About 26 ACRStealer samples were distributed in January, and given the attacker's history of periodically changing the primary malware used, its share of the distribution is likely to increase. The ACRStealer samples distributed in January use Google Docs as an intermediary C2.

For detailed explanations of statistics not mentioned in this summary, statistics on the companies targeted for disguise in malware production, original file name statistics, distribution site statistics, product detection quantity statistics, and information on Infostealers distributed via phishing emails, please refer to the full ATIP report.

MD5

001246ee5372966ad28b347eecc6273c
002815b806a977e440141fb51033911a
0152ec7590f889d262c904817caf800d
0487afb8a2694a4cbfe1fd7bfae19da8
05e24915bf1d6316cd8eebd082838240

URL

http[:]//www[.]balanpoint[.]life/0cbv/
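
The Trend #2 observation that ACRStealer retrieves its C2 through Google Docs, together with the indicator list above, suggests two simple triage rules over process-attributed network telemetry: a non-browser process requesting a docs.google.com document, and any process contacting the host from the published URL indicator. The following Python script is an added example written for this summary, not an ASEC detection rule; the log format, the browser allowlist and the `PLACEHOLDER_DOC_ID` document identifier are constructed assumptions, and the only indicator it carries is the URL printed above, refanged for matching.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed telemetry for this example (not from the report): one row per
# outbound HTTP(S) request, attributed to the originating process.
SAMPLE_LOG = """timestamp,process,pid,url
2025-01-10T09:12:01Z,chrome.exe,4120,https://docs.google.com/document/d/PLACEHOLDER_DOC_ID/edit
2025-01-10T09:13:44Z,setup.exe,5532,https://docs.google.com/document/d/PLACEHOLDER_DOC_ID/export?format=txt
2025-01-10T09:13:45Z,setup.exe,5532,http://www.balanpoint.life/0cbv/
2025-01-10T09:15:02Z,msedge.exe,2210,https://www.example.com/
"""

# Processes expected to talk to Google Docs (assumption: an illustrative allowlist).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

# Host the report describes as the intermediary C2 used by ACRStealer.
INTERMEDIARY_HOSTS = {"docs.google.com"}

# The URL indicator published in the report, in its defanged form.
DEFANGED_IOC_URLS = ["http[:]//www[.]balanpoint[.]life/0cbv/"]


def refang(url: str) -> str:
    """Undo the common defanging conventions so the host can be parsed."""
    return url.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


IOC_HOSTS = {urlsplit(refang(u)).hostname.lower() for u in DEFANGED_IOC_URLS}


def triage(log_text: str) -> list:
    """Return the rows matching either rule, each tagged with the rule name."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        host = (urlsplit(row["url"]).hostname or "").lower()
        proc = row["process"].lower()
        if host in IOC_HOSTS:
            alerts.append({**row, "rule": "known_c2_host"})
        elif host in INTERMEDIARY_HOSTS and proc not in BROWSERS:
            alerts.append({**row, "rule": "non_browser_to_docs_google"})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a['timestamp']} {a['process']}[{a['pid']}] -> {a['url']}  [{a['rule']}]")
```

Sync clients, Office add-ins and scripted automation also reach Google Docs without a browser, so the first rule is a triage signal to correlate with the parent process and file origin (for example, an executable unpacked from a downloaded crack archive), whereas a match on the published indicator host is a direct hit.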