February 2025 Infostealer Trend Report
This report provides statistics, trends, and case information on the distribution quantity, distribution methods, and disguise techniques of Infostealer collected and analyzed during February 2025. Below is a summary of the report.
1. Data Sources and Collection Methods
To proactively respond to Infostealers, AhnLab SEcurity intelligence Center (ASEC) operates various systems that automatically collect malware in distribution. The collected malware is analyzed for maliciousness and C2 information through an automated analysis system. The resulting information is provided in real time through the ATIP IOC service and can also be found on the ATIP file analysis information page.
AhnLab System
- Automatic collection system for malware disguised as cracks
- Email honeypot system
- Automatic analysis system for malware C2
ATIP Real-Time IOC Service
- C2 and Malware Type Analysis Information
- File Analysis Information – Related Information – Contacted URLs
The statistics in this report are intended to be used to check the overall distribution, disguising techniques, and distribution methods of Infostealer malware.
2. Infostealers Disguised as Cracks
This section provides statistics on Infostealers distributed under the guise of illegal programs such as cracks and keygens. The malware is distributed using a strategy called SEO poisoning, which ensures that malware distribution posts appear at the top of search engine results. ASEC has established a system to automatically collect and analyze such malware in real time, blocking the malware’s C2 and providing related information to ATIP. Infostealers such as Vidar, Cryptbot, Redline, Raccoon, and StealC have been distributed in this manner, with LummaC2, Vidar, and ACRStealer being the most commonly distributed recently.

Figure 1. Example of a malware distribution page
The following chart shows the quantity of malware distributed using this method over the past year. The second legend shows the quantity of samples collected by AhnLab before the relevant information was available on VirusTotal. It can be seen that most of the malware was collected and responded to through the automatic collection system. The distribution quantity began to increase significantly in the second quarter of this year, and has remained generally consistent since the fourth quarter of last year.

Chart 1. Quantity of Malware Distributed Annually
Threat actors are bypassing search engine filters by posting distribution articles on legitimate websites. They are using popular forums, Q&A pages of certain companies, free boards, and comments. The image below shows an example of distribution articles uploaded to various communities.

Figure 2. A post published on the legitimate website (Tidal)

Figure 3. A distribution post on the legitimate website (SlideShare)
Threat actors are mainly distributing malware through file hosting services. Users should be cautious of files downloaded from sites like Mega or Mediafire after multiple redirections. Since February, the threat actor has been using the Box cloud platform to distribute some of their malware.

Figure 4. Example of distribution using the Box cloud platform
Trend #1
The number of genuine DLL-SideLoading samples has decreased significantly, but the share of samples that merely imitate the DLL-SideLoading form has increased significantly. Multiple DLL and EXE files are compressed together for distribution, but the actual malware is a single EXE file, and the bundled DLL files play no part in its execution. It is presumed that random DLL files were added to make the archive look more authentic to users. It is also possible that the threat actor intended the package to resemble the DLL-SideLoading type in order to influence how it is detected and classified.

Figure 5. Example of a meaningless DLL file
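As an added illustration of how a defender might triage such an archive (example code written for this summary, not an ASEC tool), the script below parses the EXE's import table and reports which bundled DLLs it never statically imports. The folder layout and the "unimported means decoy" heuristic are assumptions; a DLL loaded at run time via LoadLibrary would also be flagged.

```python
import struct
from pathlib import Path

def pe_imported_dlls(data: bytes) -> list[str]:
    """Return the lower-cased DLL names listed in a PE file's import directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    ddir = opt + (96 if magic == 0x10B else 112)           # data directories: PE32 / PE32+
    imp_rva = struct.unpack_from("<I", data, ddir + 8)[0]  # entry 1 = import table
    if imp_rva == 0:
        return []
    sections = []
    for i in range(nsect):                                 # section table maps RVA -> file offset
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rsize), rptr))

    def rva_to_off(rva: int) -> int:
        for vaddr, size, rptr in sections:
            if vaddr <= rva < vaddr + size:
                return rptr + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} outside all sections")

    names, desc = [], rva_to_off(imp_rva)
    while True:                                            # walk IMAGE_IMPORT_DESCRIPTORs to the all-zero terminator
        lookup, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, desc)
        if lookup == 0 and name_rva == 0 and iat == 0:
            break
        off = rva_to_off(name_rva)
        names.append(data[off:data.index(b"\0", off)].decode("ascii", "replace").lower())
        desc += 20
    return names

def decoy_dlls(exe_data: bytes, bundled_dlls: list[str]) -> list[str]:
    """Bundled DLLs the EXE does not statically import: likely padding rather than sideloading.
    Heuristic only (assumption): a DLL loaded dynamically at run time is reported here as well."""
    imported = set(pe_imported_dlls(exe_data))
    return sorted(d for d in bundled_dlls if d.lower() not in imported)

if __name__ == "__main__":
    import sys
    folder = Path(sys.argv[1])                             # assumed: an extracted crack archive
    dlls = [p.name for p in folder.iterdir() if p.suffix.lower() == ".dll"]
    for exe in folder.glob("*.exe"):
        print(exe.name, "-> DLLs not imported:", decoy_dlls(exe.read_bytes(), dlls))
```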
Trend #2
While most of the malware samples previously distributed as cracks were LummaC2 Infostealers, multiple Vidar Infostealer samples were also distributed in February. Vidar was actively distributed in the same campaign in the past, but it was rarely distributed in 2024. However, meaningful amounts of Vidar have been distributed since February of this year.

Chart 2. Distribution of malware types in February
About 4% of the malware distributed in February was Vidar, and a new execution type was identified among these samples. Unlike before, the malware is not distributed in an encrypted compressed file. Instead, it displays a GUI window that requires users to enter a password; the password is given in the description file bundled with the malware. After entering the password, users must click the Run button to start the malicious behavior. Because this manual interaction is required, the malicious behavior is not triggered in automated analysis environments such as sandboxes. This information has been covered in ASEC Notes.

Figure 6. Password input GUI window
- [ATIP ASEC Notes] Vidar Infostealer Distributing Malicious File Requiring Password Input
For statistics not covered in this summary, including the companies impersonated by the disguised malware, the original file names used in malware development and distribution, the number of products that detected the malware, and Infostealer-related information from phishing emails, please refer to the full ATIP report.