March 2025 Infostealer Trend Report
This report provides statistics, trends, and case information on the distribution quantity, distribution methods, and disguise techniques of Infostealer collected and analyzed during March 2025. Below is a summary of the report.
1. Data Sources and Collection Methods
To proactively respond to Infostealer, AhnLab SEcurity intelligence Center (ASEC) operates various systems that automatically collect malware in distribution. The collected malware is analyzed for maliciousness and C2 information through an automated analysis system. Relevant information is provided in real-time through the ATIP IOC service and can also be found on the ATIP file analysis information page.
AhnLab System
- Automatic collection system for malware disguised as cracks
- Email honeypot system
- Automatic analysis system for malware C2
ATIP Real-Time IOC Service
C2 and Malware Type Analysis Information
- File Analysis Information – Related Information – Contacted URLs
The statistics in this report are intended to be used to check the overall distribution, disguising techniques, and distribution methods of Infostealer malware.
2. Infostealers Disguised as Cracks
This section provides statistics on Infostealer distributed under the guise of illegal programs such as cracks and keygens. The malware is distributed using a strategy called SEO-Poisoning, which ensures that malware distribution posts appear at the top of search engine results. ASEC has established a system to automatically collect and analyze such malware in real-time, blocking the malware’s C2 and providing related information to ATIP. Infostealers such as Vidar, Cryptbot, Redline, Raccoon, and StealC have been distributed in this manner, with LummaC2, Vidar, ACRStealer, and Rhadamanthys being the most commonly distributed recently.

Figure 1. Example of a malware distribution page
The following chart shows the quantity of malware distributed using this method over the past year. The second legend shows the quantity of samples collected by AhnLab before the relevant information was available on VirusTotal. It can be seen that most of the malware was collected and responded to through the automatic collection system. The distribution quantity began to increase significantly in the second quarter of this year, and has remained generally consistent since the fourth quarter of last year.

Chart 1. Quantity of Malware Distributed Annually
Threat actors are bypassing search engine filters by posting distribution articles on legitimate websites. They are using popular forums, Q&A pages of certain companies, free boards, and comments. The image below shows an example of distribution articles uploaded to various communities.

Figure 2. A post published on the legitimate website (Grabcad)

Figure 3. A distribution post on the legitimate website (Tableau)
Threat actors are mainly distributing malware through file hosting services. Users should be cautious of files downloaded from sites like Mega or Mediafire after multiple redirections. In March, GitHub was used for distribution, and malicious code was uploaded to WordPress-based shopping sites. Notably, Rhadamanthys Infostealer, which had a valid signature, was distributed in these cases.

Figure 4. Rhadamanthys Infostealer Signed with a Valid Certificate
Trend #1
In February, there were reports of DLL-SideLoading techniques where the size of malicious DLLs was abnormally increased. Previously only the malicious DLL files were enlarged; this month saw instances where normal DLLs were also manipulated to increase their size and were distributed alongside the malicious DLL files. This tactic aims to mislead security analysts and hinder diagnosis by making normal files appear malicious. The large “MindClient.dll” file shown below is not malicious but simply a normal file with increased size.

Figure 5. Normal DLL file with increased size
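As an added triage helper (not from the ASEC report), the following Python script measures how much of a PE file is overlay appended after its last section and how uniform that overlay is, so that an analyst can tell a file inflated with padding from one whose bulk is real section data. It assumes the size increase seen in this trend is done by appending padding after the last section, and it builds its own constructed minimal PE images for testing instead of using real DLLs.

```python
import math
import struct
from collections import Counter

def last_section_end(data: bytes) -> int:
    """Offset where the last section's raw data ends; bytes after it are overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sec = pe + 24 + opt_size                 # first IMAGE_SECTION_HEADER
    end = sec + 40 * nsec                    # at least the headers are mapped
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def overlay_report(data: bytes) -> dict:
    """Size, share and Shannon entropy of the overlay trailing the last section."""
    overlay = data[last_section_end(data):]
    n = len(overlay)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(overlay).values()) if n else 0.0
    return {"file_size": len(data), "overlay_size": n,
            "overlay_ratio": n / len(data), "overlay_entropy": entropy}

def looks_inflated(data: bytes, min_ratio: float = 0.9, max_entropy: float = 1.0) -> bool:
    """Heuristic: most of the file is overlay and that overlay is near-uniform padding."""
    r = overlay_report(data)   # a high-entropy overlay (installer payload, signature) is not flagged
    return r["overlay_ratio"] >= min_ratio and r["overlay_entropy"] <= max_entropy

def build_sample_pe(section_bytes: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE32 image with one section (test input, not a real DLL)."""
    pe_off, opt = 0x40, bytes(0xE0)          # zeroed optional header is enough here
    hdr_len = pe_off + 24 + len(opt) + 40    # DOS stub + COFF + optional + 1 section header
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF     # 512-byte file alignment
    sec_hdr = (b".text".ljust(8, b"\0") + struct.pack("<II", len(section_bytes), 0x1000)
               + struct.pack("<II", len(section_bytes), raw_ptr) + bytes(16))
    img = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", pe_off))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    img += opt + sec_hdr + bytes(raw_ptr - hdr_len) + section_bytes + overlay
    return bytes(img)

if __name__ == "__main__":
    sample = build_sample_pe(bytes(range(256)) * 4, bytes(200_000))   # constructed inflated file
    print(overlay_report(sample), looks_inflated(sample))
```

Run it over both the malicious and the "normal" DLL from such a package: a benign file that is mostly zero-filled overlay is the decoy described above, and the real content to examine is the small section data in front of it.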
Trend #2
Since March, Rhadamanthys infostealer, which had not been widely distributed before, has been found in numerous instances. Rhadamanthys is an Infostealer that injects itself into normal processes to perform malicious activities. It employs advanced anti-analysis techniques such as PPID spoofing, Heaven’s Gate, indirect syscalls, and manual mapping of ntdll. It communicates with its C2 server via TLS and can install additional modules to perform various malicious actions. Analysis systems have also detected Rhadamanthys installing ACRStealer infostealer, indicating that attackers are using it not only for basic information theft but also to infect systems with other malware.
Rhadamanthys infostealer was distributed in small quantities at the end of February and began widespread distribution in early March. By the end of March, LummaC2 infostealer became more prevalent, and Rhadamanthys was no longer seen.

Chart 2. Distribution of malware types in March
In March, approximately 12% of distributed malware was Rhadamanthys Infostealer, making it the second most common.
Trend #3
DLL-SideLoading malware was distributed in MSI format. When the MSI file is executed, it creates malicious DLLs, data files, and normal EXE files in a specific path and executes them. Unlike previous distribution cases, the compressed files are not password-protected. Although the distribution volume is not high, this different delivery format requires caution.

Figure 6. MSI malware
Upon execution, a directory is created under %AppData%, and EXE files, normal DLLs required to run the EXE, malicious DLLs, and data files are generated. When ABRequestDlg.exe is executed, it loads the malicious libcrypto-1_1.dll file and runs LummaC2 malware.

Figure 7. Malicious MSI payload
Distributed malware falls into two types: plain EXE format, and DLL-SideLoading, where a normal EXE file and a malicious DLL file are placed in the same folder so that the malicious DLL is loaded when the normal EXE file is executed. In March, EXE format accounted for approximately 65.9% of malware, while DLL-SideLoading accounted for about 34.1%, a significant increase in DLL-SideLoading samples compared to February. Since the original normal DLL is only partially modified to include malicious code, it often appears as a normal file to other AV products, requiring extra caution.

Figure 8. DLL malware undetected by other security vendors
For statistics not covered in this summary, including the companies impersonated and the original file names used in malware development and distribution, the number of products that detected the malware, and Infostealer-related information from phishing emails, please refer to the full ATIP report.