April 2025 Infostealer Trend Report
This report provides statistics, trends, and case information on the distribution of Infostealer malware, including the distribution volume, methods, and disguises, based on the data collected and analyzed in April 2025. The following is a summary of the report.
1) Data Source and Collection Method
The AhnLab SEcurity intelligence Center (ASEC) operates various systems that automatically collect malware strains in distribution, for preemptive threat response. The collected samples are run through an automated analysis system to determine whether they are malicious and to extract their C2 information. This information is provided in real time through the ATIP IOC service and can also be found under the related information on the ATIP File Analysis Information page.
AhnLab’s self-developed systems
- Crack camouflage malware automatic collection system
- Email honeypot system
- Malware C2 automatic analysis system
ATIP real-time IOC service
- C2 and malware type analysis information
- File analysis information – Related information – Contacted URLs
The statistics in this report are intended to show the overall distribution volume, disguise techniques, and distribution-method trends of Infostealer malware.
2) Infostealer Disguised as Crack
This section covers statistics on information-stealing malware distributed under the guise of illegal software such as cracks and keygens. The malware is distributed using SEO poisoning, a technique that pushes the distribution post to the top of search engine results. ASEC has established a system that automatically collects malware distributed in this manner and analyzes its C2 information, so that the C2 can be blocked in real time and the relevant information provided through ATIP. Infostealers such as Vidar, Cryptbot, Redline, Raccoon, and StealC have been distributed this way in the past; in April, LummaC2, Vidar, and StealC were distributed.

Figure 1. Pages distributing malware
The following chart shows the quantity of malware distributed in this manner over the past year. The second legend shows the quantity of malware that was collected by AhnLab before any information on it was available on VirusTotal, which shows that most of the malware was collected and responded to first through the automatic collection system. Since the fourth quarter of last year, the distribution volume has remained at a generally similar level.

Chart 1. Quantity of malware distributed annually
The threat actor is bypassing search engine filters by creating distribution posts on legitimate websites. They are using popular forums, Q&A pages of specific companies, free boards, and comments. The following image shows an example of a distribution post uploaded to various communities.

Figure 2. A distribution post published on the legitimate Pinterest site

Figure 3. A distribution post published on the legitimate SlideShare site
Infostealers are executed in two main ways: they are either distributed in EXE format or use the DLL-SideLoading technique, in which a legitimate EXE file and a malicious DLL file are placed in the same folder so that the malicious DLL is loaded when the legitimate EXE is executed. In April, 86.8% of Infostealer samples were in EXE format, while 13.1% used the DLL-SideLoading technique. Although the overall distribution volume remained consistent with the previous month, the number of DLL-SideLoading samples decreased noticeably. This is because a large number of EXE-type Infostealers, such as StealC, were detected, which significantly lowered the proportion of DLL-SideLoading samples. DLL-SideLoading Infostealers are created by modifying only a portion of the original legitimate DLL with malicious code, so they closely resemble the normal file. As a result, many other security solutions may classify them as normal files, so caution is required.

Figure 4. Example of undetected DLL malware from a third-party source
Trend #1
Since mid-April, a large volume of StealC malware has been distributed. Normally, about 10 samples are generated per day, but during this period a large number of StealC samples were created and distributed, resulting in over 30 samples per day. StealC is an Infostealer that steals sensitive user data and transmits it to a C2 server. This malware was also actively distributed early last year, and the details were covered in the following publications.
- [AhnLab SEcurity intelligence Center (ASEC) Blog] Caution on Infostealer Disguised as Installer (StealC): https://asec.ahnlab.com/en/62976/
- [AhnLab SEcurity intelligence Center (ASEC) Notes] Distribution of Malware Exploiting Innosetup Installer Plugin: https://atip.ahnlab.com/intelligence/view?id=3647f8dd-a285-4bdb-b8d7-71e3fce1b6a2
The statistics for each type of malware distributed in this manner throughout April are as follows. A significant number of StealC samples were generated even though their distribution only began in mid-April.

Chart 2. Distribution of malware types in April
Trend #2
At the end of April, the threat actor distributed an unpacked version of LummaC2. When this unpacked LummaC2 is executed, it displays a message box asking whether to execute the malware. The malicious behavior is only triggered when the user clicks “Yes,” and the malware terminates when the user clicks “No.” This is likely a mistake made by the threat actor during the malware development process.

Figure 5. Message box of LummaC2 that is not packed
Trend #3
Multiple samples of LummaC2 malware that use Telegram or Steam as a relay C2 have been distributed. The malware accesses an account page created by the threat actor on a legitimate site to obtain the actual C2 address. This technique is called Dead Drop Resolver (DDR). Samples with this function were distributed earlier this year, but in April the majority of LummaC2 samples used Telegram and Steam as relay C2. The account name on the relay page is an encrypted string; the malware decrypts it with ROT-11 and uses the result as the C2 address.

Figure 6. LummaC2’s C2 (Telegram)

Figure 7. Steam C2 server of LummaC2
For statistics not covered in this summary, including the targeted companies and original file names, distribution details, the number of products detected, and Infostealer information from phishing emails, please refer to the full ATIP report.