August 2025 Infostealer Trend Report

This report provides statistics, trends, and case information on Infostealers, including distribution volume, distribution methods, and disguises, based on the data collected and analyzed in August 2025. The following is a summary of the original report.

1) Data Source and Collection Methods

AhnLab SEcurity intelligence Center (ASEC) operates several systems that automatically collect malware in distribution in order to proactively defend against Infostealer threats. The collected samples are checked for maliciousness and their C2 information is extracted by an automated analysis system. The resulting information is provided in real time through the ATIP IOC service and can also be found on the ATIP file analysis information page.

AhnLab Systems

  • Automated collection system for malware disguised as cracks
  • Email honeypot system
  • Automated analysis system for malware C2

ATIP Real-Time IOC Service

C2 and Malware Type Analysis

  • File Analysis Information – Related Information – Contacted URLs

The statistics in this report are intended to be used to identify trends in the distribution quantity, disguise techniques, and distribution methods of Infostealers.

2) Infostealer Disguised as Crack

This section provides statistics on Infostealers distributed under the guise of illegal programs such as cracks and keygens. The malware is distributed through SEO poisoning, which pushes malware distribution posts to the top of search engine results. ASEC operates a system that automatically collects such malware and analyzes its C2 information in real time, blocks the C2, and provides the related information through AhnLab TIP (ATIP). In August, various infostealers were spread this way, including LummaC2, ACRStealer, and Rhadamanthys.

Figure 1. Malware distribution pages

The graph below shows the quantity of malware distributed in this manner over the past year. The second series counts samples that had no record on VirusTotal at the time of collection, that is, samples AhnLab collected before anyone else. The size of that series shows that a large share of these samples were first collected and responded to by AhnLab's automated collection system.

Graph 1. Annual malware distribution quantity

Previously, threat actors uploaded malware distribution posts on their own blogs, but search engines have begun excluding these malicious blogs from search results. Detection numbers therefore showed a decreasing trend, but threat actors now bypass the filtering by posting the distribution content on legitimate websites: popular forums, the Q&A pages of specific companies, bulletin boards, and comment sections. The images below are examples of distribution posts uploaded to various online communities. Because the hosting site is reputable, posts uploaded in this manner appear at the top of search engine results and reach a large number of users.

Figure 2. Distribution post published on the legitimate site (chromium.org)


Figure 3. Distribution post published on the legitimate site (slideshare.net)

Infostealers distributed in this manner execute in one of two forms: as a standalone EXE, or through DLL side-loading, where a legitimate EXE and a malicious DLL are placed in the same folder so that running the legitimate EXE loads the malicious DLL. Of the malware collected in August, approximately 89.7% were of the EXE type and 10.3% were of the DLL side-loading type. A side-loaded DLL is created by replacing only a small portion of a legitimate DLL with malicious code, so it closely resembles the original file. Many security solutions may therefore classify it as a legitimate file, which is why a DLL sitting next to an EXE should be checked by hash and signature rather than trusted on its name alone.

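The following Python script is an added example for this summary, not tooling from ASEC or from the report. It performs the triage check implied above: for every EXE in a folder, look at the DLLs beside it and flag any whose file name matches a DLL the EXE would normally load from Windows but whose hash does not match a trusted copy. The list of commonly hijacked DLL names and the known-good hash table are illustrative assumptions; the folder contents built by run_demo() are constructed stand-in bytes, not real samples.

```python
"""Triage a folder for DLL side-loading candidates.

Added example for this summary, not tooling from ASEC or the report. For
every EXE, inspect the DLLs sitting beside it and flag any whose file name
matches a DLL the EXE would normally load from Windows, but whose hash does
not match a trusted copy. The name list and the known-good hash table are
illustrative assumptions; replace them with hashes taken from a clean
System32 and your application inventory.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumption: illustrative subset of Windows DLL names that side-loading
# campaigns commonly hijack, because EXEs import them by name and the
# application directory is searched before System32.
COMMONLY_SIDELOADED = {
    "version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll",
    "userenv.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll",
}


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(folder, known_good):
    """Return [(exe_name, dll_name, reason)] for suspicious EXE/DLL pairs.

    known_good maps a lower-case DLL file name to a set of SHA-256 hashes of
    trusted copies. A DLL that shares its name with a trusted DLL but not its
    hash is the "legitimate DLL with a small malicious modification" pattern
    described in the report: a name check alone would pass it as clean.
    """
    folder = Path(folder)
    exes = sorted(p for p in folder.iterdir() if p.suffix.lower() == ".exe")
    dlls = sorted(p for p in folder.iterdir() if p.suffix.lower() == ".dll")
    findings = []
    for exe in exes:
        for dll in dlls:
            name = dll.name.lower()
            if name in known_good:
                if sha256_of(dll) not in known_good[name]:
                    findings.append((exe.name, dll.name,
                                     "name matches a trusted DLL but the hash differs"))
            elif name in COMMONLY_SIDELOADED:
                findings.append((exe.name, dll.name,
                                 "commonly side-loaded name with no trusted hash on record"))
            # Any other DLL is treated as an application-private library and
            # left for an Authenticode signature check rather than flagged here.
    return findings


def run_demo():
    """Build a constructed folder (stand-in bytes, not real samples) and triage it."""
    d = Path(tempfile.mkdtemp(prefix="sideload_demo_"))
    (d / "vendorapp.exe").write_bytes(b"MZ constructed stand-in for a legitimate EXE")
    (d / "version.dll").write_bytes(b"MZ constructed stand-in for a tampered version.dll")
    (d / "dbghelp.dll").write_bytes(b"MZ constructed stand-in for an unknown dbghelp.dll")
    (d / "appcore.dll").write_bytes(b"MZ constructed application-private DLL")
    # The trusted hash for version.dll is that of a different (clean) byte
    # string, so the copy in the folder is detected as modified.
    known_good = {
        "version.dll": {hashlib.sha256(b"MZ constructed clean version.dll").hexdigest()},
    }
    return find_sideload_candidates(d, known_good)


if __name__ == "__main__":
    for exe, dll, reason in run_demo():
        print(f"{exe} + {dll}: {reason}")
```

On a real case the hash table should come from a clean reference system, and any DLL the script does not flag still deserves an Authenticode check (for example with Get-AuthenticodeSignature in PowerShell), since a vendor-private DLL with no trusted hash on record is exactly where the script stays silent by design.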
Trend #1

– Distribution using Slack

In mid-August, a threat actor mass-produced malicious posts on Slack. Judging from the recorded URLs, they appear to have registered multiple malicious listings on the Slack Marketplace. Those URLs now return an error, so the posts themselves can no longer be viewed. However, search engines still index them, and the search-result summary exposes the URL used to distribute the malware. Because users can still download the malware from that URL, the channel remains an effective distribution vector even though the posts are gone.


Figure 4. Search results for the malicious post uploaded to Slack

Trend #2

– ACRStealer’s Domain Masquerade

The new version of ACRStealer, actively distributed since June, sets the Host field of its HTTP(S) request header to a legitimate domain while the connection itself still goes to the malicious C2 server. As a result, security products that take the destination from the Host header can misinterpret C2 traffic as communication with a legitimate domain. Initially, the threat actor disguised the C2 using domains of well-known companies such as Microsoft and Facebook. From mid-August onward, they have primarily used domains belonging to security vendors, and have shifted from bare second-level domains to deeper, more complex subdomains. These changes are likely intended to make detection more difficult. The disguise does not change where the traffic actually goes, so comparing the Host value with the destination the connection really resolved to exposes the mismatch.

Date         ACRStealer's disguised domain
2025-08-04   att.com
2025-08-09   http://www.dildo.com
2025-08-10   je1.com
2025-08-11   el1.com
2025-08-12   ga1.com
2025-08-16   l4.com
2025-08-16   analytics.avcdn.net
2025-08-16   analytics.ff.avast.com
2025-08-16   v7event.stats.avast.com
2025-08-18   analysis.sophos.com
2025-08-18   api.crowdstrike.com
2025-08-19   aether100proservicebus.servicebus.windows.net
2025-08-19   aether100pronotification.table.core.windows.net
2025-08-24   assets-public.falcon.eu-1.crowdstrike.com
2025-08-25   api.malwarebytes.com
2025-08-26   au.analysis.sophos.com
2025-08-26   cloud-ecs.gravityzone.bitdefender.com
2025-08-27   crl3.digicert.com
2025-08-29   detect-remediate.cloud.malwarebytes.com

Table 1. Disguised domains used by ACRStealer

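The following Python script is an added example for this summary; it is not code from the ASEC report or from ACRStealer. It implements the detection the Host-header masquerade calls for: join each HTTP request with the DNS answers that produced its destination IP, and flag any request whose Host value never resolved to that IP on the source host. The DNS and proxy log formats, source addresses and timestamps are constructed for the example, the destination IPs are RFC 5737 documentation addresses rather than real infrastructure, and the domain list is taken from Table 1 above (with its one URL reduced to a host name) to rate spoofed Host values that match the table as high severity.

```python
"""Flag HTTP requests whose Host header does not match the resolved destination.

Added example, not code from the ASEC report or from ACRStealer. The
masquerade only rewrites the Host header; the TCP connection still goes to
the real C2 address. Joining each request with the DNS answers that produced
its destination IP exposes the trick, because the legitimate domain in the
Host header was never resolved to that IP.

Log formats, IPs and timestamps are constructed for the example. IPs are
from RFC 5737 documentation ranges, not real infrastructure.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed DNS log: "<ts> dns q=<name> a=<ip>" (one line per A record).
DNS_LOG = """\
2025-08-18T09:59:58Z dns q=api.crowdstrike.com a=198.51.100.7
2025-08-18T10:00:01Z dns q=stat-sync.example a=203.0.113.10
""".splitlines()

# Constructed HTTP log from a proxy that can see the Host header
# (plaintext HTTP, or HTTPS after TLS inspection).
HTTP_LOG = """\
2025-08-18T10:00:00Z http src=10.0.0.5 dst=198.51.100.7:443 host=api.crowdstrike.com uri=/sensors/entities/datafeed
2025-08-18T10:00:02Z http src=10.0.0.5 dst=203.0.113.10:443 host=api.crowdstrike.com uri=/api/v1/config
2025-08-18T10:05:00Z http src=10.0.0.5 dst=192.0.2.44:80 host=crl3.digicert.com uri=/update.php
2025-08-18T10:06:00Z http src=10.0.0.9 dst=203.0.113.10:443 host=stat-sync.example uri=/ping
""".splitlines()

# Domains from Table 1 that ACRStealer placed in its Host header in August 2025
# (the one URL in the table is reduced to its host name).
TABLE1_DOMAINS = {
    "att.com", "www.dildo.com", "je1.com", "el1.com", "ga1.com", "l4.com",
    "analytics.avcdn.net", "analytics.ff.avast.com", "v7event.stats.avast.com",
    "analysis.sophos.com", "api.crowdstrike.com",
    "aether100proservicebus.servicebus.windows.net",
    "aether100pronotification.table.core.windows.net",
    "assets-public.falcon.eu-1.crowdstrike.com", "api.malwarebytes.com",
    "au.analysis.sophos.com", "cloud-ecs.gravityzone.bitdefender.com",
    "crl3.digicert.com", "detect-remediate.cloud.malwarebytes.com",
}

DNS_RE = re.compile(r"^(?P<ts>\S+) dns q=(?P<qname>\S+) a=(?P<ip>\S+)$")
HTTP_RE = re.compile(
    r"^(?P<ts>\S+) http src=(?P<src>\S+) dst=(?P<dst>[^:\s]+)(?::\d+)? "
    r"host=(?P<host>\S+) uri=(?P<uri>\S+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    host: str
    severity: str
    reason: str


def index_dns(dns_lines):
    """Map each answered IP to the set of names that resolved to it."""
    resolved = defaultdict(set)
    for line in dns_lines:
        m = DNS_RE.match(line)
        if m:
            resolved[m["ip"]].add(m["qname"].lower().rstrip("."))
    return resolved


def find_host_masquerade(dns_lines, http_lines):
    """Return a Finding for every request whose Host never resolved to its dst."""
    resolved = index_dns(dns_lines)
    findings = []
    for line in http_lines:
        m = HTTP_RE.match(line)
        if not m:
            continue
        host = m["host"].lower().split(":")[0].rstrip(".")
        names = resolved.get(m["dst"], set())
        if host in names:
            continue  # the Host name genuinely resolved to this IP
        if names:
            reason = (f"Host {host} never resolved to {m['dst']} "
                      f"(DNS saw {', '.join(sorted(names))})")
        else:
            reason = (f"Host {host} sent to {m['dst']} with no prior DNS "
                      "resolution (hard-coded C2 address?)")
        # A spoofed Host that is already on the Table 1 list is rated higher.
        severity = "high" if host in TABLE1_DOMAINS else "medium"
        findings.append(Finding(m["ts"], m["src"], m["dst"], host, severity, reason))
    return findings


if __name__ == "__main__":
    for f in find_host_masquerade(DNS_LOG, HTTP_LOG):
        print(f"[{f.severity}] {f.ts} {f.src} -> {f.dst} {f.reason}")
```

Two caveats for production use. The Host header is only visible on plaintext HTTP or behind a TLS-inspecting proxy; for opaque TLS the same join can be run on the SNI value instead, and after inspection a Host/SNI disagreement is itself a strong signal. The index above is keyed by IP alone, so a name legitimately served from a shared CDN address would be flagged; scope the join per source host and to the DNS record's TTL window before alerting on it.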
For statistics not covered in this summary, such as the disguise target industries, the original file names used by the malware, the products detected, and Infostealer-related findings from phishing emails, please refer to the full ATIP report.

MD5

00a2e097c53831491975374ef4cdf5b4
013026855baf28301bd7e6e85822e4e5
081b5fb48eab820ccf47065e724cc9b6
11f03aef854cc2032db0771b7b7166fb
169620bc6fb5e9753d913275b2352686