September 2025 Infostealer Trend Report
This report provides statistics, trends, and case information on Infostealer malware, including distribution volume, distribution methods, and disguises, based on the data collected and analyzed in August 2025. The following is a summary of the original report.
1) Data Source and Collection Methods
AhnLab SEcurity intelligence Center (ASEC) operates various systems that automatically collect malware as it is being distributed, enabling a proactive response to Infostealer malware. The collected samples are processed by an automatic analysis system that determines whether they are malicious and extracts their C2 information. This information is provided in real time through the ATIP IOC service and can also be found under the related information on the ATIP File Analysis Information page.
AhnLab Systems
- Automated collection system for malware disguised as cracks
- Email honeypot system
- Automated analysis system for malware C2
ATIP Real-time IOC service
C2 and Malware Type Analysis
- File Analysis – Related Information – Contacted URLs
It is recommended to use the statistics in this report to gain an overall understanding of the distribution volume, disguising techniques, and distribution methods of Infostealer malware.
2) Infostealer Distributed with Crack Disguise
This section provides statistics on Infostealers distributed under the guise of illegal programs such as cracks and keygens. The malware is distributed using a strategy called SEO Poisoning, which ensures that malware distribution posts appear at the top of search engine results. ASEC has established a system to automatically collect and analyze C2 information of such malware in real time, blocking the malware’s C2 and providing related information through AhnLab TIP (ATIP). In August, various infostealers were spread, including LummaC2, ACRStealer, and Rhadamanthys. The distribution of LummaC2 has sharply decreased since the end of September, and only a small amount of the malware is currently being distributed.

Figure 1. Malware distribution page
The following chart shows the quantity of malware distributed through this method in the past year. The second legend shows the quantity of malware that was collected by AhnLab before relevant information was available on VirusTotal. This indicates that AhnLab collected and responded to the majority of malware through its automatic collection system.

Chart 1. Annual malware distribution quantity
Previously, threat actors directly posted articles about malware distribution on the blogs they created. However, search engines began to take measures to prevent these malicious blogs from appearing in search results. To bypass these measures, threat actors are now distributing malware by posting articles on legitimate websites. They are utilizing famous forums, Q&A pages of specific companies, free boards, and comments. The following image shows an example of an article about malware distribution that has been uploaded to various communities. Articles uploaded in this manner appear at the top of search results and are visited by many users.

Figure 2. A distribution post published on the legitimate site (slideshare.net)

Figure 3. A post on a legitimate site (chromium.org)
As shown above, the distributed Infostealers use one of two execution methods: distribution as a plain EXE file, or the DLL SideLoading technique, in which a legitimate EXE file and a malicious DLL file are placed in the same folder so that the malicious DLL is loaded when the legitimate EXE is executed. Throughout September, 80.3% of the Infostealer samples were distributed in EXE format, and 19.7% were distributed using the DLL SideLoading technique. This marks a significant increase in the proportion of samples distributed using the DLL SideLoading technique compared to the previous month. The rising trend can be attributed to an increase in the number of DLLs being distributed and to the fact that some samples use two or more malicious DLLs. LummaC2 is primarily distributed in EXE format, while ACRStealer is primarily distributed using the DLL SideLoading technique. Infostealers distributed using the DLL SideLoading technique are created by modifying only a portion of the legitimate DLL file into malicious code, so they look almost identical to the original file. As a result, many security solutions may classify these files as legitimate, so caution is advised.
Trend #1 – Sideloading Using Multiple DLLs
Previously, malware distributed using the DLL Sideloading technique consisted of one legitimate EXE file and one malicious DLL. In September, cases were found where multiple malicious DLLs were used in the distribution. The first malicious DLL is automatically loaded and executed when the legitimate EXE is run, and it in turn loads a second malicious DLL. That second DLL decrypts an encrypted data file, as in earlier cases, and executes a shellcode. As threat actors are continuously coming up with new distribution methods, caution is advised.

Figure 5. Structure of a new DLL Sideloading type
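The sideloaded DLLs described above and in the EXE/DLL breakdown earlier are patched copies of vendor DLLs that sit beside a legitimate EXE, so a simple triage check is to pair each EXE with its co-located DLLs and flag any DLL whose hash is not on a known-good allowlist or that no longer carries an embedded Authenticode signature. The following is an added example written for this summary, not ASEC's own tooling; the PE header it builds as sample input is constructed for the demo, and the allowlist is seeded from that sample rather than from a real vendor hash.

```python
import hashlib
import struct
from pathlib import Path

def build_minimal_pe(signed: bool) -> bytes:  # constructed sample header, not a real binary
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110               # PE32+ magic, rest zeroed
    dirs = [(0, 0)] * 16
    if signed:
        dirs[4] = (0x400, 0x1000)                              # IMAGE_DIRECTORY_ENTRY_SECURITY
    return dos + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)

# Allowlist of SHA-256 hashes of vendor DLLs; here seeded with the constructed sample.
KNOWN_GOOD_DLL_HASHES = {hashlib.sha256(build_minimal_pe(True)).hexdigest()}

def has_embedded_signature(data: bytes) -> bool:
    """True if the PE carries an Authenticode security directory (cheap triage signal)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    opt_off = pe_off + 24                                      # after signature + COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dirs_off = opt_off + (112 if magic == 0x20B else 96)       # PE32+ vs PE32
    rva, size = struct.unpack_from("<II", data, dirs_off + 4 * 8)
    return rva != 0 and size != 0

def sideload_candidates(files: dict) -> list:
    """`files` maps name -> bytes for one directory; returns (exe, dll, reason) findings."""
    exes = [n for n in files if n.lower().endswith(".exe")]
    dlls = [n for n in files if n.lower().endswith(".dll")]
    findings = []
    for exe in exes:
        for dll in dlls:
            data = files[dll]
            if hashlib.sha256(data).hexdigest() in KNOWN_GOOD_DLL_HASHES:
                continue                                       # byte-identical vendor DLL
            reasons = ["hash not in allowlist"]
            if not has_embedded_signature(data):
                reasons.append("no embedded Authenticode signature")
            findings.append((exe, dll, "; ".join(reasons)))
    return findings

def scan_folder(folder: str) -> list:
    """Run the same check over a real directory on disk."""
    return sideload_candidates({p.name: p.read_bytes() for p in Path(folder).iterdir() if p.is_file()})
```

A hash mismatch with an intact signature directory is exactly the "looks almost identical" case the report describes, so treat it as a reason to verify the signature chain, not as a clean result.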
Trend #2 – Distributing Proxyware
The threat actor had mainly distributed Infostealers, but in September an unusual case occurred in which multiple Proxyware strains were disguised as the legitimate utility "SteamCleaner" and distributed. Proxyware is a type of malware that consumes the network resources of a victim's PC to generate profit for threat actors. The legitimate SteamCleaner is an open-source tool for organizing the Steam client's storage. The threat actor added malicious code to the open-source project, built it, packaged it with the Inno Setup installer, and signed it with a valid certificate before distributing the malware.

Figure 7. Signature information of Proxyware malware
Upon execution, the installer goes through a normal installation process and then creates and executes the Proxyware malware, disguised as SteamCleaner, in the "C:\Program Files\SteamCleaner\" directory.

Figure 6. Screen after malware execution
The threat actor then registered a scheduled task, installed Node.js, and downloaded and executed a malicious script. For more information, please refer to the AhnLab SEcurity intelligence Center (ASEC) Notes below.
- [AhnLab SEcurity intelligence Center (ASEC) Notes] Proxyware Malware Disguised as Steam Cleanup Tool
For more information on statistics not covered in this summary, statistics on the disguise target companies, statistics on the original file names, distribution statistics, product detection statistics, and information on Infostealers via phishing emails, please refer to the full ATIP report.
※ For more information, please refer to the attachment.