November 2025 Infostealer Trend Report
This report provides statistics, trends, and case information on Infostealer malware collected and analyzed during the month of November 2025, including distribution volume, distribution channels, and disguising techniques. The following is a summary of the report.
1) Data Source and Collection Method
The AhnLab SEcurity intelligence Center (ASEC) operates various systems to automatically collect and distribute malware for proactive threat response. The collected malware is analyzed by an automated system to determine its maliciousness and C2 information. The relevant information is provided in real-time through the ATIP IOC service, and additional information can be found on the ATIP File Analysis Information page.
AhnLab’s internally built system
- Crack and Patch Concealment Malware Automatic Collection System
- Email Honeypot System
- Malware C2 Automatic Analysis System
ATIP Real-time IOC service
C2 and Malware Type Analysis Information
- File Analysis Information – Related Information – Contacted URLs
It is recommended to use the statistics in this report to gain an overall understanding of the distribution volume, disguise techniques, and distribution trends of Infostealer malware.
2) Infostealer Distributed with Crack Disguise
These statistics cover Infostealer malware distributed under the guise of illegal programs such as cracks and keygens. The malware is distributed by making the distribution posts appear at the top of search engine results (SEO poisoning). ASEC has established a system that automatically collects malware distributed in this manner and analyzes its C2 information, so that the C2 is blocked in real time and the relevant information is provided through ATIP. In November, ACRStealer, LummaC2, and Rhadamanthys were the most distributed Infostealers.

Figure 1. Page distributing malware
The following chart shows the amount of malware distributed using this method over the past year. The second series shows how much of it AhnLab collected before the corresponding information was available on VirusTotal, which shows that the automatic collection system let AhnLab collect and respond to the majority of this malware first.

Chart 1. Quantity of Malware Distributed Annually
Previously, threat actors posted directly on blogs they had created to distribute malware, but search engines began taking measures to keep such malicious blogs out of search results. To circumvent this, threat actors now post on legitimate websites instead: well-known forums, companies' Q&A pages, free bulletin boards, comment sections, and so on. The following image shows an example of malware distribution posts uploaded to various communities. Posts uploaded in this way appear at the top of search engine results and are visited by many users.

Figure 2. A distribution post on Facebook
The distributed Infostealers use one of two execution methods. One is distributed as an EXE file; the other uses DLL sideloading, in which a legitimate EXE file and a malicious DLL file are placed in the same folder so that the malicious DLL is loaded when the legitimate EXE is executed. In November, approximately 22.7% of the malware samples were distributed in EXE format, while the remaining 77.3% used DLL sideloading. The share of samples using DLL sideloading increased significantly compared to the previous month, because of the mass distribution of a new type of downloader malware that uses this technique.
DLL sideloading malware is created by modifying only a portion of a legitimate DLL to include malicious code, so it closely resembles the original DLL. As a result, many security solutions may classify it as a legitimate file, which makes it important to remain cautious.
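Because a sideloading DLL is a legitimate DLL with a small patch, the quickest way to see what was changed is to compare it against a known-clean copy of the same file. The following is an added example (not code from the ASEC report or from any of the samples it describes): a stdlib-only PE section parser that hashes each section's raw data and reports which sections differ between the clean and the suspect copy. Both DLL images are constructed in the block itself with a hypothetical `build_pe` fixture helper (no optional header, not loadable); the section names and the patched bytes are illustrative, not taken from a real sample.

```python
"""Compare a suspect DLL with a known-clean copy of the same legitimate DLL,
section by section, to locate where it was modified for sideloading."""
import hashlib
import struct


def section_hashes(image):
    """Map section name -> SHA-256 of its raw data, parsed from the PE headers."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    n_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    hashes = {}
    for i in range(n_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        hashes[name] = hashlib.sha256(image[raw_ptr:raw_ptr + raw_size]).hexdigest()
    return hashes


def diff_sections(clean, suspect):
    """Sections whose raw bytes differ, plus sections only one side has."""
    a, b = section_hashes(clean), section_hashes(suspect)
    return {
        "modified": sorted(n for n in a if n in b and a[n] != b[n]),
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
    }


def build_pe(sections):
    """Constructed fixture (assumption, not a real sample): a minimal PE with the
    given (name, raw bytes) sections and no optional header. Enough for the
    parser above, not loadable by Windows."""
    n = len(sections)
    pe_off = 0x40
    data_start = pe_off + 24 + 40 * n
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, 0, 0x2022)
    table, body = b"", b""
    for i, (name, raw) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0x1000 * (i + 1),
                             len(raw), data_start + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
    return bytes(dos) + coff + table + body


# Constructed "clean" DLL and a tampered copy: a few bytes of .text patched
# (here a jump stub) and an extra section appended to hold attacker code.
_RDATA = b"LegitExport\0" * 4
_DATA = bytes(32)
CLEAN_DLL = build_pe([(".text", b"\x48\x83\xec\x28" + b"\x90" * 60 + b"\xc3"),
                      (".rdata", _RDATA), (".data", _DATA)])
SUSPECT_DLL = build_pe([(".text", b"\xe9\x00\x10\x00\x00" + b"\x90" * 59 + b"\xc3"),
                        (".rdata", _RDATA), (".data", _DATA), (".inj", b"\xcc" * 16)])

if __name__ == "__main__":
    print(diff_sections(CLEAN_DLL, SUSPECT_DLL))
```

On a real case, take the clean copy from the vendor's installer or a known-good machine rather than from the same download, and run `Get-AuthenticodeSignature` on the suspect DLL first: a patched vendor DLL fails its signature check, which is a cheaper test than the diff and catches the case where no clean reference is at hand.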
Trend #1 – Distributing a new type of Loader malware
Malware that connects to multiple fake C2s alongside the real one, then downloads and executes a malicious payload from the real C2, is being mass-distributed.

Figure 3. Network behavior information
When executed, the malware makes numerous HTTP(S) connections, only one of which downloads a JSON file from the actual C2. This file contains the malware's configuration information.

Figure 4. Data downloaded from C2
In particular, the value of ["cache"]["content"] in this JSON is XOR-encrypted; decrypting it yields a malware binary, which is then loaded as a module and executed.
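The XOR step above is the point an analyst has to reproduce to get at the payload, and the key is rarely handed over. The following is an added example (not code from the ASEC report or from the loader itself) of doing that with known plaintext: every MSVC-linked PE carries the DOS stub text "This program cannot be run in DOS mode." at offset 0x4E, so the key bytes fall out of `cipher XOR stub`, and the candidate is confirmed by checking the MZ and PE signatures of the result. It assumes a repeating-key XOR, and it assumes the content field is hex-encoded; the report summary does not show the real sample's key length or field encoding, so both are stated as assumptions. The config JSON and the PE-like blob inside it are constructed in the block.

```python
"""Recover the XOR key of the loader's ["cache"]["content"] blob and extract the
embedded module, using the DOS-stub string of a PE as known plaintext."""
import json

# Standard MSVC DOS stub text, found at this offset in most Windows PE files.
DOS_STUB_MSG = b"This program cannot be run in DOS mode.\r\r\n$"
STUB_OFFSET = 0x4E


def xor(data, key):
    """Repeating-key XOR (assumed scheme; the report only says 'XOR')."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob):
    """MZ at offset 0 and 'PE\\0\\0' at e_lfanew (the dword at 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(cipher, max_len=32):
    """Try key lengths 1..max_len. For each, derive key bytes from the known
    stub text (rejecting lengths where the same key index gets two different
    values) and accept the first candidate that decrypts to a valid PE header."""
    if len(cipher) < STUB_OFFSET + len(DOS_STUB_MSG):
        return None
    for k in range(1, max_len + 1):
        key = [None] * k
        consistent = True
        for i, p in enumerate(DOS_STUB_MSG):
            pos = STUB_OFFSET + i
            kb = cipher[pos] ^ p
            if key[pos % k] is None:
                key[pos % k] = kb
            elif key[pos % k] != kb:
                consistent = False
                break
        if not consistent or None in key:
            continue
        candidate = bytes(key)
        if looks_like_pe(xor(cipher, candidate)):
            return candidate
    return None


def extract_module(config_json):
    """Parse the downloaded config and return the decrypted module, or None.
    Assumption: the content field is hex-encoded."""
    cfg = json.loads(config_json)
    cipher = bytes.fromhex(cfg["cache"]["content"])
    key = recover_xor_key(cipher)
    return xor(cipher, key) if key else None


# --- constructed fixture: a PE-like blob encrypted with a 3-byte key ---
_plain = bytearray(0x80)
_plain[:2] = b"MZ"
_plain[0x3C:0x40] = (0x80).to_bytes(4, "little")                     # e_lfanew
_plain[0x40:0x4E] = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")    # stub code
_plain[STUB_OFFSET:STUB_OFFSET + len(DOS_STUB_MSG)] = DOS_STUB_MSG
_plain += b"PE\0\0" + b"\x64\x86" + bytes(58)                        # PE sig + partial COFF header
SAMPLE_KEY = b"\x5a\xa3\x17"
SAMPLE_CIPHER = xor(bytes(_plain), SAMPLE_KEY)
SAMPLE_CONFIG_JSON = json.dumps({"cache": {"content": SAMPLE_CIPHER.hex()}})

if __name__ == "__main__":
    module = extract_module(SAMPLE_CONFIG_JSON)
    print("key:", recover_xor_key(SAMPLE_CIPHER).hex(), "module ok:", looks_like_pe(module))
```

If a sample's stub text sits at a different offset, or the blob is additionally compressed, the known-plaintext positions change but the method does not; the PE-signature check at the end is what guards against a key that happens to fit the stub but nothing else.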
Trend #2 – Distributing AURA Stealer
Since AURA Stealer was first identified in September, it had been distributed only in small quantities, usually one or two times a month. Since last month, however, it has been distributed in significant quantities, so caution is advised. When executed, it injects itself into explorer.exe. It receives Base64-encoded configuration data from the C2, performs information theft according to this configuration, and then Base64-encodes the collected information before transmitting it to the C2. The C2 URL formats used in this process are as follows.
| URL | Purpose |
| --- | --- |
| https://{C2}/api/live | Check C2 status |
| https://{C2}/api/conf | Receive configuration file |
| https://{C2}/api/send | Send stolen information |
Table 1. AURA Stealer C2 URL format
The malware itself also holds configuration data, which includes the C2 domains, version information, build ID, and various configuration flags. There are three C2 domains, and the malware attempts to connect to them in sequence until a connection is successfully established.

Figure 5. AURA Stealer configuration data
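The three URL formats in Table 1 and the sequential walk through three C2 domains described above give a network-side pattern a defender can match without any sample in hand. The following is an added example (not code from the ASEC report or from AURA Stealer itself) that runs that detection over web-proxy log lines: per client and host, a small state machine requires /api/live, /api/conf and /api/send in that order within a time window, and a second function lists /api/live probes that got no answer, which is what the failover across the embedded domains looks like from the proxy. The log excerpt, its field layout, the host names and the ten-minute window are all constructed for the example.

```python
"""Flag clients whose proxy traffic follows the AURA Stealer C2 sequence
(/api/live -> /api/conf -> /api/send) and list the dead C2 domains they probed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log excerpt (not real traffic). Fields per line:
# timestamp, client IP, method, host, path, HTTP status (0 = no response).
SAMPLE_LOG = """\
2025-11-12T09:14:02Z 10.0.5.23 GET c2-a.example /api/live 0
2025-11-12T09:14:05Z 10.0.5.23 GET c2-b.example /api/live 200
2025-11-12T09:14:06Z 10.0.5.23 GET c2-b.example /api/conf 200
2025-11-12T09:14:21Z 10.0.5.23 POST c2-b.example /api/send 200
2025-11-12T09:15:00Z 10.0.5.40 GET intranet.example /api/live 200
2025-11-12T09:15:03Z 10.0.5.40 POST intranet.example /api/send 200
"""

AURA_SEQUENCE = ("/api/live", "/api/conf", "/api/send")
WINDOW = timedelta(minutes=10)  # assumed upper bound for one check-in cycle


def parse_log(text):
    """Parse the constructed log format into (ts, client, method, host, path, status)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       client, method.upper(), host, path, int(status)))
    return events


def find_aura_sequences(events):
    """Per (client, host), walk requests in time order with a small state
    machine; a hit needs all three paths, in order, within WINDOW."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev[4] in AURA_SEQUENCE:
            by_pair[(ev[1], ev[3])].append(ev)
    hits = []
    for (client, host), evs in by_pair.items():
        stage, start = 0, None
        for ts, _c, _m, _h, path, status in sorted(evs):
            if status == 0:                      # host never answered: not the live C2
                continue
            if path == AURA_SEQUENCE[0]:
                stage, start = 1, ts             # (re)start on every status check
            elif stage and ts - start > WINDOW:
                stage, start = 0, None           # too slow: discard the partial match
            elif stage and path == AURA_SEQUENCE[stage]:
                stage += 1
                if stage == len(AURA_SEQUENCE):
                    hits.append({"client": client, "host": host,
                                 "start": start, "end": ts})
                    stage, start = 0, None
    return hits


def failed_live_checks(events):
    """(client, host) pairs whose /api/live probe got no answer: the malware
    walks its embedded C2 domains in order, so dead ones show up here."""
    return sorted({(c, h) for _ts, c, _m, h, path, st in events
                   if path == AURA_SEQUENCE[0] and st == 0})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in find_aura_sequences(evs):
        print("AURA C2 sequence:", hit)
    print("dead C2 probes:", failed_live_checks(evs))
```

The ordering requirement is what keeps a generic `/api/live` health endpoint (the `intranet.example` client above, which never fetches `/api/conf`) from firing; the dead-host list is worth keeping separately, since a domain that fails today may be the one that answers after the actor rotates infrastructure.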
For more information on statistics not covered in this summary, statistics on the disguised target companies and original file names, distribution, and products, as well as information on Infostealers through phishing emails, please refer to the full ATIP report.