March 2026 Infostealer Trend Report
Description.
This report analyzes Infostealer distribution trends and cases collected during March 2026. It is based on data collected through ASEC's automated collection and analysis system and ATIP's real-time IOC service.
Purpose and Scope.
The purpose of the analysis is to identify trends in sample volume, distribution methods, and disguising techniques. The scope covers Infostealer samples and associated C2 information from Windows and macOS environments.
Key statistics.
Windows samples are approximately 82.6% EXE files and 17.4% DLL side-loading. For macOS distribution, 472 Bash scripts and 117 C2 domains were collected in March. ACRStealer, Vidar, and LummaC2 were identified as the main malware families.
Key Techniques and Practices.
Threat actors disguise malware as illegal software such as cracks and keygens and rely on SEO poisoning. There is increased use of posts injected into legitimate message boards, forums, and administrative WordPress pages. DLL side-loading samples are characterized by modifications that make them resemble legitimate DLLs in order to evade detection. The macOS distribution uses the ClickFix method, dynamically placing malicious commands on the clipboard so that the victim triggers execution in the terminal; samples mutate extremely quickly, with sample hashes changing on a minute-to-hour basis. An ACRStealer distribution was also identified that abuses the Ren'Py game package to decrypt and execute encrypted data.
Conclusion.
The diversification of distribution techniques and the platform-specific characteristics of each campaign make detection and blocking more difficult. Responding quickly through automated collection and analysis and by providing real-time IOCs is therefore important, particularly because hash-based indicators age rapidly. Monitoring and validation procedures for techniques such as DLL side-loading and macOS ClickFix need to be strengthened.