April 2026 Infostealer Trend Report


Content


This report summarizes the trends in new infostealers collected during April 2026, including distribution channels, malware distribution methods, malware quantity, detection quantity, and disguised targets. The data is based on ASEC's Automated Data Collection System, Email Honeypot System, and AhnLab product detection results.

Purpose and Scope


The report covers infostealers disguised as cracks and keygens, infostealers distributed via email, infostealers distributed on macOS, and overall infostealer statistics. Information was collected and analyzed through AhnLab's in-house systems: the Email Honeypot, the Malware C2 Automated Analysis System, and the ATIP Real-Time IOC Service.

Key Statistics


  • Infostealers disguised as cracks in April included ACRStealer, LummaC2, and Remus Infostealer. Distribution relied on SEO poisoning (placing malicious pages at the top of search results) and on file hosting and cloud storage services such as Mega and Mediafire.
  • The domains observed, by count: springsidefile.s3.us-east-1.amazonaws.com (404), mega.nz (270), good26.s3.us-east-1.amazonaws.com (204), mediafire.com (185), getshared.com (18), and com.s3.us-east-2.amazonaws.com (11).
  • The impersonated organizations were Microsoft Corporation (6 cases), Sysinternals – http://www.sysinternals.com (4 cases), JetBrains s.r.o. (3 cases), Cyber Holding Partners LLC (3 cases), and Seiko Epson Corporation (3 cases).
  • By execution type, approximately 85.9% were EXE and 14.1% used DLL side-loading. The malicious DLLs used for side-loading were python35.dll (18 cases), python36.dll (11 cases), python315.dll (7 cases), python310.dll (2 cases), and borlndmm.dll (1 case).
  • In the macOS environment, the ClickFix technique (tricking the user into pasting a malicious command into the terminal and executing it) and downloads of malicious Bash scripts were used. In April, 800 scripts and 33 C2 domains were collected.
  • The new infostealer Remus receives its configuration from the C2 in stages: it performs information theft, sends the results, and then requests further settings. It uses the dead drop resolver technique, querying Ethereum smart contracts through https://eth.llamarpc.com. C2 communication is encrypted with ChaCha20, with the key and IV stored at different locations for incoming and outgoing data.
  • At the time of the Remus analysis, the C2 was configured to steal mail client information, FTP client information, cryptocurrency wallet information, and .txt files with a specific path or specific content. In the final stage, the ability to download additional malware was also confirmed.
  • In the email distribution cases, the emails were disguised as coming from a Pakistani manufacturing company and a US manufacturing company. The first case used AgentTesla and the second DarkCloud Infostealer. AgentTesla can exfiltrate via FTP, Telegram, SMTP, and other channels; this sample used SMTP. DarkCloud collects document files, keylogging data, email client information, browser information, screenshots, and cryptocurrency wallet information; this sample also used SMTP.
  • In the overall infostealer statistics, LummaC2 had the largest volume, followed by Vidar, AgentTesla, and ACRStealer.
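As an added example (not code from the report or from AhnLab), a triage heuristic for the DLL side-loading finding above: it flags directories where one of the listed DLL names sits next to an EXE other than python.exe, and runs against a constructed placeholder tree rather than real samples. The function names and the sample layout are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# DLL names the report lists for the DLL side-loading cases.
SIDELOAD_DLLS = {"python35.dll", "python36.dll", "python315.dll",
                 "python310.dll", "borlndmm.dll"}


def find_sideload_candidates(root):
    """Walk root and return triage candidates: a watched DLL sitting next to an
    EXE that is not python.exe. A python3x.dll beside python.exe is treated as a
    normal interpreter install and skipped. Results are candidates for analyst
    review, not verdicts (borlndmm.dll also ships with legitimate Delphi apps)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        names = {f.lower() for f in files}
        watched = names & SIDELOAD_DLLS
        if not watched or "python.exe" in names:
            continue
        exes = sorted(n for n in names if n.endswith(".exe"))
        if not exes:
            continue
        for dll in sorted(watched):
            real_name = next(f for f in files if f.lower() == dll)
            digest = hashlib.md5((Path(dirpath) / real_name).read_bytes()).hexdigest()
            hits.append({"dir": dirpath, "dll": dll, "md5": digest, "exes": exes})
    return hits


def build_sample_tree():
    """Constructed sample layout with placeholder files (no real binaries)."""
    root = Path(tempfile.mkdtemp(prefix="sideload_"))
    layout = {
        "KeygenBundle": ["KeygenSetup.exe", "python36.dll"],  # candidate
        "Python36": ["python.exe", "python36.dll"],          # normal install
        "Tools": ["tool.exe", "helper.dll"],                 # nothing watched
    }
    for subdir, files in layout.items():
        (root / subdir).mkdir()
        for name in files:
            (root / subdir / name).write_bytes(b"placeholder: " + name.encode())
    return root


def demo():
    """Run the check over the constructed tree; expect a single hit."""
    return find_sideload_candidates(build_sample_tree())
```

The MD5 in each hit is there so an analyst can compare a flagged DLL against an IoC list; the directory heuristic alone will also surface benign software that bundles these DLLs.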

Conclusion


Infostealer threat groups continue to target both organizations and individual users through a variety of distribution methods. Stolen information can be traded on the dark web or used in follow-on attacks, so users should be cautious of untrusted links and attachments, avoid cracks and keygens, be wary of browser account-saving features, keep important documents encrypted, change passwords regularly and use 2FA, and keep security software up to date.

MD5

URL
