May 2026 Infostealer Trend Report

Content


This report summarizes the distribution channels, number of infostealers, number of detections, target companies, and execution types of new infostealers collected during the month of May 2026. The collected samples were analyzed based on data from AhnLab SEcurity intelligence Center (ASEC)’s automated data collection system, Email Honeypot system, automated malware C2 analysis system, and AhnLab product diagnostic logs.

Purpose and Scope


This report covers infostealers disguised as illegal software such as cracks and keygens, infostealers distributed via emails, the current status of macOS distribution, and major variants and C2 information from May. According to the report, relevant information and C2 data can be viewed in real time via AhnLab TIP (Threat Intelligence Platform, hereinafter ATIP) and the ATIP Real-Time IOC Service.

Key Statistics


  • In cases of distribution disguised as cracks, the infostealers ACRStealer, Remus, and LummaC2 were identified.
  • Distribution domains identified included Mediafire.com, springsidefile.s3.us-east-1.amazonaws.com, good26.s3.us-east-1.amazonaws.com, and mega.nz.
  • Microsoft Corporation was the most frequently impersonated company, followed by Auslogics, NVIDIA Corporation, Virtual Holding Resources, LLC, and Adobe Inc.
  • In terms of execution types, EXE files accounted for approximately 78.9%, while DLL side-loading (a technique that loads a malicious DLL alongside a legitimate EXE) accounted for approximately 21.1%.
  • The DLLs used for DLL side-loading included libvlccore.dll, VulcanMessage5.dll, LcMgr.dll, and SDL2.dll.
  • In the macOS environment, ClickFix (a method that tricks users into copying and executing malicious commands in the Terminal) and malicious Bash script downloads were used; 142 scripts and 12 C2 domains were collected in May.
  • The Remus infostealer began to be distributed on a large scale, accounting for 36% of all malware distribution via this method during the month of May.
  • In email-based distribution cases, AgentTesla and DarkCloud were identified. AgentTesla can transmit data via FTP, Telegram, SMTP, and other methods; this particular sample used SMTP. DarkCloud can collect document files, keylogging data, email client information, browser information, screenshots, and cryptocurrency wallet information.
  • In the overall infostealer statistics, LummaC2 was the most prevalent, while Vidar, AgentTesla, and ACRStealer were actively distributed.
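The DLL side-loading figure above is the one a detection engineer would most want to act on. The following is an added example, not code from the report or from AhnLab: a small triage routine over module-load telemetry that flags the four DLL names the report lists when they are loaded from the same directory as the loading EXE, outside normal install locations, and without a valid signature. The event shape, the trusted-directory patterns and the sample events are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# DLL names the report lists as used for side-loading in May 2026.
SIDELOAD_DLLS = {"libvlccore.dll", "vulcanmessage5.dll", "lcmgr.dll", "sdl2.dll"}

# Directories from which a legitimately installed copy of these DLLs would
# normally be loaded (assumption for this example; tune per environment).
TRUSTED_DIR_PATTERNS = [
    re.compile(r"^[a-z]:\\windows\\", re.I),
    re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I),
]


@dataclass(frozen=True)
class ModuleLoad:
    """One image-load event (hypothetical schema, e.g. from EDR or Sysmon)."""
    process_path: str    # full path of the EXE that loaded the module
    module_path: str     # full path of the DLL that was loaded
    module_signed: bool  # whether the DLL carries a valid Authenticode signature


def is_trusted_dir(path: str) -> bool:
    return any(p.match(path) for p in TRUSTED_DIR_PATTERNS)


def dirname_lower(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def basename_lower(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def sideload_suspects(events):
    """Return events matching the side-loading pattern: a DLL from the
    report's list, loaded from the EXE's own directory, outside trusted
    install locations, and not validly signed."""
    hits = []
    for ev in events:
        if basename_lower(ev.module_path) not in SIDELOAD_DLLS:
            continue
        same_dir = dirname_lower(ev.module_path) == dirname_lower(ev.process_path)
        if same_dir and not is_trusted_dir(ev.module_path) and not ev.module_signed:
            hits.append(ev)
    return hits


# Constructed sample events (not taken from the report).
SAMPLE_EVENTS = [
    # Legitimate VLC install: same directory, but trusted location and signed.
    ModuleLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe",
               r"C:\Program Files\VideoLAN\VLC\libvlccore.dll", True),
    # Renamed legitimate EXE dropped in Downloads beside an unsigned DLL.
    ModuleLoad(r"C:\Users\alice\Downloads\Setup_Crack\vlc.exe",
               r"C:\Users\alice\Downloads\Setup_Crack\libvlccore.dll", False),
    # Same pattern with SDL2.dll from a temp directory.
    ModuleLoad(r"C:\Users\alice\AppData\Local\Temp\game\launcher.exe",
               r"C:\Users\alice\AppData\Local\Temp\game\SDL2.dll", False),
    # Unrelated system DLL: not on the list.
    ModuleLoad(r"C:\Users\alice\AppData\Local\Temp\tool\tool.exe",
               r"C:\Windows\System32\kernel32.dll", True),
]

if __name__ == "__main__":
    for ev in sideload_suspects(SAMPLE_EVENTS):
        print(f"suspect: {ev.process_path} loaded {ev.module_path}")
```

The signature check matters: the legitimate EXE is usually signed, so the signal is the unsigned DLL sitting next to it in a user-writable directory, not the EXE itself.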

Conclusion


Infostealer threat groups are using various distribution methods to target individuals and businesses, and the stolen information may be traded on the dark web or used for secondary attacks. The report concludes that users should exercise caution when opening links or attachments from untrusted websites and emails, using cracked software or keygens, or relying on browser account-saving features. It also emphasizes the need to use file encryption for important documents, change passwords periodically, use two-factor authentication (2FA), and keep security software up to date.

MD5

03b24f56cafa09024e80b105c667b027
055df00e748fe55d5bbc0bd33067325e
0a437c4161b4ed8de7850f8de970824d
0b8a891324d65f3d9e08dd04980cb66e
0d1f6685b4e284f92ef25c0f9358bcdc

URL

http[:]//ablackb[.]shop[:]5321/
http[:]//ciuzdaw[.]shop[:]7673/
http[:]//cloxaa[.]shop[:]9895/
http[:]//comples[.]biz[:]8768/
http[:]//dafkov[.]shop[:]6843/