June 2026 Infostealer Trend Report

June 2026 Infostealer Trend Report

Contents


This report summarizes the distribution channels, number of Infostealers, number of detections, and information on companies disguised by new Infostealers collected during June 2026. The collected samples were obtained through an automated data collection system, an email honeypot system, and an automated malware C2 analysis system operated by ASEC (AhnLab SEcurity intelligence Center).

Purpose and Scope


This report was prepared to track trends in the number of Infostealer malware distributions, spear-phishing techniques, and distribution methods. Malware categories were classified based on the results of the AhnLab sandbox and automated analysis systems, as well as detection names. Statistics on companies used to disguise themselves were extracted based on the version and certificate information used in the malware; these companies are not involved in the malware distribution.

Key Statistics


In cases where malware was disguised as illegal software such as cracks and keygens, the use of SEO poisoning to rank highly in search results was observed. In June, Remus, ACRStealer, LummaC2, and Vidar were distributed. Distribution sites were predominantly Mediafire, Mega, and cloud storage-type sites, and Microsoft Corporation was the most frequently impersonated company.

Approximately 84.5% Of the attacks involved EXE files, while DLL side-loading accounted for about 15.5%. For DLL side-loading, files such as python37.Dll, LcMgr.Dll, and python315.Dll were used. In macOS environments, methods such as ClickFix (prompting users to copy malicious commands and run them in Terminal) and the download of malicious Bash scripts were used; four such scripts were collected in June.

One variant of the macOS distribution method evolved to dynamically obtain C2 addresses by querying Polygon smart contracts (blockchain contract Data), and it was characterized by creating a .Plist file to run as a LaunchAgent.

In email-based distribution cases, AgentTesla was identified in emails disguised as messages from a Japanese materials company, while DarkCloud was found in emails posing as messages from an Indian electronics components manufacturer. Both lured recipients into opening executable files through compressed attachments and used SMTP to transmit information.

Conclusion


Infostealer threat groups continue to spread among enterprises and individual users through various means, including disguising themselves as Infostealers that are disguised as cracks, exploiting legitimate websites, conducting email campaigns, and targeting macOS systems. Since stolen information can be traded on the dark web or used for secondary attacks, it is essential to exercise caution with untrusted links and Attachments, avoid using illegal software, be mindful of browser storage features, encrypt important documents, change passwords periodically, use two-factor authentication (2FA), and keep security software up to date.

MD5

02c7d78e6c5816f1df250f995a776aa2
03663f2f81da94cd204837e4bde772ff
03e99ceede013fe1b50a0e06c1f0a02c
042db31ea5443d78aeee714556813a28
04d91c168c7617c38199983858cfbb4e
FQDN

apdhlhs3[.]xyz
bduwih8[.]pro
johncon[.]my