November 2025 Infostealer Trend Report

This report provides statistics, trends, and case information on Infostealer malware collected and analyzed during the month of November 2025, including distribution volume, distribution channels, and disguising techniques. The following is a summary of the report.

1) Data Source and Collection Method

The AhnLab SEcurity intelligence Center (ASEC)

Distribution of Backdoor Malware with Legitimate Signature, Disguised as Steam Cleanup Tool

Multiple cases have been reported in which malware is distributed disguised as “SteamCleaner”, a tool for cleaning up the client of the popular game platform Steam. When a system is infected with this malware, a malicious Node.js script resides on the user’s PC and communicates with the C2 server periodically, allowing threat actors

August 2025 Infostealer Trend Report

This report provides statistics, trends, and case information on Infostealer, including distribution volume, distribution methods, and disguises based on the data collected and analyzed in August 2025. The following is a summary of the original report.

1) Data Source and Collection Methods

AhnLab SEcurity intelligence Center (ASEC) operates

Distribution of SmartLoader Malware via GitHub Repository Disguised as a Legitimate Project

AhnLab SEcurity intelligence Center (ASEC) has recently discovered the massive distribution of SmartLoader malware through GitHub repositories. These repositories are carefully crafted to appear as legitimate projects and are attracting user interest by focusing on topics such as game cheats, software cracks, and automation tools. Each repository contains a README

New Variant of ACRStealer Actively Distributed with Modifications

ACRStealer is an Infostealer that has been distributed since last year, and it has been actively distributed since early this year. AhnLab SEcurity intelligence Center (ASEC) has previously covered ACRStealer, which utilizes Google Docs and Steam as a C2 via a Dead Drop Resolver (DDR) technique. [AhnLab SEcurity intelligence

Ransomware Disguised as Password Cracker (Extension Changed to .NS1419)

The AhnLab SEcurity intelligence Center (ASEC) recently discovered ransomware being distributed disguised as a password cracker tool. Such tools are typically used in brute force attacks. Brute force attacks involve trying every possible combination to find the correct password. Attackers repeatedly attempt to breach a system’s authentication procedure to steal

Atomic Stealer Malware Disguised as Crack Program (macOS)

AhnLab SEcurity intelligence Center (ASEC) has discovered the Atomic Stealer malware being distributed disguised as the Evernote Crack program. Atomic Stealer is an information-stealing malware for macOS. It steals data such as browser information, system keychain, wallet, and system information. It is mainly distributed through installation files such as pkg

ViperSoftX Malware Distributed by Arabic-Speaking Threat Actor

AhnLab SEcurity intelligence Center (ASEC) uncovered that attackers, suspected to be Arabic speakers, have been distributing ViperSoftX malware targeting Korean victims since April 1, 2025. ViperSoftX is typically spread through cracked software or torrents, masquerading as legitimate programs. The main characteristic of ViperSoftX is that it operates as a PowerShell

LummaC2 Malware Distributed Disguised as Total Commander Crack

AhnLab SEcurity intelligence Center (ASEC) has discovered the LummaC2 malware being distributed disguised as the Total Commander tool. Total Commander is a file manager for Windows that supports various file formats. It offers convenient file management features such as copy and move features, advanced search using strings within files, folder

ACRStealer Infostealer Exploiting Google Docs as C2

AhnLab SEcurity intelligence Center (ASEC) monitors the distribution of Infostealer malware disguised as illegal programs such as cracks and keygens, and publishes related trends and changes through AhnLab TIP and ASEC Blog posts. While the majority of the malware distributed in this manner has been the LummaC2 Infostealer, the