ACRStealer, an infostealer distributed under the guise of pirated software such as cracks and keygens, has seen a significant surge in distribution since the start of 2025. The malware was first observed in limited quantities in mid-2024, but its activity has since gained momentum, with February's levels matching those of January, indicating a clear upward trajectory. Researchers at the AhnLab Security Intelligence Center (ASEC) have identified its use of Google Docs as an intermediary command-and-control (C2) platform, a strategy that sets it apart from other infostealers.
ACRStealer uses a technique called Dead Drop Resolver (DDR), abusing legitimate web platforms such as Google Docs to hide the location of its real C2 server. The operators encode the actual C2 domain in Base64 and embed it within specific pages on platforms such as Google Docs Forms and Presentations. The malware fetches these pages, decodes the string, and retrieves the genuine C2 address before carrying out its malicious actions. This intermediary C2 technique has also been observed in other malware families such as Vidar and LummaC2. Unlike those, ACRStealer keeps changing the platforms and the locations where the C2 strings are embedded. For example, while earlier versions placed the strings in visible areas of Steam pages, recent samples hide them in metadata fields such as “summary,” so they are visible only in the page source. This adaptability suggests that the threat actors will continue to abuse a variety of platforms for intermediary C2 operations.
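As an added example (not code from the ASEC report or from the malware), the following Python scanner shows the defender-side counterpart of the DDR pattern described above: it sweeps a page's source, including metadata fields that never render, for Base64 tokens that decode to a domain or URL. The sample page and the placeholder domain it carries are constructed for this illustration.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Constructed sample page source (not a real Google Docs page): the "summary" field carries a Base64 placeholder domain.
SAMPLE_PAGE = """<html><head>
<meta name="summary" content="YzIuZXhhbXBsZS5pbnZhbGlk">
<meta name="description" content="Quarterly planning deck">
<title>Q1 planning</title>
</head><body><p>Welcome to the deck. Contact: aGVsbG8gd29ybGQ=</p></body></html>"""

# A decoded token counts as a hit only if it looks like a bare domain or URL.
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[:/][\w./?=&%-]*)?$", re.I)
# Candidate Base64 runs; short runs are skipped so ordinary words are rarely tried.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

def decode_if_domain(token):
    """Return the decoded text if token is valid Base64 for a domain/URL, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if DOMAIN_RE.match(text) else None

class FieldCollector(HTMLParser):
    """Gathers <meta> contents and text nodes so fields visible only in the source are checked too."""
    def __init__(self):
        super().__init__()
        self.fields = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("content"):
            self.fields.append((a.get("name") or a.get("property") or "meta", a["content"]))
    def handle_data(self, data):
        if data.strip():
            self.fields.append(("text", data))

def find_ddr_candidates(page_source):
    """Return [(field, token, decoded)] for every Base64 token that decodes to a domain/URL."""
    collector = FieldCollector()
    collector.feed(page_source)
    hits = []
    for field, value in collector.fields:
        for token in B64_TOKEN_RE.findall(value):
            decoded = decode_if_domain(token)
            if decoded:
                hits.append((field, token, decoded))
    return hits
```

Running `find_ddr_candidates(SAMPLE_PAGE)` flags only the "summary" field; the Base64 string in the visible text decodes to plain words and is ignored.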
Once operational, ACRStealer fetches configuration data from its C2 server using a hardcoded UUID format. This configuration file specifies the categories of data to be exfiltrated, including browser credentials, cryptocurrency wallets, FTP server information, email client data, VPN details, password manager files, and more. The stolen data is compressed into ZIP files before being transmitted to the C2 server. The malware targets a wide array of programs and file types, including popular browsers (e.g., Chrome, Firefox), cryptocurrency wallets (e.g., MetaMask, Trust Wallet), remote access tools (e.g., AnyDesk), and password managers (e.g., LastPass). Moreover, it extends its reach to browser extensions and plugins associated with cryptocurrency and authentication services.
The escalating distribution of ACRStealer underscores its burgeoning threat to users globally. By leveraging trusted platforms like Google Docs for malicious intents, the malware eludes conventional detection mechanisms. Users are strongly advised to steer clear of downloading illegal software from unreliable sources and maintain vigilance against dubious online activities. As cybercriminals refine their strategies, organizations must implement proactive measures to effectively detect and mitigate such threats.
In conclusion, the surge in ACRStealer’s distribution and its advanced C2 communication methods highlight the evolving landscape of cybersecurity threats. Awareness, caution, and robust security measures are crucial in safeguarding against the ever-changing tactics employed by cybercriminals. Stay informed, stay vigilant, and stay protected in the digital realm.