New Malware Campaign Uses Cracked Software to Spread Lumma and ACR Stealer

Avatar
Cybersecurity researchers are warning of a new campaign that leverages cracked versions of software as a lure to distribute information stealers like Lumma and ACR Stealer. The AhnLab Security Intelligence Center (ASEC) said it has observed a spike in the distribution volume of ACR Stealer since January 2025. A notable aspect of the stealer malware is the use of a technique called dead drop

Cybersecurity researchers are warning of a new campaign that leverages cracked versions of software as a lure to distribute information stealers like Lumma and ACR Stealer.

The AhnLab Security Intelligence Center (ASEC) said it has observed a spike in the distribution volume of ACR Stealer since January 2025.

A notable aspect of the stealer malware is the use of a technique called dead drop resolver to extract the actual command-and-control (C2) server. This includes relying on legitimate services like Steam, Telegram’s Telegraph, Google Forms, and Google Slides.

“Threat actors enter the actual C2 domain in Base64 encoding on a specific page,” ASEC said. “The malware accesses this page, parses the string, and obtains the actual C2 domain address to perform malicious behaviors.”

ACR Stealer, previously distributed via Hijack Loader malware, is capable of harvesting a wide range of information from compromised systems, including files, web browser data, and cryptocurrency wallet extensions.

The development comes as ASEC revealed another campaign that uses files with the extension “MSC,” which can be executed by the Microsoft Management Console (MMC), to deliver the Rhadamanthys stealer malware.

“There are two types of MSC malware: one exploits the vulnerability of apds.dll (CVE-2024-43572), and the other executes the ‘command’ command using Console Taskpad,” the South Korean company said.

“The MSC file is disguised as an MS Word document. “When the ‘Open’ button is clicked, it downloads and executes a PowerShell script from an external source. The downloaded PowerShell script contains an EXE file (Rhadamanthys).”

CVE-2024-43572, also called GrimResource, was first documented by the Elastic Security Labs in June 2024 as having been exploited by malicious actors as a zero-day. It was patched by Microsoft in October 2024.

Malware campaigns have also been observed exploiting chat support platforms like Zendesk, masquerading as customers to trick unsuspecting support agents into downloading a stealer called Zhong Stealer.

According to a recent report published by Hudson Rock, over 30,000,000 computers have been infected by information stealers in the “past few years,” leading to the theft of corporate credentials and session cookies that could then be sold by cybercriminals on underground forums to other actors for profit.

The buyers could weaponize the access afforded by these credentials to stage post-exploitation actions of their own, leading to severe risks. These developments serve to highlight the role played by stealer malware as an initial access vector that provides a foothold to sensitive corporate environments.

“For as little as $10 per log (computer), cybercriminals can purchase stolen data from employees working in classified defense and military sectors,” Hudson Rock said. “Infostealer intelligence isn’t just about detecting who’s infected — it’s about understanding the full network of compromised credentials and third-party risks.”

Over the past year, threat actors have also been ramping up efforts to spread a variety of malware families, including stealers and remote access trojans (RATs), through a technique called ClickFix that often entails redirecting users to fake CAPTCHA verification pages instructing them to copy and execute nefarious PowerShell commands.

One such payload dropped is I2PRAT, which employs the I2P anonymization network to anonymize its final C2 server.

“The malware is an advanced threat composed of multiple layers, each incorporating sophisticated mechanisms,” Sekoia said. “The use of an anonymization network complicates tracking and hinders the identification of the threat’s magnitude and spread in the wild.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

⚡ THN Weekly Recap: From $1.5B Crypto Heist to AI Misuse & Apple’s Data Dilemma

Next Post

North Korea’s Lazarus hackers behind $1.4 billion crypto theft from Bybit, researchers say

Related Posts

How Long Does It Take Hackers to Crack Modern Hashing Algorithms?

While passwords remain the first line of defense for protecting user accounts against unauthorized access, the methods for creating strong passwords and protecting them are continually evolving. For example, NIST password recommendations are now prioritizing password length over complexity. Hashing, however, remains a non-negotiable. Even long secure passphrases should be hashed to prevent them
Avatar
Read More

AI in Cybersecurity: What’s Effective and What’s Not – Insights from 200 Experts

Curious about the buzz around AI in cybersecurity? Wonder if it's just a shiny new toy in the tech world or a serious game changer? Let's unpack this together in a not-to-be-missed webinar that goes beyond the hype to explore the real impact of AI on cybersecurity. Join Ravid Circus, a seasoned pro in cybersecurity and AI, as we peel back the layers of AI in cybersecurity through a revealing
Avatar
Read More

DoJ Indicts Three Russians for Operating Crypto Mixers Used in Cybercrime Laundering

The U.S. Department of Justice (DoJ) on Friday indicted three Russian nationals for their alleged involvement in operating the cryptocurrency mixing services Blender.io and Sinbad.io. Roman Vitalyevich Ostapenko and Alexander Evgenievich Oleynik were arrested on December 1, 2024, in coordination with the Netherlands' Financial Intelligence and Investigative Service, Finland's National Bureau of
Avatar
Read More