The cybersecurity landscape in June 2025 was dominated by a surge of Infostealer malware masked as cracked or key-generated software, catapulting this tactic to the month’s most prevalent attack vector.
Fraudulent download portals advertising “free” versions of popular tools lured victims through aggressive search-engine-optimization (SEO) poisoning, ensuring that malicious links ranked above legitimate sources and evaded routine scrutiny.
Once a user clicked a download banner, a password-protected archive—its credentials sometimes hidden inside an image rather than a text file—delivered the payload, complicating automated sandbox analysis.
ASEC researchers noted that threat actors posted these download links across reputable forums, Q&A boards, and even political organizations’ websites, bypassing traditional perimeter filtering.
Although the long-dominant LummaC2 family receded, new builds of Rhadamanthys, Vidar, StealC, and especially a re-engineered ACRStealer filled the vacuum.
The total volume of collected samples fell compared with May, yet ASEC’s automated collection platform intercepted most binaries days before they appeared on VirusTotal, highlighting an accelerating detection–distribution arms race.
The economic impact is considerable. Infostealers exfiltrate browser cookies, cryptocurrency wallets, and corporate credentials within seconds, facilitating follow-on ransomware or business-email-compromise attacks.
Enterprises also face reputational damage as compromised employee devices become launchpads for lateral movement.
With 94.4% of June samples packaged as standalone executables and 5.6% relying on DLL side-loading, defenders must scrutinize both portable binaries and seemingly benign file pairs masquerading inside software cracks.
Infection Mechanism
Execution begins immediately after the victim unzips the archive and launches the fake installer.
For EXE-only campaigns, the binary drops itself into %ProgramFiles(x86)%\Windows NT\TableTextService\svchost.exe and establishes persistence by writing a Run key—an approach that blends into legitimate Windows services.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" ^
/v TableTextServiceStartup ^
/t REG_SZ ^
/d "%ProgramFiles(x86)%\Windows NT\TableTextService\svchost.exe" ^
/f
DLL side-loading variants place a modified DLL next to a genuine signed executable; Windows’ default search order then silently loads the malicious library, preserving the host file’s signature and evading application-whitelisting engines.
Once resident, the newest ACRStealer samples manually map ntdll.dll, invoke Heaven’s Gate to switch to 64-bit mode on 32-bit processes, and disguise outbound traffic by spoofing host headers that point to microsoft.com while tunneling data to attacker-controlled domains.
These anti-analysis tricks frustrate heuristic detection, allowing the malware to siphon credentials and session tokens before many endpoint solutions trigger.
Network defenders should monitor for anomalous connections to known cloud-storage services immediately after new executable launches, deploy YARA rules targeting password-protected archives shipped via search-engine links, and validate unsigned binaries in Windows NT subdirectories.
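The Run-key persistence described above and the advice to check binaries in Windows NT subdirectories can be turned into a simple audit. The following is an added example, not ASEC’s or the article’s code: it runs over a constructed set of HKCU Run values (as exported by reg query or EDR telemetry) and flags any entry that launches a file named svchost.exe from outside System32/SysWOW64, or that starts a binary from a Program Files\Windows NT subdirectory. The environment-variable values are assumed defaults of a 64-bit Windows install.

```python
import ntpath
import re

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values.
# "TableTextServiceStartup" mirrors the persistence described on this page;
# the other entries are benign-looking examples made up for the test.
SAMPLE_RUN_VALUES = {
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "TableTextServiceStartup": r"%ProgramFiles(x86)%\Windows NT\TableTextService\svchost.exe",
    "Updater": r"C:\Program Files\Vendor\updater.exe --quiet",
    "AccessHelper": r"%ProgramFiles%\Windows NT\Accessories\helper.exe",  # constructed
}

# Assumed environment values for %VAR% expansion (64-bit Windows defaults).
ENV = {
    "ProgramFiles(x86)": r"C:\Program Files (x86)",
    "ProgramFiles": r"C:\Program Files",
    "SystemRoot": r"C:\Windows",
    "windir": r"C:\Windows",
}

# The only directories where a genuine svchost.exe lives.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def expand_env(value: str) -> str:
    """Expand %VAR% tokens from ENV, case-insensitively as cmd.exe does."""
    lower = {k.lower(): v for k, v in ENV.items()}
    return re.sub(r"%([^%]+)%", lambda m: lower.get(m.group(1).lower(), m.group(0)), value)

def image_path(run_value: str) -> str:
    """Return the executable path of a Run value, stripping quotes and arguments."""
    value = expand_env(run_value.strip())
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    # Unquoted value: the path ends at the first ".exe" token; the rest is arguments.
    m = re.match(r"(.+?\.exe)(\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value.split()[0]

def suspicious_run_entries(run_values: dict) -> dict:
    """Map value name -> reason for every Run entry matching the page's indicators."""
    findings = {}
    for name, raw in run_values.items():
        path = image_path(raw)
        low = path.lower()
        if ntpath.basename(low) == "svchost.exe" and not low.startswith(SYSTEM_DIRS):
            findings[name] = f"svchost.exe outside System32/SysWOW64: {path}"
        elif "program files" in low and "\\windows nt\\" in low:
            findings[name] = f"launches from a Program Files\\Windows NT subdirectory, verify signature: {path}"
    return findings
```

Legitimate software does not register svchost.exe under a Run key, so the first rule is a high-confidence indicator; the second is a triage hint that pairs with the Authenticode check the article recommends.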
Given the rapid appearance of obfuscated ACRStealer builds and the proven efficacy of SEO poisoning, incident-response teams must prioritize web-filtering policies that demote crack-related content and accelerate sandboxing of any archive whose password is revealed only upon extraction.