Saturday, December 13, 2025

June 2025 Sees Surge in Infostealer Attacks via Cracked Apps

A new report from AhnLab Security Intelligence Center (ASEC) reveals a significant uptick in Infostealer malware campaigns throughout June 2025, with cybercriminals increasingly exploiting cracked applications and illegal software downloads as their primary distribution method.

Using advanced SEO poisoning tactics, threat actors have been able to push malicious posts to the top of search engine results, tricking unsuspecting users into downloading compromised files.

According to ASEC’s findings, malware disguised as cracks, keygens, and pirated software was predominantly distributed via legitimate websites, forums, and even company Q&A boards.

Notably, criminals posted malware links on well-known platforms such as company homepages and SourceForge, effectively bypassing traditional security filters.

Through automated collection and analysis systems, AhnLab tracked malware volumes and C2 (command & control) activity in real time, providing actionable threat intelligence to clients via the ATIP IOC service.

LummaC2 previously dominated the landscape, but June saw a diversification as ACRStealer, Rhadamanthys, Vidar, and StealC surfaced in larger numbers.

Particularly concerning is the emergence of a newly modified ACRStealer variant, which began circulating on a large scale from late May, leading into June.

New Infostealer Trends: Evasion and Deception Techniques

AhnLab’s data shows that 94.4% of the Infostealers observed in June were delivered as standalone EXE files, with the remaining 5.6% using DLL side-loading.

In this method, a malicious DLL is loaded alongside a legitimate EXE. This approach makes detection challenging, as the tainted DLLs closely resemble authentic files, sometimes allowing them to slip past conventional cybersecurity solutions.
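The side-loading pattern described above has a simple telemetry signature: a DLL whose file name matches a well-known Windows system DLL is loaded from the application's own directory instead of the Windows system folders. The following is an added example of that detection heuristic, not code from ASEC or the report; the event format, the sample events and the list of impersonated DLL names are constructed assumptions for illustration.

```python
"""Heuristic detector for DLL side-loading from module-load telemetry.

Added example (not from the ASEC report). Flags a DLL that shares its name
with a well-known Windows system DLL but was loaded from outside the Windows
system directories, especially when it sits next to the loading EXE or is
unsigned. The event layout and sample data below are constructed.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

# System DLL names that side-loaded copies commonly impersonate.
# This list is an assumption for the example, not taken from the report.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll", "cryptbase.dll",
}

# Directories from which a system DLL is expected to load (lower-cased).
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


@dataclass(frozen=True)
class ImageLoad:
    """One constructed module-load event (assumed telemetry shape)."""
    process: str   # full path of the EXE that loaded the module
    image: str     # full path of the loaded DLL
    signed: bool   # whether the DLL carried a valid Authenticode signature


def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """Return True when the event looks like a side-loaded system DLL."""
    name = ntpath.basename(ev.image).lower()
    if name not in SYSTEM_DLL_NAMES:
        return False                      # not a name worth impersonating
    if ev.image.lower().startswith(SYSTEM_DIRS):
        return False                      # loaded from the expected place
    # Outside the system folders: flag if it lives beside the EXE or is unsigned.
    same_dir = ntpath.dirname(ev.image).lower() == ntpath.dirname(ev.process).lower()
    return same_dir or not ev.signed


def find_sideloads(events: Iterable[ImageLoad]) -> List[ImageLoad]:
    """Filter a stream of events down to the suspicious ones."""
    return [e for e in events if is_suspicious_sideload(e)]


# Constructed sample events: one benign load, one side-load, one unrelated DLL.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\App\app.exe",
              r"C:\Windows\System32\version.dll", signed=True),
    ImageLoad(r"C:\Users\user\Downloads\crack\setup.exe",
              r"C:\Users\user\Downloads\crack\version.dll", signed=False),
    ImageLoad(r"C:\Users\user\Downloads\crack\setup.exe",
              r"C:\Users\user\Downloads\crack\helper.dll", signed=False),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"possible side-load: {hit.process} loaded {hit.image}")
```

The heuristic is deliberately narrow: it only fires on names that belong in the system folders, so an application shipping its own helper DLLs does not trigger it. Legitimate software that redistributes a copy of a system DLL will still produce hits, so the rule is a triage signal to pair with signature and reputation checks rather than a blocking control.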

Figure: Page distributing malware

The modified ACRStealer variant utilizes sophisticated evasion tactics, including NT function calls for C2 communication and HTTP domain spoofing.

It also integrates anti-analysis techniques like NTDLL manual mapping and Heaven’s Gate, making it harder for security analysts to dissect.

Meanwhile, another novel attack involved an installer GUI which, after execution, copied itself to a concealed Windows NT directory and registered for auto-run at system startup.

Upon the next boot, the malware displayed an uncloseable window over the user’s browser, coercing users to download what appeared to be a legitimate browser update, thereby opening the door for further infections.

In a further development, attackers are deploying compressed Infostealer payloads with passwords hidden in image files, aiming to thwart automated password recovery features used by some cybersecurity tools.

Ongoing Vigilance Urged

Though malware volumes dipped somewhat in June compared to previous months, mainly due to a fall in LummaC2 activity, analysts caution that Infostealer operations are continually evolving.

Enterprises and individuals are advised to exercise caution when downloading files, especially from unofficial sources, and to stay informed through services like ATIP for real-time threat updates.

IOCs

MD5

01542f203172d51d65bb37ce2cc2d813

0896888ab8c9278da66138d2a0c5e713

08a441a738a7a323abb97c576f619a22
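The three MD5 hashes above can be consumed directly by a file scanner. The following is an added example, not tooling from AhnLab or the report, that walks a directory tree, hashes each file and reports matches against the published IOCs; the sample file contents used for the self-check are constructed and do not match any of the hashes.

```python
"""Match files on disk against the MD5 IOCs published in the report.

Added example (not from ASEC). The IOC set below is taken from the report;
the sample inputs in the self-check are constructed.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Set, Tuple

# MD5 IOCs as listed in the report.
IOC_MD5: Set[str] = {
    "01542f203172d51d65bb37ce2cc2d813",
    "0896888ab8c9278da66138d2a0c5e713",
    "08a441a738a7a323abb97c576f619a22",
}


def md5_of_bytes(data: bytes) -> str:
    """Lower-case hex MD5 of an in-memory buffer."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large downloads do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_buffers(files: Dict[str, bytes], iocs: Iterable[str] = IOC_MD5) -> List[Tuple[str, str]]:
    """Return (name, md5) for every buffer whose hash is in the IOC set."""
    wanted = {h.lower() for h in iocs}
    return [(name, md5_of_bytes(data)) for name, data in files.items()
            if md5_of_bytes(data) in wanted]


def scan_directory(root: str, iocs: Iterable[str] = IOC_MD5) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, md5) for every file matching an IOC."""
    wanted = {h.lower() for h in iocs}
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue          # unreadable or vanished file; skip, keep scanning
            if digest in wanted:
                hits.append((path, digest))
    return hits


# Constructed sample buffers standing in for downloaded files.
SAMPLE_FILES = {
    "setup.exe": b"MZ" + b"\x00" * 62 + b"constructed benign stub",
    "readme.txt": b"This is a constructed text file.",
}

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in scan_directory(root):
        print(f"IOC match: {path} ({digest})")
```

Run it as `python scan.py <download-folder>`; an empty result means none of the listed hashes were found, not that the folder is clean, since the report's IOC list covers only the samples ASEC chose to publish.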
