August 2025 Infostealer Trend Report

Sept. 16, 2025, 2:40 p.m.

Description

This analysis examines infostealer trends in August 2025, focusing on distribution volume, methods, and disguises. AhnLab's automated systems collect and analyze malware, providing real-time IOC services. Infostealers, often disguised as cracks, are distributed through SEO poisoning. Notable variants include LummaC2, ACRStealer, and Rhadamanthys. Distribution methods evolved from personal blogs to legitimate websites, bypassing search engine restrictions. Malware is primarily distributed as EXE files (89.7%) or through DLL side-loading (10.3%). Two significant trends emerged: mass distribution via Slack Marketplace and ACRStealer's domain masquerading technique, which now targets security company domains to evade detection.

Date

  • Created: Sept. 16, 2025, 1:40 p.m.
  • Published: Sept. 16, 2025, 1:40 p.m.
  • Modified: Sept. 16, 2025, 2:40 p.m.

Attack Patterns

  • ACRStealer
  • LummaC2
  • Rhadamanthys