Endgame Harvesting: Inside ACRStealer's Modern Infrastructure

March 17, 2026, 11:18 a.m.

Description

ACRStealer, a sophisticated Malware-as-a-Service (MaaS) offering, has evolved with enhanced evasion techniques and C2 communication strategies. It issues low-level system calls directly and talks to the Ancillary Function Driver (AFD) for stealthy network operations, bypassing user-mode API hooks. The malware uses layered communication: it first establishes a raw TCP connection, then negotiates SSL/TLS over it through SSPI. ACRStealer's data-stealing capabilities are extensive, targeting browsers and Steam accounts and performing victim fingerprinting. It can execute secondary payloads and capture screenshots. The malware shows an active infection pattern in countries including the USA, Mongolia, and Germany, communicating with specific IP addresses and domains. Recent developments indicate a shift to LummaStealer, suggesting ongoing threat actor activity targeting gaming platforms and social media.

Date

  • Created: March 17, 2026, 10:55 a.m.
  • Published: March 17, 2026, 10:55 a.m.
  • Modified: March 17, 2026, 11:18 a.m.

Indicators

  • f88c6e267363bf88be69e91899a35d6f054ca030e96b5d7f86915aa723fb268b
  • 59202cb766c3034c308728c2e5770a0d074faa110ea981aa88f570eb402540d2
  • https://pivigames.blog/adbuho

Attack Patterns

  • HijackLoader
  • ACRStealer
  • Lumma Stealer

Additional Information

  • playtogga.com
  • Mongolia
  • Germany
  • United States of America