May 2026 Infostealer Trend Report
June 18, 2026, 8:35 p.m.
Description
This analysis covers infostealer distribution trends observed during May 2026, based on automated collection systems and diagnostic logs. Distribution occurred primarily through illegal software disguised as cracks and keygens, as well as email campaigns. ACRStealer, Remus, and LummaC2 were most prevalent, with distribution via domains including Mediafire and AWS S3 buckets. Microsoft was the most impersonated company, followed by Auslogics and NVIDIA. EXE files represented 78.9% of execution types, while DLL side-loading accounted for 21.1%. macOS environments saw ClickFix techniques and malicious Bash scripts, with 142 scripts and 12 C2 domains identified. Email campaigns distributed AgentTesla and DarkCloud. Remus showed significant growth, comprising 36% of distributions. LummaC2 remained the most prevalent overall variant.
Date
- Created: June 18, 2026, 2:53 p.m.
- Published: June 18, 2026, 2:53 p.m.
- Modified: June 18, 2026, 8:35 p.m.
Indicators