A sophisticated new version of ACRStealer has been identified, showcasing enhanced evasion techniques that elevate its threat level significantly. Initially uncovered by Proofpoint in early 2025 as an evolved form of Amatera Stealer, this variant boasts syscall evasion, encrypted command-and-control (C2) communication, and the potential to deliver secondary payloads. These improvements signal a concerted effort to advance the malware’s capabilities.
Malware-as-a-Service Model
ACRStealer operates as a Malware-as-a-Service (MaaS), allowing various threat actors to lease it for malicious campaigns. In its latest deployment, it is delivered as a final payload through HijackLoader, associated with the PiviGames distribution platform. The attack initiates when users on platforms like Steam, Discord, or Reddit are enticed to click on a malicious link, leading them to a redirection chain that ultimately downloads a malware-laden ZIP file disguised as legitimate software.
Technical Advancements in Evasion
This ACRStealer variant, discovered by G Data analysts during a HijackLoader investigation, showcases several technical enhancements. Unlike its predecessors that used a Dead Drop Resolver for C2 server addresses, this version employs native Windows kernel interfaces and encrypted channels, complicating detection efforts. Active infections have been noted in the United States, Mongolia, and Germany, with all instances reporting to a specific C2 server.
The variant’s data exfiltration is extensive, targeting browser credentials, session cookies, and gaming account information. It saves stolen data to a specific file before transmission to the C2 server. Additionally, it performs comprehensive system profiling, gathering data such as machine GUID and system architecture, which it compresses into an in-memory archive for transmission.
Network Communication and Detection Avoidance
Notably, this variant circumvents standard API monitoring by resolving necessary functions manually and executing system calls at the kernel level, bypassing user-mode hooks. On the network side, it constructs a raw TCP IPv4 socket, avoiding the Winsock library, and uses Microsoft’s SSPI framework for TLS handshakes, camouflaging its traffic as normal HTTPS activity.
Security measures should include monitoring low-level API usage and blocking identified C2 indicators. Users are advised against downloading files from unverified sources, particularly on gaming platforms. The evolving nature of this threat underscores the importance of robust security practices and awareness.
Stay updated by following us on Google News, LinkedIn, and X. Set CSN as a preferred source on Google for more immediate updates.
