ACRStealer Malware Abuses Google Docs as C2 to Steal Login Credentials


The ACRStealer malware, an infostealer disguised as illegal software such as cracks and keygens, has seen a significant increase in its distribution since the beginning of 2025.

Initially distributed in limited volumes in mid-2024, this malware has now gained traction, with February’s activity levels matching those of January, signaling a sharp upward trend.

Security researchers from AhnLab Security Intelligence Center (ASEC) have identified its use of Google Docs as an intermediary command-and-control (C2) platform, a novel tactic that sets it apart from other infostealers.

Exploiting Google Docs for C2 Communication

ACRStealer employs a sophisticated technique known as Dead Drop Resolver (DDR), leveraging legitimate web platforms like Google Docs to mask its malicious operations.

Threat actors encode the actual C2 domain using Base64 and embed it within specific pages on platforms such as Google Docs Forms and Presentations.

Figure: Google Docs (Forms) used as an intermediary C2

The malware accesses these pages, decodes the information, and retrieves the actual C2 address to execute malicious activities.

This intermediary C2 approach has also been observed in other malware families like Vidar and LummaC2.

Unlike traditional methods, ACRStealer demonstrates flexibility by continuously altering the platforms and locations where C2 strings are embedded.

For instance, while earlier versions used visible areas on Steam pages, recent samples hide these strings within metadata fields like “summary,” making them accessible only through the page source.

This adaptability suggests that threat actors will continue to exploit diverse platforms for intermediary C2 operations.
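The dead-drop pattern described above (a Base64-encoded C2 hostname planted in a page's visible text or, in newer samples, in a metadata field such as "summary") can be hunted for from the defender's side by scanning the raw page source rather than the rendered view. The following is an added example, not code from this article or from ASEC; the page source and the decoded hostnames are constructed placeholders.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed sample of a dead-drop page source: one Base64 token is planted in a
# metadata attribute, another in visible text. The decoded hostnames are
# placeholders under example.com/.net, not real infrastructure.
SAMPLE_PAGE_SOURCE = """
<html><head>
<meta property="og:description" content="bWFsaWNpb3VzLWMyLmV4YW1wbGUuY29t">
</head><body>
<div class="summary">Quarterly notes</div>
<p>Update: aGlkZGVuLWMyLmV4YW1wbGUubmV0</p>
<p>Short runs such as YWJj are ignored by the token regex.</p>
</body></html>
"""

# A standalone run of 12+ Base64 characters with optional padding.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")
# Loose hostname shape: dotted labels of letters, digits and hyphens, 2+ letter TLD.
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

def decode_candidate(token: str) -> Optional[str]:
    """Strictly Base64-decode a token; return printable ASCII text or None."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def find_dead_drop_domains(page_source: str) -> List[Tuple[str, str]]:
    """Return (token, hostname) pairs for Base64 tokens that decode to a hostname.

    Works on the raw page source so that strings hidden in metadata fields
    are examined alongside visible text.
    """
    hits = []
    for token in B64_TOKEN.findall(page_source):
        decoded = decode_candidate(token)
        if decoded and HOSTNAME.match(decoded.strip()):
            hits.append((token, decoded.strip()))
    return hits

if __name__ == "__main__":
    for token, host in find_dead_drop_domains(SAMPLE_PAGE_SOURCE):
        print(f"{token} -> {host}")
```

Any hit is a candidate for review, not a verdict: legitimate pages occasionally carry Base64 that happens to decode to a hostname, so pair this with the page's reputation and the process that fetched it.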

Targeted Data and Advanced Exfiltration Techniques

Once operational, ACRStealer retrieves configuration data from its C2 server using a hardcoded UUID format.

This configuration file specifies the types of data to be exfiltrated, including browser credentials, cryptocurrency wallets, FTP server information, email client data, VPN details, password manager files, and more.

Figure: Network behavior

The stolen data is compressed into ZIP files before being transmitted to the C2 server.

The malware targets a wide range of programs and file types, including popular browsers (e.g., Chrome, Firefox), cryptocurrency wallets (e.g., MetaMask, Trust Wallet), remote access tools (e.g., AnyDesk), and password managers (e.g., LastPass).

Additionally, it extends its reach to browser extensions and plugins associated with cryptocurrency and authentication services.

The increasing distribution of ACRStealer highlights its growing threat to users worldwide. By exploiting trusted platforms like Google Docs for malicious purposes, the malware evades traditional detection mechanisms.

Users are strongly advised to avoid downloading illegal software from untrustworthy sources and remain vigilant against suspicious online activities.

As cybercriminals continue to refine their tactics, organizations must adopt proactive measures to detect and mitigate such threats effectively.
