Cracked Apps Delivering Infostealers Identified as Leading Attack Vector in June 2025
The AhnLab Security Intelligence Center (ASEC) published a thorough analysis in June 2025 that identified infostealer malware masquerading as keygens and cracked software as a primary attack vector.
This malware uses advanced search engine optimization (SEO) poisoning to elevate malicious distribution sites in search results.
ASEC’s automated malware collection systems, including crack monitoring, email honeypots, and C2 (Command and Control) analysis tools, have enabled proactive threat mitigation by gathering samples in real-time, extracting C2 indicators, and disseminating them via the ATIP IOC service.
This infrastructure not only automates maliciousness determination but also integrates with platforms like VirusTotal for broader threat intelligence sharing, allowing security teams to block C2 communications preemptively.
Automated Intelligence
The report highlights a notable shift in infostealer diversity, with LummaC2 maintaining high distribution volumes but facing competition from variants like Rhadamanthys, ACRStealer, Vidar, and StealC, particularly a newly modified ACRStealer that surged due to its enhanced evasion techniques.
Annual distribution data reveals a sharp decline in June’s infostealer volumes compared to prior months, attributed largely to reduced LummaC2 activity, though ASEC’s systems collected most samples before their VirusTotal availability, underscoring the efficacy of automated responses.
Threat actors are increasingly exploiting legitimate websites such as forums, Q&A boards, and company comment sections for posting deceptive links, bypassing traditional security perimeters.
Evasion Tactics Revealed
Execution methods predominantly favor direct EXE formats (94.4% of cases), with a smaller fraction (5.6%) employing DLL side-loading, where a malicious DLL is paired with a benign, signed executable so that the loader's normal dynamic-linking behavior runs the attacker's code.
This technique, involving minimal modifications to legitimate DLLs, often evades detection by mimicking original file signatures, highlighting the need for advanced behavioral analysis in security solutions.
Emerging trends in June include the proliferation of a modified ACRStealer variant, operating as a Malware-as-a-Service (MaaS) since 2024, which incorporates NT function calls for C2 communication, HTTP host domain spoofing to mask traffic, and anti-analysis mechanisms like ntdll manual mapping and Heaven’s Gate for cross-architecture evasion.

Detailed in ASEC Notes, this variant’s active modifications demand heightened vigilance.
Additionally, a novel infostealer variant deviates from standard patterns by presenting a fake installer interface that copies itself to “C:\Program Files (x86)\Windows NT\TableTextService\svchost.exe” and registers auto-execution via HKCU\Software\Microsoft\Windows\CurrentVersion\Run [TableTextServiceStartup].
Upon reboot, it overlays uncontrollable windows on browsers, coercing users into downloading purported updates from phishing sites mimicking legitimate software like Opera, potentially delivering further payloads under conditional triggers.
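As an added example (not code from the ASEC report or this article), the following Python check audits HKCU Run values for the persistence pattern described above. The value name and file path are taken from the report; the sample Run entries and the allowlist of directories where a genuine svchost.exe lives are constructed for the example.

```python
import ntpath
import re

# Persistence indicator from the ASEC report: a Run value named
# "TableTextServiceStartup" launching a fake svchost.exe from
# C:\Program Files (x86)\Windows NT\TableTextService\.
REPORTED_VALUE_NAME = "TableTextServiceStartup"
REPORTED_PATH = r"c:\program files (x86)\windows nt\tabletextservice\svchost.exe"

# Directories where a genuine svchost.exe resides (constructed allowlist for this example).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def extract_exe_path(command: str) -> str:
    """Return the executable path from a Run-value command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted form: the path ends at the first ".exe" followed by whitespace or end of string.
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def assess_run_entry(value_name: str, command: str) -> list[str]:
    """Return the reasons this Run entry resembles the reported persistence (empty if none)."""
    reasons = []
    exe_norm = extract_exe_path(command).lower()
    directory, basename = ntpath.split(exe_norm)
    if value_name == REPORTED_VALUE_NAME:
        reasons.append("run value name matches reported indicator")
    if exe_norm == REPORTED_PATH:
        reasons.append("executable path matches reported indicator")
    if basename == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
        reasons.append(f"svchost.exe outside System32/SysWOW64: {directory}")
    return reasons


def find_suspicious_run_entries(entries):
    """entries: iterable of (value_name, command). Returns {value_name: reasons} for hits."""
    hits = {}
    for name, cmd in entries:
        reasons = assess_run_entry(name, cmd)
        if reasons:
            hits[name] = reasons
    return hits


# Constructed sample of HKCU Run values (not real registry data).
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("TableTextServiceStartup", r'"C:\Program Files (x86)\Windows NT\TableTextService\svchost.exe"'),
    ("Updater", r"C:\Users\alice\AppData\Roaming\svchost.exe -silent"),
]

if __name__ == "__main__":
    for name, reasons in find_suspicious_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the entries would be read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run (for instance with winreg); the third check also catches svchost.exe lookalikes at paths the report does not list.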
Another evasion innovation involves embedding decompression passwords in image files within password-protected archives, thwarting automated security tools reliant on text-based password extraction.
The report urges organizations to reference ATIP for comprehensive statistics on disguise targets, industry impacts, phishing integrations, and detected products, emphasizing the evolving sophistication of infostealers in cracked app ecosystems.
Indicators of Compromise (IOCs)