
Leveraging its robust infrastructure, including proprietary malware collection, email honeypots, and real-time C2 monitoring, the company analyzed distribution trends showing that Infostealer threats overwhelmingly relied on cracked software as their primary disguise, while operators continuously experimented with distribution and evasion techniques.
New Variants Drive Persistent Malware Threats
During June 2025, the use of software cracks, keygens, and so-called “free” tool downloads remained the leading method of Infostealer delivery.
SEO poisoning techniques were widely deployed, allowing malicious posts masquerading as software cracks to appear prominently in internet searches.
According to the ASEC report, its automated systems proactively collected the majority of these newly emerging strains before they were even flagged on mainstream threat intelligence platforms such as VirusTotal.
Although the total quantity of Infostealer samples distributed using these methods decreased substantially compared to prior months, due mainly to a drop in LummaC2 activity, the overall threat remains significant, especially with the introduction and rapid proliferation of other variants.
A notable surge in modified ACRStealer samples characterized this period, marking a significant shift in the threat landscape.
ACRStealer, recognized as a Malware-as-a-Service (MaaS) offering since its debut last year, has recently exhibited advanced defense evasion and anti-analysis abilities.
The June variant uses NT functions for C2 communication, HTTP host domain spoofing to bypass detection, and techniques such as ntdll manual mapping and Heaven’s Gate for additional stealth.
The sophistication of these approaches, combined with the high distribution volume, underscores the growing capability and adaptability of Infostealer operators.
Additional details and technical deep-dives on these variants can be found in ASEC’s threat intelligence notes.
Attackers Exploit Legitimate Sites
Threat actors have also refined their use of legitimate forums, Q&A pages, company comment sections, and open bulletin boards to host malware-laden posts.
By piggybacking on the trust of these platforms, they achieve wider distribution while evading conventional security controls.
Two main distribution formats prevailed: standalone executable files (94.4% of cases) and the DLL-SideLoading technique (5.6%).
The latter involves pairing a malicious DLL with a legitimate executable; when the exe is run, it triggers the embedded malicious code.
While the use of DLL-SideLoading has diminished, ASEC cautions that these DLLs, crafted by subtly altering genuine DLL code, can be especially challenging for conventional detection tools to flag as malicious.
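A defender-side heuristic for the DLL-SideLoading pattern described above, added here as an example and not taken from ASEC's report or tooling: it walks a directory tree and flags any DLL whose file name matches a commonly hijacked Windows system DLL when it sits beside an executable outside the Windows system directories. The DLL name list and the sample directory tree are constructed for this example.

```python
import os
import tempfile
from pathlib import Path

# Names of Windows system DLLs that legitimate executables load from their
# own directory first, making them attractive for side-loading. This list is
# an assumption for the example and should be tuned to the environment.
COMMON_SIDELOAD_NAMES = {
    "version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll",
    "cryptbase.dll", "msimg32.dll", "propsys.dll", "dwmapi.dll",
}

# Directories where these DLL names are expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def find_sideload_candidates(root):
    """Return (exe_path, dll_path) pairs where a DLL named like a system DLL
    sits next to an executable outside the Windows system directories."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if dirpath.lower().startswith(SYSTEM_DIRS):
            continue  # legitimate home for these DLLs, skip
        exes = [f for f in filenames if f.lower().endswith(".exe")]
        dlls = [f for f in filenames if f.lower() in COMMON_SIDELOAD_NAMES]
        for exe in exes:
            for dll in dlls:
                findings.append((os.path.join(dirpath, exe),
                                 os.path.join(dirpath, dll)))
    return findings


def build_sample_tree():
    """Construct a temporary tree with one benign app directory and one
    directory showing the side-loading pairing (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="sideload_demo_")
    benign = Path(root, "Tools", "benign")
    benign.mkdir(parents=True)
    (benign / "tool.exe").write_bytes(b"MZ")
    (benign / "tool.dll").write_bytes(b"MZ")         # app's own DLL, not a system name
    suspicious = Path(root, "Downloads", "crack")
    suspicious.mkdir(parents=True)
    (suspicious / "setup.exe").write_bytes(b"MZ")    # legitimate-looking host exe
    (suspicious / "version.dll").write_bytes(b"MZ")  # system DLL name placed beside it
    return root


if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(build_sample_tree()):
        print(f"possible side-loading: {exe} would load {dll}")
```

The heuristic only flags a name collision; confirming a finding still requires checking the DLL's signature and hash against the genuine system copy.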
Further complicating the detection landscape, June also saw the emergence of social engineering schemes leveraging installer GUIs and overlay attacks.
In one campaign, executing the malware launched an installer window. If a victim clicked ‘Install,’ the malware would copy itself into system directories and set persistent autostart registry entries.
On subsequent reboots, an uncontrollable browser overlay would appear, falsely insisting a browser update was required.
Victims were redirected to seemingly legitimate download pages, though at the time of analysis the payload was a benign 7z installer, a tactic presumably designed to lull users into a false sense of security until a malicious payload is deployed.
Attackers also attempted to evade detection by embedding decompression passwords in image files within password-protected archives, frustrating automated analysis platforms with automatic password-extraction capabilities.
According to AhnLab, defenders should update detection strategies to track these latest trends and leverage real-time indicators of compromise (IOCs) for optimal protection.
Indicators of Compromise (IOC) Table
| Attribute | Value |
|---|---|
| MD5 Hash | 01542f203172d51d65bb37ce2cc2d813 |
| MD5 Hash | 0896888ab8c9278da66138d2a0c5e713 |
| MD5 Hash | 08a441a738a7a323abb97c576f619a22 |
| MD5 Hash | 09825dd40ba8ba3c1ce240e844d650a8 |
| MD5 Hash | 0b6eafed70b9b9f2ad5f8ef3047e0f91 |
The post Infostealers Hidden in Cracked Apps Dominate June 2025 Attack Landscape appeared first on Cyber Security News.
