Cybercriminals Widely Using Acreed Infostealer with C2 through Steam Platform

Researchers have uncovered 18 distinct samples of Acreed, an advanced infostealer rapidly gaining favor among cybercriminal networks.

Acreed’s architecture is notable for its innovative command-and-control (C2) retrieval mechanism, which leverages both the BNB Smartchain Testnet and the Steam gaming platform as dead-drop resolvers.

By embedding encrypted instructions within blockchain transactions and legitimate Steam API calls, threat actors ensure resilient C2 communications that blend seamlessly with benign network traffic.

Innovative C2 Retrieval via Blockchain and Steam

Acreed’s loader component initiates stealthy calls to the BNB Smartchain Testnet, querying specific smart contract addresses where the actor stores fragments of encrypted C2 domain names. The fragments are concatenated and then decrypted locally using XOR keys hardcoded in the malware.

If blockchain responses fail or data integrity checks do not match expected patterns, the loader pivots to the Steam Web API. It fetches user profile data, specifically profile descriptions and comments, where identical encrypted fragments are hidden.

This redundancy complicates takedown efforts, forcing defenders to monitor both a public blockchain testnet and a high-volume gaming service. The use of dual dead-drop resolvers represents a significant escalation in C2 resiliency and stealth.

Infrastructure Overlap with Vidar Ecosystem

Reverse engineering across the 18 samples revealed three active C2 domains following XOR decryption:

  • acreed-update[.]tech
  • smart-chain-node[.]info
  • steam-data-hub[.]com

Network tracing of steam-data-hub[.]com uncovered a real IP address associated with hosting infrastructure known to serve Vidar malware. This overlap suggests either shared infrastructure among distinct criminal groups or a deliberate evolution of Vidar resources under a new branding.

The latter theory implies a well-funded, organized actor capable of rapidly repurposing existing assets to evade detection.

Intrusion analysts warn that such infrastructure reuse enables quick redeployment of malicious services and increases the likelihood of lateral movement across compromised networks.

Cryptocurrency Theft and CTI Response

Acreed’s JavaScript payloads include sophisticated modules for cryptocurrency theft. These scripts enumerate installed wallet applications and browser extensions, such as MetaMask, Phantom, and Coinbase Wallet, and inject code that intercepts private key exports or JSON-RPC requests.

Once credentials are exfiltrated, automated withdrawal routines execute transactions on targeted blockchain networks, draining victims’ funds. The use of JS-based exfiltration allows the malware to operate within the browser context, complicating detection by traditional endpoint defenses.

Intrinsec’s Cyber Threat Intelligence (CTI) service played a crucial role in exposing Acreed’s capabilities.

By correlating SOC and MDR telemetry with reverse-engineering outputs, Intrinsec analysts produced actionable intelligence feeds, including YARA rules for detection, domain and IP blocklists, and behavioral indicators tied to Steam API patterns.
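A detection sketch for the dual dead-drop pattern described earlier (BNB testnet RPC call followed by a Steam Web API call from the same process) and for the three decrypted C2 domains, added here as an example and not Intrinsec's or the article's own code. It assumes a constructed proxy-log format, that the testnet RPC endpoint lives under binance.org, and that Steam profile lookups go to api.steampowered.com or steamcommunity.com; the article names the services, not these hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Defanged C2 domains reported in the article, refanged here for matching.
ACREED_C2 = {d.replace("[.]", ".") for d in (
    "acreed-update[.]tech", "smart-chain-node[.]info", "steam-data-hub[.]com")}
# Assumed resolver hosts: the article names the services, not the endpoints.
BNB_TESTNET_RPC = re.compile(r"(^|\.)binance\.org$")  # e.g. data-seed-prebsc-*.binance.org
STEAM_API_HOSTS = {"api.steampowered.com", "steamcommunity.com"}
STEAM_PROCESSES = {"steam.exe", "steamwebhelper.exe"}  # expected Steam API clients
WINDOW = timedelta(minutes=5)  # how close the RPC-then-Steam fallback must be
LOG_RE = re.compile(r"^(\S+ \S+) host=(\S+) proc=(\S+) dst=(\S+) path=(\S+)$")

def parse(line):
    """Parse one constructed proxy-log line into (ts, host, proc, dst, path)."""
    if not (m := LOG_RE.match(line)):
        return None
    ts, host, proc, dst, path = m.groups()
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, proc.lower(), dst.lower(), path

def detect(lines):
    """Return {host: [reasons]} for hosts showing Acreed-style C2 retrieval."""
    alerts, events = defaultdict(list), defaultdict(list)
    for ts, host, proc, dst, _ in filter(None, map(parse, lines)):
        if dst in ACREED_C2:  # direct hit on the published blocklist
            alerts[host].append(f"known Acreed C2 {dst} from {proc}")
        events[host].append((ts, proc, dst))
    for host, evs in events.items():
        evs.sort()
        for i, (ts, proc, dst) in enumerate(evs):
            if not BNB_TESTNET_RPC.search(dst) or proc in STEAM_PROCESSES:
                continue
            # Fallback pattern: same process hits the BNB testnet RPC, then the Steam API.
            for ts2, proc2, dst2 in evs[i + 1:]:
                if ts2 - ts > WINDOW:
                    break
                if proc2 == proc and dst2 in STEAM_API_HOSTS:
                    alerts[host].append(f"{proc}: BNB testnet RPC then Steam API within {WINDOW}")
                    break
    return dict(alerts)

# Constructed sample telemetry (not from the article).
SAMPLE_LOG = """\
2024-05-01 10:00:01 host=WS-17 proc=steam.exe dst=api.steampowered.com path=/ISteamUser/GetPlayerSummaries/v2/
2024-05-01 10:02:10 host=WS-42 proc=updater.exe dst=data-seed-prebsc-1-s1.binance.org path=/
2024-05-01 10:02:14 host=WS-42 proc=updater.exe dst=api.steampowered.com path=/ISteamUser/GetPlayerSummaries/v2/
2024-05-01 10:03:30 host=WS-42 proc=updater.exe dst=steam-data-hub.com path=/gate
""".splitlines()
```

Running `detect(SAMPLE_LOG)` flags only WS-42, once for the blocklisted domain and once for the RPC-then-Steam sequence from updater.exe; the legitimate Steam client on WS-17 is left alone.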

The CTI offering extends to risk anticipation feeds that integrate with EDR, XDR, and SIEM platforms, as well as digital risk monitoring for data leak detection, external asset security monitoring (EASM), and brand protection.

These services empower organizations to proactively adapt defenses against increasingly sophisticated infostealers and mitigate potential compromises at early stages.

The post Cybercriminals Widely Using Acreed Infostealer with C2 through Steam Platform appeared first on Cyber Security News.
