Endgame Harvesting: Inside ACRStealer's Modern Infrastructure
Essential information
- Published
- 17/03/2026 10:55
- Modified
- 17/03/2026 11:18
- Tags
- 2026-03-17 acrstealer browser exploitation c2 communication data theft evasion gaming-malware hijackloader lummastealer maas syscalls
- Related entities
- 3 observables, 7 techniques (mitre), 3 malware, 4 others
Description
ACRStealer, a sophisticated Malware as a Service, has evolved with enhanced evasion techniques and C2 communication strategies. It employs low-level syscalls and AFD for stealthy operations, bypassing user-mode hooks. The malware uses layered communication, establishing raw TCP connections followed by SSL/TLS over SSPI. ACRStealer's data-stealing capabilities are extensive, targeting browsers, Steam accounts, and performing victim fingerprinting. It can execute secondary payloads and capture screenshots. The malware shows an active infection pattern in countries like the USA, Mongolia, and Germany, communicating with specific IP addresses and domains. Recent developments indicate a shift to LummaStealer, suggesting ongoing threat actor activities targeting gaming platforms and social media.