216.73.216.215

Endgame Harvesting: Inside ACRStealer's Modern Infrastructure

· Published 17/03/2026 10:55 · Modified 17/03/2026 11:18

Export JSON

Essential information

Published
17/03/2026 10:55
Modified
17/03/2026 11:18
Tags
2026-03-17 acrstealer browser exploitation c2 communication data theft evasion gaming-malware hijackloader lummastealer maas syscalls
Related entities
3 observables, 7 techniques (mitre), 3 malware, 4 others

Description

, a sophisticated Malware as a Service, has evolved with enhanced techniques and strategies. It employs low-level and AFD for stealthy operations, bypassing user-mode hooks. The malware uses layered communication, establishing raw TCP connections followed by SSL/TLS over SSPI. 's data-stealing capabilities are extensive, targeting browsers, Steam accounts, and performing victim fingerprinting. It can execute secondary payloads and capture screenshots. The malware shows an active infection pattern in countries like the USA, Mongolia, and Germany, communicating with specific IP addresses and domains. Recent developments indicate a shift to , suggesting ongoing threat actor activities targeting gaming platforms and social media.

External references