ACRStealer Malware - New Variant Uses Advanced Evasion Tactics
Basically, a new version of malware is tricking gamers and stealing their login info more stealthily.
A new variant of ACRStealer is making waves with advanced evasion tactics. Targeting gamers, it steals sensitive login information while evading detection. Stay alert and protect your data!
What Happened
A new variant of ACRStealer has surfaced, showcasing upgraded capabilities that enhance its stealth and danger levels. Initially reported by Proofpoint in early 2025, this version is a rebranded iteration of the Amatera Stealer. It introduces advanced features such as low-level syscall evasion, encrypted command and control (C2) communication over TLS, and the ability to deliver secondary payloads. This evolution marks a significant leap in the malware’s development, indicating an actively maintained threat.
ACRStealer is marketed as Malware-as-a-Service (MaaS), allowing various threat actors to rent it for their malicious campaigns. In this operation, it is delivered as a final payload through HijackLoader, a sophisticated loader associated with the PiviGames distribution platform. Users on gaming platforms like Steam or Discord are lured into clicking malicious links that lead to a ZIP archive containing the disguised malware.
Who's Being Targeted
The updated ACRStealer variant targets a wide array of sensitive data, including browser credentials, session cookies, and login details from multiple browsers. Notably, it now also aims for Steam gaming account credentials, a target not previously seen in earlier ACRStealer campaigns. Infections have been confirmed in countries such as the United States, Mongolia, and Germany, with all samples communicating back to a specific C2 address.
The malware collects extensive system information, including machine GUID, username, and architecture, before packaging everything into an in-memory ZIP archive. This data is then sent to the C2 server, making the malware's data-stealing capabilities particularly concerning for users, especially gamers who may be unaware of the threat.
Signs of Infection
One of the most alarming features of this variant is its ability to evade detection at the API level. Instead of using common Win32 APIs, it locates ntdll.dll through the Process Environment Block (PEB) and executes system calls at the kernel level. This clever method allows the malware to bypass user-mode hooks that many security products rely on.
On the network side, ACRStealer avoids standard Winsock libraries, manually constructing TCP connections and disguising its traffic as normal HTTPS activity. This approach not only enhances its stealth but also complicates detection efforts by security teams. The malware can send data in either plaintext or AES-256 encrypted form, depending on its configuration, making it resilient against disruptions.
How to Protect Yourself
To safeguard against this evolving threat, security teams should monitor for unusual low-level API usage, particularly involving NtCreateFile and AFD-based network connections. Blocking known C2 indicators and enabling behavioral detection for process hollowing via rundll32.exe is crucial. Users are advised to refrain from downloading files from unverified links shared on gaming platforms or social media.
By staying vigilant and employing robust security measures, users can better protect themselves from the risks posed by this advanced malware variant.
Cyber Security News