Malware

Acreed

Acreed is an information-stealing malware family that gained rapid traction among cybercriminals in 2025. It is described as an infostealer and, in one source, as a newly discovered spyware toolkit spreading at a high rate over the internet. Reporting states it was first advertised on Russian Market in February 2025 by a user named "Nu####ez" and is assessed to be a private project. Multiple sources indicate Acreed quickly rose to prominence in the infostealer ecosystem: by Q1 2025 it had surpassed many established stealers, ranked second only to Lumma in some reporting, and was listed among the top infostealers alongside Lumma, Rhadamanthys, Vidar, and StealC. Flashpoint reported Acreed was among the top five infostealers by infected hosts in 2025, and other reporting described it as the third most prevalent infostealer, with links to Vidar. The provided content does not include specific technical details on Acreed’s internal functionality, infection chain, targeted sectors, or concrete indicators of compromise.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Credential Access

3 techniques

T1110.004Credential StuffingEvidence1

“...test stolen credentials across multiple services, and adjust tactics based on failed attempts without human input.” / “stolen credentials could be tested against thousands of endpoints simultaneously, including corporate VPNs, SaaS providers, and cloud services…”

T1539Steal Web Session CookieEvidence1

“Attackers are using stolen session cookies to authenticate as legitimate users, bypassing traditional perimeter defenses…”

T1555Credentials from Password StoresEvidence1

“Infostealers infected 11.1 million machines in 2025, producing a stockpile of 3.3 billion stolen credentials, session cookies, cloud tokens…”

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

help net securityNews

Mar 12, 2026

Agentic attack chains advance as infostealers flood criminal markets - Help Net Security

An infostealer listed among the most active by infected hosts in 2025.

sherpa intelligenceNews

Nov 3, 2025

What'd I Miss? InfoSec Weekend News Roundup for October 31 - November 2, 2025

A newly discovered spyware toolkit that spreads rapidly via emails disguised as genuine messages or software updates, silently installing itself on compromised machines.

the hacker newsNews

Oct 13, 2025

⚡ Weekly Recap: WhatsApp Worm, Critical CVEs, Oracle 0-Day, Ransomware Cartel & More

Information stealer malware gaining popularity in 2025, used to collect credentials and sensitive data.

the hacker newsNews

Oct 3, 2025

Rhadamanthys Stealer Evolves: Adds Device Fingerprinting, PNG Steganography Payloads

An information stealer mentioned as a more recent MaaS stealer in the same ecosystem as Rhadamanthys.

+3 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.