ACRStealer Campaign Uses Trojanized Installers, Stolen ASUS Certificate, and Shared C2 Infrastructure
Breakglass Intelligence reported that ACRStealer is running an active credential-theft operation through multiple delivery chains, including a compromised .edu WordPress site and a trojanized Chris-PC RAM Booster installer. The malware uses a four-stage infection flow that progresses from PowerShell or installer-based execution to Go and .NET loaders, then decrypts and injects shellcode in memory. Researchers said newer samples introduced a previously undocumented .NET loader, CoreHubManager, a new 16-byte XOR key, AES-256-CBC shellcode decryption, and Heaven’s Gate WoW64 transitions to run x64 code from a 32-bit process. Payloads were also signed with a stolen ASUSTeK EV code-signing certificate, allowing binaries such as sunwukongs.exe to better evade SmartScreen and other trust controls.
Once installed, ACRStealer steals credentials, browser data, DPAPI-protected secrets, Windows Hello NGC keys, smart card certificates, Azure AD OAuth tokens, wallets, documents, and tokens from more than 200 applications, then exfiltrates the data over HTTPS. The malware also uses custom AFD socket operations and dead-drop resolvers hosted on Steam, Google Docs/Slides, and Telegram pages to retrieve command-and-control infrastructure. Breakglass mapped 17 C2 IPs in the newer cluster and 9 live C2 servers in the earlier campaign, with the larger set hosted by VDSINA, pointing to a concentrated infrastructure footprint. Researchers also found overlap with SectopRAT, AmateraStealer, NetSupport RAT, OffLoader, HijackLoader/IDATLoader, and ClickFix/FakeCAPTCHA chains, and said ACRStealer has been rebranded as AmateraStealer and marketed as a malware-as-a-service offering.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
SonicWall details ACRStealer as a Golang credential and wallet stealer
On 2026-04-14, SonicWall published a technical analysis describing ACRStealer as a stealthy Golang-based malware threat used to steal credentials and cryptocurrency wallet data. The report adds new technical characterization beyond the previously documented March 2026 campaign and infrastructure findings.
Researchers report ACRStealer variant with syscall evasion and TLS C2
By 2026-03-16, reporting described an ACRStealer variant that used syscall-based evasion techniques, communicated with command-and-control over TLS, and was capable of deploying secondary payloads. The reference indicates a meaningful evolution in the malware's tradecraft beyond the earlier March 2026 campaign and infrastructure findings.
Researchers map 17 ACRStealer C2 servers to a single VDSINA-hosted cluster
In the March 2026 follow-on analysis, researchers identified 17 command-and-control IPs used by the newer ACRStealer campaign and found they were all hosted by VDSINA. The report also stated that ACRStealer had been rebranded as AmateraStealer and was being marketed as a malware-as-a-service offering.
Fresh ACRStealer sample appears on MalwareBazaar via trojanized RAM Booster installer
On 2026-03-09, a new ACRStealer sample surfaced on MalwareBazaar masquerading as a Chris-PC RAM Booster installer. Researchers said the sample used a revised four-stage chain with a new XOR key, a previously undocumented .NET loader called CoreHubManager, AES-256-CBC shellcode decryption, and Heaven's Gate transitions for in-memory execution.
Breakglass documents active ACRStealer campaign and nine live C2 servers
By 2026-03-08, researchers reported an active ACRStealer (Arechclient2) credential-theft campaign using a four-stage PowerShell-to-Go infection chain, a compromised .edu WordPress site for payload hosting, and nine confirmed live command-and-control servers. The analysis also found abuse of a stolen ASUSTeK EV code-signing certificate and infrastructure overlap with SectopRAT and other malware families.
Sources
5 references tracked.
ACRStealer: The Silent Golang Threat Behind Credential and Wallet Theft (sonicwall.com)
Acreed Infostealer in 2026 (webz.io)
ACRStealer Variant Deploys Syscall Evasion, TLS C2, Secondary Payloads (gbhackers.com)
ACRStealer Returns: Trojanized RAM Booster Installer Delivers 4-Stage Loader with Heaven's Gate, AES-256 Shellcode Injection, and 17 C2 Servers on a Single Bulletproof Host (Breakglass Intelligence, intel.breakglass.tech)
ACRStealer Dissected: Decrypted Kill Chain, Stolen ASUS EV Certificate, and 9 Live C2 Servers Operating a Multi-Family Stealer Network (Breakglass Intelligence, intel.breakglass.tech)