FOCUS MODE
EXTRACT IOC
Threat Research

February 2025 Infostealer Trend Report

Ahnlab
February 2025 Infostealer Trend Report
This report discusses the statistics, trends, and methodologies of distributing Infostealer malware, particularly focusing on techniques such as SEO-Poisoning and disguising malware as illegal programs. Threat actors have adapted their strategies to utilize various distribution platforms, which has been analyzed by AhnLab Security Intelligence Center. The report outlines notable trends in the distribution of specific variants and highlights the importance of recognizing these threats. Affected: Infostealer malware, AhnLab Security Intelligence Center, users downloading software

Keypoints :

  • AhnLab SEC collects and analyzes malware using automated systems.
  • Infostealers are being disguised as cracks and keygens to evade detection.
  • SEO-Poisoning is a primary method used for distributing Infostealers.
  • Recent notable Infostealers include Vidar, Cryptbot, Redline, Raccoon, and StealC.
  • Threat actors share distribution articles on legitimate websites and forums.
  • Malware is being distributed through file hosting services and cloud platforms like Box.
  • Distribution of DLL-SideLoading disguises has shifted to single EXE files.
  • Vidar Infostealer is making a comeback in distributions, utilizing a new execution type that needs user interaction.
  • Recent statistics and trends indicate a significant increase in malware distribution since the second quarter of the year.

MITRE Techniques :

  • Malware Distribution (T1203) – Malware is distributed disguised as cracks and keygens to bypass detection.
  • Credential Dumping (T1003) – Extracting stored credentials as part of the Infostealer functionality.
  • Phishing (T1566) – Infostealers are linked to phishing attempts through malicious email campaigns.
  • Command and Control (T1071) – The use of C2 servers for controlling malware operations and data exfiltration.
  • Exploitation of Public-Facing Application (T1190) – Distribution tactics involve legitimate websites which serve as platforms for malware distribution.

Indicator of Compromise :

  • [MD5] 0db4a9645adaa4fc99fb4605c30e62ce
  • [MD5] 153114eb60fde3e126fd45c49f083b3a
  • [MD5] 1e3cc411b33dc1191513bada2e240d87
  • [MD5] 23822c931f6e5738646b2def6e79f926
  • [MD5] 258456997a399f614dd773f1e2aee9c9
  • [Domain] www.zeniore.xyz

Full Story: https://asec.ahnlab.com/en/86766/

Tags: EXFILTRATION, CREDENTIAL, PHISHING, PASSWORD, CLOUD, COLLECTION, EMAIL