Cybersecurity researchers have uncovered a significant escalation in the activity of ACRStealer, a potent infostealer that has begun abusing legitimate platforms such as Google Docs as intermediary command-and-control (C2) infrastructure.
Initially identified in mid-2024, ACRStealer has seen a surge in distribution during 2025, leveraging its Malware-as-a-Service (MaaS) model to enable widespread deployment by cybercriminals.
The malware is primarily distributed through phishing emails, malicious attachments, compromised websites, and pirated software disguised as cracks and keygens.
Unlike traditional infostealers, which hardcode their C2 addresses in the binary, ACRStealer employs a technique known as Dead Drop Resolver (DDR).

Rather than embedding the C2 domain, the malware ships with the address of a page on a trusted platform such as Google Docs, Steam, or telegra.ph, where the operators have posted the C2 domain as a Base64-encoded string.
On execution the malware fetches that page, extracts and decodes the string, and only then connects to the actual C2 server. Because the hosted text can be edited at any time, the real infrastructure can be rotated without rebuilding or redistributing the malware, and the initial lookup is a request to a reputable domain that blends in with ordinary traffic, which is what lets it evade detection.
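To make the dead-drop flow concrete, here is an added Python example; it is not ACRStealer's code and not taken from ASEC's report. It Base64-encodes a C2 domain the way an operator would post it, then plays the resolver side: pulling every Base64-looking token out of page text, decoding it (repairing stripped padding), and keeping only tokens that decode to a syntactically valid hostname, so decoys and ordinary words are discarded. The page snippets, the reserved example domains and the padding-stripped token are all constructed for this example.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed stand-ins for the text a resolver would pull from a document,
# a profile page or a telegra.ph post. Not real ACRStealer drops; the domains
# are reserved example names. The "steam" page carries a decoy that is valid
# Base64 but not a hostname, followed by a token with its "=" padding stripped.
SAMPLE_DROP_PAGES = {
    "docs": "Quarterly planning notes\nY29udHJvbC5leGFtcGxlLm5ldA==\nReviewed by the team on Monday.",
    "steam": "Profile bio: aGVsbG8gd29ybGQ= | c2VydmVyLWIuZXhhbXBsZS5vcmc",
}

# Runs of Base64 alphabet characters long enough to hold a hostname.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

# RFC 1035-style hostname: labels of letters, digits and inner hyphens, plus a TLD.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def encode_dead_drop(domain: str) -> str:
    """Operator side: the string that gets pasted into the hosted page."""
    return base64.b64encode(domain.encode("ascii")).decode("ascii")


def _strict_b64decode(token: str) -> Optional[bytes]:
    """Decode one token, repairing stripped padding; None if it is not Base64."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_candidates(page_text: str) -> list:
    """Resolver side: every token in the page that decodes to a hostname."""
    domains = []
    for token in B64_TOKEN.findall(page_text):
        raw = _strict_b64decode(token)
        if raw is None:
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary garbage or an ordinary word, not a hostname
        if HOSTNAME.match(text):
            domains.append(text.lower())
    return domains


def resolve_c2(pages: dict) -> Optional[str]:
    """Walk the drop locations in order and return the first usable C2 domain."""
    for text in pages.values():
        for domain in decode_candidates(text):
            return domain
    return None


if __name__ == "__main__":
    print(encode_dead_drop("control.example.net"))
    for name, text in SAMPLE_DROP_PAGES.items():
        print(name, decode_candidates(text))
    print("resolved:", resolve_c2(SAMPLE_DROP_PAGES))
```

The hostname check is what makes the resolver robust against the surrounding page text: "Quarterly" and "Reviewed" are long enough to look like Base64, but one has an impossible padding length and the other decodes to non-ASCII bytes, so neither survives. A defender can run `decode_candidates` over the content of any suspicious document or profile to recover the domain the sample would have connected to, without executing the malware.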
Expanding Capabilities and Data Exfiltration Targets
Once deployed on an infected system, ACRStealer is capable of harvesting a wide range of sensitive data.
This includes browser credentials, cryptocurrency wallets, text files, FTP server details, chat logs, email client data, remote access program information, password manager credentials, VPN configurations, and even database details.

The stolen information is compressed into ZIP files and transmitted to the attacker’s server for exploitation or sale on the dark web.
The malware is not tied to a single intermediary: the same dead-drop technique is applied across several services.
For instance, encoded C2 domains are hosted not only in Google Docs documents but also in Google Forms and Google Docs presentations.
According to ASEC, this approach not only disguises malicious activity as ordinary traffic to Google but also lets attackers change their infrastructure dynamically by simply updating the hosted content, with no change to the malware itself.
Challenges in Detection
ACRStealer's use of legitimate services like Google Docs for intermediary C2 operations presents significant challenges for cybersecurity defenses.
Outgoing requests to trusted domains such as docs.google.com are less likely to trigger alarms in traditional monitoring systems, and blocking those domains outright is rarely an option for an organization that depends on them. Detection therefore has to rely on context rather than on the destination alone: which process made the request, whether that process normally talks to the service, and what connection follows the lookup.
This stealthy behavior underscores the growing trend of cybercriminals weaponizing widely used platforms to bypass detection mechanisms.
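As an added example, and not detection content from ASEC or from the ACRStealer report, the following Python implements that context-based check over a few constructed EDR-style network events. It flags any process outside an allowlist of browsers and the Steam client that contacts a known dead-drop host, and then flags a direct-to-IP connection from the same process shortly afterwards, which is where the decoded C2 would appear. The event format, the allowlist, the 120-second follow-on window and steamcommunity.com as the host behind "Steam" are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Dead-drop hosts named in the report (steamcommunity.com is assumed for "Steam").
DEAD_DROP_HOSTS = {"docs.google.com", "steamcommunity.com", "telegra.ph"}

# Processes expected to contact those hosts on a managed workstation (assumed; tune per estate).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "steam.exe"}

# How long after a dead-drop lookup a follow-on connection is still treated as related.
FOLLOW_ON_WINDOW = timedelta(seconds=120)

EVENT = re.compile(
    r"ts=(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+"
    r"image=(?P<image>.+?)\s+dst=(?P<dst>\S+)$"
)
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed EDR-style network events (not real telemetry). 203.0.113.45 is a
# documentation-range address standing in for a resolved C2 server.
SAMPLE_EVENTS = r"""
ts=2025-03-03T09:12:01Z host=WS01 pid=4412 image=C:\Program Files\Google\Chrome\Application\chrome.exe dst=docs.google.com
ts=2025-03-03T09:12:05Z host=WS01 pid=4412 image=C:\Program Files\Google\Chrome\Application\chrome.exe dst=mail.google.com
ts=2025-03-03T09:14:10Z host=WS07 pid=6120 image=C:\Users\alice\AppData\Local\Temp\keygen.exe dst=docs.google.com
ts=2025-03-03T09:14:12Z host=WS07 pid=6120 image=C:\Users\alice\AppData\Local\Temp\keygen.exe dst=steamcommunity.com
ts=2025-03-03T09:14:40Z host=WS07 pid=6120 image=C:\Users\alice\AppData\Local\Temp\keygen.exe dst=203.0.113.45
ts=2025-03-03T09:20:00Z host=WS02 pid=3300 image=C:\Program Files (x86)\Steam\steam.exe dst=steamcommunity.com
"""


def parse_events(text: str) -> list:
    """Parse the key=value lines; malformed lines are skipped rather than trusted."""
    events = []
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["pid"] = int(e["pid"])
        e["exe"] = e["image"].rsplit("\\", 1)[-1].lower()
        events.append(e)
    return events


def _alert(e: dict, reason: str) -> dict:
    return {"ts": e["ts"].isoformat(), "host": e["host"], "pid": e["pid"],
            "exe": e["exe"], "dst": e["dst"], "reason": reason}


def detect(text: str) -> list:
    """Return one alert per suspicious event, in time order."""
    alerts = []
    last_lookup = {}  # (host, pid) -> time of that process's last flagged dead-drop contact
    for e in sorted(parse_events(text), key=lambda ev: ev["ts"]):
        key = (e["host"], e["pid"])
        if e["dst"] in DEAD_DROP_HOSTS:
            # Browsers and the Steam client are expected here; anything else is not.
            if e["exe"] not in EXPECTED_PROCESSES:
                alerts.append(_alert(e, "unexpected process contacted dead-drop host"))
                last_lookup[key] = e["ts"]
            continue
        lookup_ts = last_lookup.get(key)
        if (lookup_ts is not None
                and e["ts"] - lookup_ts <= FOLLOW_ON_WINDOW
                and IP_LITERAL.match(e["dst"])):
            alerts.append(_alert(e, "direct-to-IP connection shortly after dead-drop lookup (likely resolved C2)"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample, Chrome and the Steam client contacting their own services produce nothing, while the executable running from a Temp directory is flagged three times: twice for the dead-drop lookups and once for the bare-IP connection 28 seconds later. The follow-on rule only arms after a flagged lookup, so a browser that legitimately reaches a raw IP after visiting Google Docs does not trip it; the trade-off is that a stealer injected into a browser process would need a different signal, such as the parent process or module load telemetry.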
To mitigate the risks posed by ACRStealer and similar threats, experts recommend several proactive measures:
- Avoid downloading software from untrusted sources or using pirated programs.
- Implement multi-factor authentication (MFA) wherever possible.
- Regularly update anti-malware solutions capable of detecting behavioral anomalies.
- Exercise caution with unsolicited emails and attachments.
The rise of ACRStealer highlights the evolving tactics employed by cybercriminals to exploit legitimate platforms for malicious purposes.
Its MaaS model ensures that even low-skill attackers can deploy this malware effectively.
As distribution volumes continue to increase, particularly via trusted services like Google Docs, organizations must remain vigilant and adopt robust security practices to counteract these advanced threats.