{
  "Event": {
    "analysis": "1",
    "date": "2026-03-12",
    "extends_uuid": "",
    "info": "[Threat Intel] Endgame Harvesting: Inside ACRStealer's Modern Infrastructure",
    "protected": false,
    "publish_timestamp": "1774245792",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1774245792",
    "uuid": "904aac85-1abe-4629-8804-c9bb013d2fec",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#6af4de",
        "local": false,
        "name": "misp-galaxy:producer=\"G DATA\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#36a9d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#5ed128",
        "local": false,
        "name": "misp-galaxy:target-information=\"Germany\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Mongolia\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003f",
        "local": false,
        "name": "rectifyq:sub-category=\"tool-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Lumma Stealer\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773802814",
        "to_ids": false,
        "type": "link",
        "uuid": "749f2477-5f5a-4b94-ae0f-ec7e648cba10",
        "value": "https://blog.gdatasoftware.com/2026/03/38385-acr-stealer-infrastructure"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773802814",
        "to_ids": false,
        "type": "text",
        "uuid": "285079cb-13e0-4ecc-8a79-0317eae9b4b1",
        "value": "ACRStealer, a sophisticated Malware as a Service, has evolved with enhanced evasion techniques and C2 communication strategies. It employs low-level syscalls and AFD for stealthy operations, bypassing user-mode hooks. The malware uses layered communication, establishing raw TCP connections followed by SSL/TLS over SSPI. ACRStealer's data-stealing capabilities are extensive, targeting browsers, Steam accounts, and performing victim fingerprinting. It can execute secondary payloads and capture screenshots. The malware shows an active infection pattern in countries like the USA, Mongolia, and Germany, communicating with specific IP addresses and domains. Recent developments indicate a shift to LummaStealer, suggesting ongoing threat actor activities targeting gaming platforms and social media."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773802814",
        "to_ids": false,
        "type": "text",
        "uuid": "c8e32e0e-a15c-4f47-9a66-199532db4e0d",
        "value": "Name: Endgame Harvesting: Inside ACRStealer's Modern Infrastructure\nAuthor: AlienVault\nAdversary: \nTags: [\"hijackloader\", \"data-theft\", \"gaming-malware\", \"acrstealer\", \"evasion\", \"browser-exploitation\", \"c2-communication\", \"maas\", \"lummastealer\", \"syscalls\"]\nTgtd countries: [\"United States of America\", \"Germany\", \"Mongolia\"]\nMlwr families: [\"ACRStealer\", \"HijackLoader\", \"LummaStealer\"]\nAttack_ids: [\"T1113\", \"T1140\", \"T1555\", \"T1055\", \"T1087\", \"T1083\", \"T1057\", \"T1573\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774236041",
        "to_ids": true,
        "type": "url",
        "uuid": "ee1843d1-f3c0-48e3-be3d-f2211e8f05c4",
        "value": "https://pivigames.blog/adbuho",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774236063",
        "to_ids": true,
        "type": "domain",
        "uuid": "b7488674-a7e8-41a9-a70f-79facaaf98c1",
        "value": "playtogga.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774236085",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "05ef212e-cdf4-4526-b898-10f32881c7c8",
        "value": "157.180.40.106",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774236107",
        "uuid": "d2ff6cf1-953d-4fbc-ae81-b28471cbe32b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "LummaStealer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774236107",
            "to_ids": true,
            "type": "md5",
            "uuid": "36559b33-557b-4129-b9d0-70f6bd2b5cf3",
            "value": "59db3cea92ecf965c435fdc4ea204f76",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "LummaStealer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1774234972",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a7edd865-badc-4d7e-8dd3-f96ad5bcb774",
            "value": "d8a074cb8bd8710078694d08a814a37b65572e84",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "LummaStealer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1774234972",
            "to_ids": true,
            "type": "sha256",
            "uuid": "06ad31aa-536e-4e37-908f-9d04e071dba3",
            "value": "f88c6e267363bf88be69e91899a35d6f054ca030e96b5d7f86915aa723fb268b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774232305",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "fd34217b-c20d-49c4-87e4-4309d84cd6b1",
            "value": "49152:9IfdCtI5GDchA0ndNNF1Qn6LLZ+17xJ/zH8hLfnl4KDcEQRw/kdUYWs17gpZzQ6Q:9IEthnid4KDcvvuacPQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774232305",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ea441bfb-1db9-4f41-bc7d-cb6bd2a0946c",
            "value": "10667648"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774232305",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a94962a9-037d-4b52-a148-25282eae8e07",
            "value": "017066655d1d15541az28!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774232305",
            "to_ids": true,
            "type": "filename",
            "uuid": "68b9b7b5-3cae-4a32-aa35-34d82a6f2f93",
            "value": "f88c6e267363bf88be69e91899a35d6f054ca030e96b5d7f86915aa723fb268b.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/03/2026\nLast-scan: 20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774232305",
            "to_ids": false,
            "type": "text",
            "uuid": "0e901414-328e-4629-9856-6e6ab312c832",
            "value": "LummaStealer\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/Tedy.KKB!MTB\nVT Total Detection: 41/71\nFirst Submission: 2026-01-04T21:07:10.000000+00:00\nLast Submission: 2026-01-07T12:57:18.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774236129",
        "uuid": "cb5a396b-6c21-458f-8163-49ea24b3f12c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ACRStealer, payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774236129",
            "to_ids": true,
            "type": "md5",
            "uuid": "187661ce-fe02-450c-a86c-5c6c9d73328b",
            "value": "e7f6096840fe51cfe1eb6234d63843b5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ACRStealer, payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1774234974",
            "to_ids": true,
            "type": "sha1",
            "uuid": "cf3eff37-e1f9-4a7c-9f9b-35d2e199db27",
            "value": "437bf54b6e2cdfed9431f1f69686bebd10187abc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ACRStealer, payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1774234975",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c84bfff3-8123-4785-aea9-3b623c0efc06",
            "value": "59202cb766c3034c308728c2e5770a0d074faa110ea981aa88f570eb402540d2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774232328",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "30b43d4a-85f3-40a4-9b57-da9af50b6d07",
            "value": "1536:KG94SXSVOmfchjJriSQ389cVMaZfO7cCAPAw8nwoKI4l0dkSF28z2NNvGOJ:K+0VNfchlr1bIuyAjnHy8M"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774232328",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c868d060-396f-404f-8584-884bce42fc79",
            "value": "108032"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774232328",
            "to_ids": true,
            "type": "vhash",
            "uuid": "aa3507d0-841e-46b9-8d55-f65486bdd977",
            "value": "015056655d156d10b8z1d7z55z8nz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774232328",
            "to_ids": true,
            "type": "filename",
            "uuid": "2d2ad283-a204-41c0-b072-ff064e39f211",
            "value": "PAYLOAD"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/03/2026\nLast-scan: 20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774232328",
            "to_ids": false,
            "type": "text",
            "uuid": "648919e8-b682-46b8-baac-3201d49b0d44",
            "value": "ACRStealer, payload\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/ACRStealer.AC!MTB\nVT Total Detection: 58/71\nFirst Submission: 2026-02-11T10:23:23.000000+00:00\nLast Submission: 2026-02-11T11:47:06.000000+00:00"
          }
        ]
      }
    ]
  }
}