The cybercriminal underground is shifting with the emergence of Acreed, a new infostealer that is rapidly gaining traction on Russian-speaking forums. According to Intrinsec’s latest report, “we see the rise of Acreed logs in Russian-speaking forums. Some of our clients are already victims of this new infostealer that will maybe overtake the number one stealer Lumma in the future.”
For much of 2024, Lumma dominated the infostealer market. Its global takedown in May 2025, when Europol and Microsoft seized more than 1,300 domains, left a vacuum, but the migration had started earlier: “Statistics of log offerings show that threat actors began to move away from Lumma around April 2025, when the surge of Acreed began,” Intrinsec explains.
Although still largely controlled by a single actor known as “Nu####ez,” Acreed has already captured 17% of the underground stealer market, placing it just behind Rhadamanthys. Analysts warn that its private nature makes it harder to track, and that it would become more dangerous still if it moved to public distribution.
Intrinsec researchers identified 18 Acreed samples and uncovered an unusual C2 domain retrieval method: the malware uses both the BNB Smart Chain Testnet and Steam profiles as dead drop resolvers. As the report puts it, “the mechanism of C2 domain retrieval uses the BNB Smartchain Testnet and the Steam platform as dead drop resolvers.” A dead drop resolver is a legitimate, hard-to-block service from which the malware reads its current C2 address, so the operator can re-point infected hosts without shipping a new binary, and the first outbound connection looks like ordinary traffic to Steam or to a public blockchain RPC endpoint.
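The practical consequence of this design is that the resolver lookups, not the final C2 contact, are the earliest observable. The script below is an added example, not Intrinsec’s tooling or Acreed’s code: it hunts proxy logs for Steam profile fetches and BSC testnet JSON-RPC calls made by processes that have no business doing either, and escalates when one process performs both within a short window, which is the retrieval pattern the report describes. The JSON log format, the process allow-lists and the RPC host list are assumptions, and the SteamIDs in the sample are placeholders; the page does not name the profiles or endpoints Acreed actually uses.

```python
"""Hunt for dead-drop-resolver lookups in endpoint proxy logs.

Added example; not Intrinsec's tooling or Acreed's code. The JSON log
format, the process allow-lists and the BSC testnet RPC host list are
assumptions, and the SteamIDs are placeholders: the page does not name
the profiles or endpoints Acreed actually uses.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Public BSC testnet JSON-RPC endpoints (assumed indicator list).
BSC_TESTNET_RPC = {
    "data-seed-prebsc-1-s1.binance.org",
    "data-seed-prebsc-2-s1.binance.org",
    "bsc-testnet.publicnode.com",
}
# A Steam community profile page, by SteamID64 or vanity name.
STEAM_PROFILE = re.compile(r"^/(?:profiles/\d{17}|id/[A-Za-z0-9_-]+)/?$")

# Processes that legitimately reach these platforms (assumed allow-lists;
# browsers cover Steam in a tab and browser-extension wallets doing RPC).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
EXPECTED = {
    "steam_profile": BROWSERS | {"steam.exe", "steamwebhelper.exe"},
    "bsc_testnet_rpc": BROWSERS,
}

# Constructed sample log (one JSON object per line, placeholder hosts/IDs).
SAMPLE_LOG = """\
{"ts":"2025-06-02T09:14:01Z","host":"ws01","proc":"steam.exe","dst":"steamcommunity.com","path":"/profiles/76561190000000001/"}
{"ts":"2025-06-02T09:15:10Z","host":"ws01","proc":"chrome.exe","dst":"bsc-testnet.publicnode.com","path":"/"}
{"ts":"2025-06-02T09:20:44Z","host":"ws02","proc":"update.exe","dst":"steamcommunity.com","path":"/profiles/76561190000000002/"}
{"ts":"2025-06-02T09:20:46Z","host":"ws02","proc":"update.exe","dst":"data-seed-prebsc-1-s1.binance.org","path":"/"}
{"ts":"2025-06-02T09:20:49Z","host":"ws02","proc":"update.exe","dst":"windowsupdateorg.live","path":"/"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def classify(e):
    """Label an event as a resolver lookup kind, or None."""
    if e["dst"] == "steamcommunity.com" and STEAM_PROFILE.match(e["path"]):
        return "steam_profile"
    if e["dst"] in BSC_TESTNET_RPC:
        return "bsc_testnet_rpc"
    return None


def find_dead_drop_lookups(events, window_seconds=300):
    """Flag resolver lookups from unexpected processes ('medium'); raise
    to 'high' when one process performs both kinds within the window."""
    window = timedelta(seconds=window_seconds)
    findings, per_proc = [], defaultdict(list)
    for e in events:
        kind = classify(e)
        if kind is None or e["proc"].lower() in EXPECTED[kind]:
            continue
        findings.append({"host": e["host"], "proc": e["proc"], "kind": kind,
                         "dst": e["dst"], "ts": e["ts"], "severity": "medium"})
        per_proc[(e["host"], e["proc"])].append((e["ts"], kind))
    for (host, proc), hits in per_proc.items():
        times = [t for t, _ in hits]
        if len({k for _, k in hits}) == 2 and max(times) - min(times) <= window:
            for f in findings:
                if (f["host"], f["proc"]) == (host, proc):
                    f["severity"] = "high"
    return findings


if __name__ == "__main__":
    for f in find_dead_drop_lookups(parse_log(SAMPLE_LOG)):
        print(f"{f['severity']:6} {f['host']} {f['proc']} -> {f['dst']} ({f['kind']})")
```

On the sample, the Steam client and the browser are ignored, while `update.exe` on `ws02` is raised to high because it fetched a profile and hit a testnet RPC two seconds apart; the following contact to the lookalike C2 domain is the event a responder would then pivot to. Tune the allow-lists to your fleet, since any process that legitimately embeds Steam or web3 functionality will otherwise produce medium findings.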
Acreed logs are intentionally minimal, containing only passwords, cookies, and autofill data and omitting browser history and downloads. This “small footprint,” as Intrinsec notes, represents “a significant increase in discretion as we cannot locate the origin of the infection.” For responders this means a log on its own will not reveal the lure or download that delivered the stealer.
Beyond credentials, Acreed also targets digital assets. Intrinsec highlights that its JavaScript modules act as “clipper” malware, stealing cryptocurrency by replacing wallet addresses in real time. The researchers warn: “The script can identify wallets in QR codes and replace them by creating a new QR code that contains the threat actor’s wallet.”
Supported wallets include MetaMask, Coinbase, Binance, Phantom, and Ronin, making Acreed especially dangerous for users active in DeFi and NFT markets. Because the substitution happens on the victim’s own screen and clipboard, the only reliable check is to confirm the destination address on a hardware wallet display or a second, uninfected device before signing.
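To make the clipper behaviour concrete, the block below is an added example written for this page; it is not Acreed’s JavaScript module, which the report does not reproduce. It shows the core of any address clipper, a regex pass that recognises wallet addresses by their public formats and swaps each for the attacker’s address on the same chain, and beside it a defensive paste-time check that compares what was copied with what is about to be pasted. The same substitution applies to a decoded QR payload such as a BIP-21 `bitcoin:` URI, which the sample includes; re-encoding the QR image itself is omitted. The attacker addresses, the sample text and the “Victim”/“Attacker” strings are constructed placeholders, and the chain classification is a best-effort heuristic, not full checksum validation.

```python
"""Wallet-address clipper logic and a paste-time check for it.

Added example, not Acreed's JavaScript module (which the page does not
reproduce). Address formats are the public ones; attacker addresses and
sample texts are constructed placeholders.
"""
import re

# One pass over the text: ETH (0x + 40 hex), bech32 BTC, or a base58 run
# that chain_of() splits into legacy BTC vs Solana by prefix and length.
ADDR_RE = re.compile(
    r"\b(0x[0-9a-fA-F]{40}|bc1[a-z0-9]{25,59}|[1-9A-HJ-NP-Za-km-z]{26,44})\b"
)


def chain_of(addr):
    """Best-effort chain classification (heuristic, no checksum check)."""
    if addr.startswith("0x"):
        return "eth"
    if addr.startswith("bc1"):
        return "btc"
    if addr[0] in "13" and len(addr) <= 35:
        return "btc"
    if len(addr) >= 32:
        return "sol"
    return None


def extract(text):
    """Return [(chain, address)] in order of appearance."""
    out = []
    for m in ADDR_RE.finditer(text):
        chain = chain_of(m.group(1))
        if chain:
            out.append((chain, m.group(1)))
    return out


# Constructed attacker addresses, one per chain (placeholders).
ATTACKER = {
    "eth": "0x1111111111111111111111111111111111111111",
    "btc": "bc1q" + "x" * 38,
    "sol": "Attacker" * 4 + "Attack",
}


def clip_swap(text, attacker=ATTACKER):
    """What a clipper does: replace every address with the attacker's
    address for the same chain. Returns (new_text, [(chain, old, new)])."""
    swaps = []

    def repl(m):
        addr = m.group(1)
        chain = chain_of(addr)
        if chain in attacker and attacker[chain] != addr:
            swaps.append((chain, addr, attacker[chain]))
            return attacker[chain]
        return addr

    return ADDR_RE.sub(repl, text), swaps


def detect_swap(copied, pasted):
    """Defensive check: compare the addresses that were copied with the
    ones about to be pasted; report any that changed chain-for-chain."""
    changed = []
    for (c1, a1), (c2, a2) in zip(extract(copied), extract(pasted)):
        if c1 == c2 and a1 != a2:
            changed.append((c1, a1, a2))
    return changed


# Constructed sample: a payment note plus a decoded QR payload (BIP-21 URI).
SAMPLE = (
    "Pay 0.5 ETH to 0xabcdefabcdefabcdefabcdefabcdefabcdefabcd, "
    "BTC to 1VictimVictimVictimVictimVictimVic, "
    "SOL to VictimVictimVictimVictimVictimVictim. "
    "QR payload: bitcoin:1VictimVictimVictimVictimVictimVic?amount=0.01"
)

if __name__ == "__main__":
    swapped, swaps = clip_swap(SAMPLE)
    for chain, old, new in swaps:
        print(f"{chain}: {old} -> {new}")
    print("paste check:", detect_swap(SAMPLE, swapped))
```

The regex-and-replace half is why clippers are cheap to write and why they work on any text field, page or decoded QR string alike; the check half only helps if it runs somewhere the malware does not control, which is the point of verifying on a hardware wallet or a separate device.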
Perhaps most concerning is Acreed’s overlap with the notorious Vidar stealer ecosystem. Intrinsec’s infrastructure analysis found that the C2 domain windowsupdateorg[.]live, named to mimic Microsoft’s update service, resolves to IPs within the same ranges previously tied to Vidar’s management servers. Shared address ranges point to shared hosting rather than proving a shared operator, so the link is an overlap, not an attribution.
The report further uncovers connections to ProManaged LLC, a hosting provider registered in Belize with Russian ties and a history of offering “bulletproof” services. As Intrinsec concludes, “our infrastructure analysis shows that it is also integrated in an existing ecosystem that overlaps with Vidar. It is therefore likely that this malware will spread more and more in the cybercrime community.”
Acreed represents a new breed of infostealer: stealthier, more resilient, and anchored to legitimate third-party platforms, a public blockchain testnet and a gaming network, for its command infrastructure. Its rise signals a shift in the cybercrime economy, where such platforms are increasingly abused for resilience and control.
Security professionals should prepare for Acreed’s continued growth, as its trajectory suggests it could rival or even surpass the dominance Lumma once held.