
Google Docs (Presentation) used as an intermediary C2 | Source: ASEC
Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have identified a new surge in ACRStealer, a stealthy infostealer malware that is abusing Google Docs, Steam, and Telegra.ph as intermediary command-and-control (C2) servers. This technique, known as Dead Drop Resolver (DDR), allows attackers to hide their real infrastructure behind legitimate services, making detection significantly harder.
“Unlike other Infostealers, ACRStealer shows a more flexible approach in using their intermediary C2. They are inserting C2 strings into various platforms, and the locations of these strings are also being changed continuously,” ASEC reports.
Initially discovered in June 2024, ACRStealer was quietly distributed in small volumes, mainly disguised as cracks and keygens for pirated software. However, in 2025, its distribution has increased significantly, matching the spread rate of LummaC2, another notorious infostealer.
While previously leveraging platforms like Steam and telegra.ph, ACRStealer has now shifted to using Google Docs (Forms and Presentations) as its intermediary C2.
The attackers encode the C2 domain in Base64 and store it on these platforms. The malware fetches the page, decodes the string, and uses the result to connect to the actual C2 server.
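As an added example (not ASEC's code and not the malware's), a defender-side hunting heuristic for the dead-drop pattern just described: it scans text retrieved from a public page for Base64 tokens that decode to a hostname or URL. The sample page text, the decoy token and the placeholder domain c2-example.invalid are constructed for this illustration.

```python
import base64
import binascii
import re

# Constructed sample of text pulled from a public page (a document body or
# profile description). One token is a Base64-encoded placeholder domain,
# another is valid Base64 that decodes to ordinary text (a false-positive check).
SAMPLE_PAGE_TEXT = """
Welcome to my presentation about cooking.
Slide notes: YzItZXhhbXBsZS5pbnZhbGlk
Footer: bm90IGEgZG9tYWluIGF0IGFsbA==
Contact: hello@example.invalid
"""

# A Base64 candidate: 16+ alphabet characters not glued to other alphabet
# characters, with optional '=' padding.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

# Decoded output that looks like a bare hostname or a URL carrying one.
HOSTNAME = re.compile(
    r"^(?:https?://)?((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})(?:[:/].*)?$",
    re.IGNORECASE,
)


def decode_token(token):
    """Return the ASCII text a token decodes to, or None if it is not clean Base64."""
    padded = token + "=" * (-len(token) % 4)  # restore stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return None  # binary payload, not an embedded domain string


def find_dead_drop_candidates(text):
    """Return (token, decoded_text, hostname) for every Base64 token that decodes to a host/URL."""
    hits = []
    for match in B64_TOKEN.finditer(text):
        decoded = decode_token(match.group(0))
        if decoded is None:
            continue
        host = HOSTNAME.match(decoded.strip())
        if host:
            hits.append((match.group(0), decoded.strip(), host.group(1).lower()))
    return hits
```

In practice the input text would be the content of the pages a suspicious process fetched, recovered from a proxy log or sandbox run; any hit is a lead to pivot on, not a verdict by itself.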
Once active, ACRStealer is designed to extract a wide range of sensitive data, including:
- Browser Data: Chrome, Edge, Firefox, Opera, Brave, and more.
- Cryptocurrency Wallets: MetaMask, Trust Wallet, Binance, Electrum, Exodus, and others.
- File Data: Text files (.txt) and other sensitive documents.
- FTP & Remote Access Credentials: FileZilla, AnyDesk, TeamViewer.
- Email & Messaging Apps: Outlook, Thunderbird, Telegram, WhatsApp, Signal.
- Password Managers: Bitwarden, 1Password, RoboForm, KeePass.
- VPN Credentials: NordVPN, AzireVPN.
The malware uses a hardcoded UUID identifier and an encrypted configuration file to define the targeted data and exfiltration parameters. Stolen information is often compressed into a ZIP file and sent to the attacker’s server.
To protect against ACRStealer and similar threats, ASEC advises users to avoid downloading files from untrusted sources and to exercise caution when installing software, especially cracks and keygens.