A new, sophisticated variant of the ACRStealer malware has been identified, exhibiting advanced evasion techniques and encrypted command-and-control (C2) communication. This evolution of ACRStealer, a malware-as-a-service (MaaS) offering, poses a significant threat to users, particularly those active on gaming platforms.
The latest iteration of ACRStealer was discovered by G Data analysts during an investigation into HijackLoader activity, a sophisticated loader associated with the PiviGames distribution platform. This advanced malware leverages low-level system call evasion to bypass security measures, employs TLS encrypted communication for its C2 infrastructure, and possesses the capability to deliver secondary payloads, indicating continuous development by its operators.
This modular threat, sold on a rental basis to various threat actors, was observed being delivered as a final payload via HijackLoader. The infection chain typically begins when unsuspecting users on platforms such as Steam, Discord, or Reddit are lured to a malicious link. This link initiates a redirection sequence, ultimately leading to the download of a ZIP archive. The archive contains the ACRStealer malware, cleverly disguised as a legitimate software installer to deceive victims.
ACRStealer Employs Advanced Syscall Evasion and TLS C2 Communication
A significant advancement in this ACRStealer variant is its method of evading detection at the API level. Instead of calling the standard Win32 APIs that endpoint security products commonly monitor, the malware locates ntdll.dll by walking the Process Environment Block (PEB). It then resolves the functions it needs by parsing ntdll's Export Address Table (EAT), matching export names with a modified djb2 hash algorithm that has also been observed in HijackLoader. System calls are issued through the WoW64 transition gate, which passes them to the kernel without touching the user-mode hooks that many security products rely on for detection.
On the network side, the variant avoids the conventional Winsock library. It constructs an AFD endpoint path directly and opens it with NtCreateFile, obtaining a raw TCP IPv4 socket without importing the socket function from ws2_32.dll. After connecting to the C2 server on port 443, the malware performs a TLS handshake using Microsoft's SSPI framework. It presents the hardcoded hostname playtogga.com, a legitimate soccer platform, so that its traffic resembles ordinary HTTPS activity and slips past network inspection tools.
Following the TLS handshake, data exfiltration occurs either in plaintext or under AES-256 encryption, depending on a runtime configuration flag. The malware includes basic resilience: if the C2 server becomes unreachable, it waits two seconds and retries. This combination of evasion and encrypted communication makes ACRStealer a formidable and persistent threat.
The data-stealing capabilities of this ACRStealer variant are extensive. It targets browser credentials, session cookies, and login data from multiple browsers. Notably, it also targets Steam gaming account credentials, a specific exfiltration goal not previously documented in ACRStealer campaigns. All captured sensitive information is compiled into a hardcoded file named `d5e48e78-2951-4117-b806-e4f8e626f28c.txt` before being transmitted to the C2 server. Additionally, the malware performs comprehensive system fingerprinting, gathering information such as machine GUID, username, architecture, locale, and build time. This collected data is then compressed into an in-memory ZIP archive, limited to 40MB, before its final transmission.
Interestingly, the same delivery infrastructure has been observed distributing LummaStealer in early 2026. The PiviGames redirection chain was found to lead to a Mega cloud download containing a single executable, Setup.exe, which in this instance deployed LummaStealer instead of ACRStealer. This indicates that the threat group maintains flexibility by rotating final payloads without altering its established distribution chain, making disruption through payload-specific detection alone challenging.
Confirmed active infections utilizing this advanced ACRStealer have been reported in the United States, Mongolia, and Germany, with all samples communicating with the C2 address 157.180.40.106. Security teams are advised to monitor for unusual low-level API usage, specifically NtCreateFile and AFD-based network connections. Blocking known C2 indicators, including 157.180.40.106 and playtogga.com, is also recommended. Furthermore, enabling behavioral detection for process hollowing via rundll32.exe is a crucial step in mitigating this threat. Users are strongly cautioned against downloading files from unverified links shared on gaming platforms or social media to prevent falling victim to such phishing and malware distribution schemes.
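The monitoring advice above can be turned into a simple triage check. The following is an added example, not code from G Data or the article: it scans constructed endpoint telemetry for the behaviours and indicators the report names (a non-system process opening the AFD device directly, the hardcoded staging filename, and connections to the reported C2 address or hostname). The `\Device\Afd` path prefix, the log-line format and the process allow-list are assumptions to be tuned per environment.

```python
import re

# Constructed sample telemetry (not from the report): "kind | process | detail".
# Real input would come from ETW, Sysmon or an EDR export.
SAMPLE_EVENTS = [
    "file_open | svchost.exe | \\Device\\Afd\\Endpoint",
    "file_open | Setup.exe | \\Device\\Afd\\Endpoint",
    "file_open | Setup.exe | C:\\Users\\Public\\d5e48e78-2951-4117-b806-e4f8e626f28c.txt",
    "net_connect | Setup.exe | 157.180.40.106:443 sni=playtogga.com",
    "net_connect | chrome.exe | 93.184.216.34:443 sni=example.com",
]

# Indicators quoted in the report.
C2_IP = "157.180.40.106"
C2_HOST = "playtogga.com"
LOOT_FILE = "d5e48e78-2951-4117-b806-e4f8e626f28c.txt"

# Assumed: the AFD device path that a Winsock bypass opens via NtCreateFile.
AFD_PREFIX = "\\device\\afd"
# Assumed allow-list of processes expected to touch AFD directly; tune locally.
AFD_ALLOWLIST = {"system", "svchost.exe", "lsass.exe"}


def analyze(events):
    """Return (process, reason) findings for events matching the report's indicators."""
    findings = []
    for line in events:
        kind, proc, detail = (part.strip() for part in line.split("|", 2))
        if kind == "file_open":
            path = detail.lower()
            # A direct AFD endpoint open from an ordinary process bypasses Winsock hooks.
            if path.startswith(AFD_PREFIX) and proc.lower() not in AFD_ALLOWLIST:
                findings.append((proc, "direct AFD endpoint open (Winsock bypass)"))
            # The stealer writes all captured data to one hardcoded filename.
            if path.endswith(LOOT_FILE):
                findings.append((proc, "known ACRStealer staging filename"))
        elif kind == "net_connect":
            match = re.match(r"([\d.]+):(\d+)\s+sni=(\S+)", detail)
            if not match:
                continue
            ip, _port, sni = match.groups()
            # The hostname alone belongs to a legitimate site, so pair it with the C2 IP.
            if ip == C2_IP or sni == C2_HOST:
                findings.append((proc, f"connection to reported C2 indicator {ip} sni={sni}"))
    return findings


if __name__ == "__main__":
    for proc, reason in analyze(SAMPLE_EVENTS):
        print(f"{proc}: {reason}")
```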
The ongoing evolution of ACRStealer and its operators’ ability to adapt their distribution methods highlight the persistent and dynamic nature of cyber threats. Organizations and individuals should remain vigilant, keep their security software updated, and practice cautious online behavior to protect against these sophisticated malware campaigns.