Malware hides on Google docs: passwords and private chats at risk


Hackers are now using Google Docs and other trusted platforms to secretly control malware that steals passwords, chat logs, and sensitive data – without users ever noticing.

Infostealer malware is particularly dangerous, as, once deployed, it runs discreetly in the background, making detection especially challenging.

This type of malicious software is specifically designed to extract sensitive information, such as passwords, credit card numbers, browsing history, and other valuable information from an infected system and transfer it to cybercriminals.


Infostealers typically infiltrate systems via phishing emails, malicious attachments, or compromised websites. Often, infostealers are disguised as illegal programs such as cracks and keygens.

Page for distributing the Infostealer disguised as a crack. Source: ASEC

The LummaC2 infostealer has led the field. Operating as malware-as-a-service since at least August 2022, it has been widely distributed to steal data from browsers, including credentials, cookies, autofill entries, and browser extension data.

Recently, AhnLab Security Intelligence Center (ASEC) has identified that, in addition to Lumma, the ACRStealer infostealer has seen an increase in distribution.

First introduced in mid-2024, ACR Stealer is an information stealer sold as malware-as-a-service (MaaS) on Russian-speaking cybercrime forums. It’s capable of harvesting system information, stored credentials, web browser cookies, cryptocurrency wallets, and configuration files for various programs.


Unlike other infostealers, ACRStealer takes a more flexible approach to reaching its command-and-control (C2) server. To avoid detection, instead of hardcoding the actual C2 address in the malware, it stores and distributes that address through legitimate platforms.

ACRStealer has been observed using platforms such as Google Docs for this purpose. Attackers encode the real C2 domain in Base64 and post it on the platform; the malware fetches the page, decodes the value, and then contacts that server to carry out its malicious actions. This technique is known as a Dead Drop Resolver (DDR).
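A triage helper, added here as an example rather than code from ASEC or from the malware, that an analyst could run over the text of a captured dead-drop page to recover a Base64-encoded C2 value for blocking and IOC lists. The sample page text, tokens and domains below are constructed for the example.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample of text pulled from a dead-drop page (for example the
# body of a public Google Docs presentation). Both Base64 tokens and the
# domains they decode to are made up for this example.
SAMPLE_PAGE = (
    "Quarterly Review - Slide 1\n"
    "Notes: aHR0cHM6Ly9leGFtcGxlLWMyLmludmFsaWQvZ2F0ZS5waHA=\n"
    "Backup: YzItcGFuZWwuZXhhbXBsZQ==\n"
    "Thanks for attending! Q1Q1Q1Q1\n"
)

# Candidate Base64 tokens: long enough to hold a hostname, optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Loose check that a decoded string looks like a hostname or URL.
HOST_OR_URL = re.compile(
    r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d{1,5})?(?:/\S*)?$", re.I
)


def decode_candidate(token: str) -> Optional[str]:
    """Strictly decode one token; return it only if it is printable ASCII."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        # Ordinary long words or binary blobs fail validation or decoding.
        return None
    return text if text.isprintable() else None


def extract_dead_drop_c2(page_text: str) -> List[Dict[str, str]]:
    """Return every Base64 token in page_text that decodes to a host or URL,
    paired with the decoded value, so the C2 can be blocked and recorded."""
    hits = []
    for token in B64_TOKEN.findall(page_text):
        decoded = decode_candidate(token)
        if decoded and HOST_OR_URL.match(decoded.strip()):
            hits.append({"token": token, "c2": decoded.strip()})
    return hits


if __name__ == "__main__":
    for hit in extract_dead_drop_c2(SAMPLE_PAGE):
        print(f"{hit['token']} -> {hit['c2']}")
```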


The full list of services that ACRStealer has used as an intermediary C2 is as follows:

  • Steam
  • telegra.ph
  • Google Docs (Presentation)
  • Google Docs (Form)

Google Docs (Presentation) used as an intermediary C2. Source: ASEC

The malware steals a wide range of information, including:

  • Browser data
  • Text files
  • FTP credentials
  • Chat logs
  • Emails
  • Remote access program details
  • VPN information
  • Password managers
  • Databases
  • Browser extension data

A new wave of infostealer attacks

Infostealers have been a headache for cybersecurity specialists for a while. According to the Israeli cybersecurity firm Hudson Rock, hundreds of computers within the US Army, Navy, and major defense contractors – such as Lockheed Martin, Boeing, and Honeywell – are actively infected with infostealer malware.

Despite the billions invested in classified intelligence networks and advanced cybersecurity measures, military credentials and system logs can be purchased for as little as $10 per computer.

Hudson Rock discovered that 398 employees at Honeywell, a major US defense and aerospace contractor, were infected with infostealer malware. Additionally, data is being leaked by dozens of employees from Boeing (66), Lockheed Martin (55), Leidos (55), and other defense contractors.

An investigation by Palo Alto Networks' Unit 42 revealed that infostealers, often sold as malware-as-a-service, are the most widely exploited threat for Mac and MacBook users. Just three prevalent malware families dominate the market.
