An infostealer known as ACRStealer is using legitimate platforms like Google Docs and Steam as part of an attack, according to researchers.
ACRStealer is often distributed via the tried and tested method of download as cracks and keygens, which are used in software piracy. The infostealer has been around since mid-2024 (as a beta test), but it’s only really taken off in 2025. ACRStealer is capable of:
- Identifying which antivirus solution is on a device
- Stealing crypto wallets and login credentials
- Stealing browser information
- Harvesting File Transfer Protocol (FTP) credentials
- Reading all text files
With that kind of information, cybercriminals can go after your cryptocurrency and other funds. With the capture of usernames and passwords from web browsers, attackers can access your accounts, including email, social media, and financial services.
They may even gather enough personal data to be used for identity theft or sold on the dark web.
What stands out in the recently-found ACRStealer variants is the way they communicate with the command and control (C2) server—a computer which is used to send commands to systems compromised by malware and receive stolen data from a target network. Rather than hard-coding the IP address in the malware, they chose to use a method called Dead Drop Resolver (DDR), where the malware contacts a legitimate platform like Google Docs or Steam to read what the C2 domain is.
This is good for the cybercriminals as it means they can easily change the domain if one gets discontinued, seized, or blocked. All they need to do is update the Google Doc.
And outgoing calls to docs.google.com will not easily trigger an alarm, so it helps in staying under the radar.
Stay safe from the ACRStealer
Like many other information stealers, ARCStealer is operated under the Malware-as-a-Service (MaaS) model, where criminals rent out the malware and the infrastructure to other criminals. That makes it hard to know exactly how to defend yourself.
However, there are some things you can do:
- Stay away from websites offering cracks and keygens
- Download software from the official publisher wherever possible
- Don’t click on links in unsolicited communications (email, texts, DMs, etc)
- Don’t open unverified attachments
- Use multi-factor authentication (MFA) wherever you can, so even if cybercriminals steal your login details they won’t be able to get into your account
- Use an active and up-to-date anti-malware solution.
Malwarebytes recognizes new variants of ACRStealer by behavior, which will result in the detection name of Malware.AI.{ID-number}.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
