
August 2025 Infostealer Trend Report

Severity: Medium
Published: Tue Sep 16 2025 (09/16/2025, 13:40:14 UTC)
Source: AlienVault OTX General

Description

This analysis examines Infostealer trends in August 2025, focusing on distribution volume, methods, and disguises. AhnLab's automated systems collect and analyze malware, providing real-time IOC services. Infostealers, often disguised as cracks, are distributed through SEO poisoning. Notable variants include LummaC2, ACRStealer, and Rhadamanthys. Distribution methods evolved from personal blogs to legitimate websites, bypassing search engine restrictions. Malware is primarily distributed as EXE files (89.7%) or through DLL-SideLoading (10.3%). Two significant trends emerged: mass distribution via Slack Marketplace and ACRStealer's domain masquerading technique, which now targets security company domains to evade detection.

AI-Powered Analysis

Last updated: 09/16/2025, 14:31:44 UTC

Technical Analysis

The August 2025 Infostealer Trend Report highlights evolving tactics and distribution methods of infostealer malware, focusing on variants such as LummaC2, ACRStealer, and Rhadamanthys. Infostealers are malicious programs designed to covertly harvest sensitive information from infected systems, including credentials, personal data, and system details. Traditionally distributed via SEO poisoning—where attackers manipulate search engine results to lure victims to malicious sites—these malware families have shifted their distribution channels from personal blogs to legitimate websites, effectively bypassing search engine restrictions and increasing infection rates. The primary delivery format remains executable files (EXE) at 89.7%, with a significant minority (10.3%) using DLL SideLoading, a technique where malicious DLLs are loaded by legitimate applications to evade detection. Two notable trends are emphasized: first, mass distribution through the Slack Marketplace, exploiting the platform's ecosystem to spread malware widely; second, ACRStealer's domain masquerading technique, which involves impersonating security company domains to evade detection and increase trustworthiness in the eyes of victims and security tools. The malware employs multiple advanced techniques aligned with MITRE ATT&CK tactics such as T1140 (Deobfuscate/Decode Files or Information), T1190 (Exploit Public-Facing Application), T1055 (Process Injection), T1059 (Command and Scripting Interpreter), T1102 (Web Service), T1547.001 (Registry Run Keys/Startup Folder), T1588.002 (Obtain Capabilities: Acquire Infrastructure), T1027 (Obfuscated Files or Information), and T1573 (Encrypted Channel). These techniques facilitate stealthy persistence, lateral movement, and data exfiltration. The report does not indicate known active exploits in the wild but provides numerous file hashes for detection and blocking. Overall, this threat represents a sophisticated and adaptive infostealer campaign leveraging social engineering, supply chain abuse, and advanced evasion tactics to compromise victims.

Potential Impact

For European organizations, the impact of these infostealers can be significant. The theft of credentials and sensitive corporate data can lead to financial losses, intellectual property theft, and reputational damage. The use of Slack Marketplace for mass distribution is particularly concerning given Slack's widespread adoption in European enterprises for collaboration. Compromise via this channel could enable attackers to infiltrate multiple organizations rapidly. The domain masquerading technique targeting security company domains may undermine trust in legitimate security communications and tools, complicating incident response and detection efforts. Additionally, DLL SideLoading and process injection techniques increase the difficulty of detection by traditional antivirus and endpoint protection solutions, potentially allowing prolonged undetected access. The evolving distribution methods and obfuscation techniques suggest that standard perimeter defenses may be insufficient, increasing the risk of successful breaches. Regulatory implications under GDPR also heighten the stakes, as data breaches involving personal data can result in substantial fines and legal consequences. The medium severity rating reflects the moderate ease of exploitation combined with potentially high confidentiality and integrity impacts if successful.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy tailored to the specific tactics observed in this campaign. First, enhance endpoint detection and response (EDR) capabilities to identify and block DLL SideLoading and process injection behaviors. Deploy behavioral analytics to detect anomalous Slack Marketplace app activities and restrict installation of unvetted third-party apps. Implement strict application whitelisting and code-signing policies to prevent execution of unauthorized EXE files. Conduct regular threat hunting using the provided malware hashes and indicators of compromise (IOCs) to identify potential infections early. Strengthen web filtering and DNS security to mitigate SEO poisoning risks by blocking access to known malicious domains and URLs. Educate employees on the risks of downloading cracks or unauthorized software, emphasizing the dangers of SEO-poisoned search results. Monitor network traffic for encrypted channels and unusual outbound connections that may indicate data exfiltration. Finally, maintain up-to-date incident response plans that include scenarios involving supply chain abuse and domain masquerading to ensure rapid containment and remediation.
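The threat-hunting step above ("using the provided malware hashes and indicators of compromise") can be carried out with a simple file-system sweep. The following is an added example written for this page, not code from the report, AhnLab, or AlienVault: it takes the IOC digests listed further down on this page, infers the algorithm (MD5, SHA-1, SHA-256) from the digest length, hashes every file under a directory with all three algorithms in one pass, and reports any match. The directory argument, the demo() helper and the sample file it writes are constructed for illustration.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# IOC file hashes exactly as listed in this report's indicator table
# (five MD5, four SHA-1, four SHA-256 digests).
IOC_HASHES = {
    "00a2e097c53831491975374ef4cdf5b4",
    "013026855baf28301bd7e6e85822e4e5",
    "081b5fb48eab820ccf47065e724cc9b6",
    "11f03aef854cc2032db0771b7b7166fb",
    "169620bc6fb5e9753d913275b2352686",
    "1106be0ea0ad6323bee88c8e85f0a0eed2ea7251",
    "13e9e3c8bc38c2730a35b3b7797a95e3eb2bdc14",
    "513c7c99a4b47f67cf34f7f6c4dd28c5217bf9a2",
    "d773f53ca94acfb3df5cfa7ae87b0632608072ff",
    "020086975001e27c95565f8040b7e637fbee03497b950f8c0cae4ed7a3d1074f",
    "3137451920d1843a381904d3227caaffa9745a3eb99d40786524a2313589e9e0",
    "b5013ef4816a0aa0f82f1af06204c59b6cb7a491d44233f99b2545cd127d0a34",
    "c1243c763c8e20be71f380e5366060a73c4a80711d0d0018d4020b6051563101",
}

# Hex digest length identifies the algorithm; feeds rarely label it.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")


def index_iocs(hashes):
    """Group IOC digests by algorithm, rejecting anything that is not a known-length hex string."""
    by_algo = {"md5": set(), "sha1": set(), "sha256": set()}
    for raw in hashes:
        h = raw.strip().lower()
        algo = ALGO_BY_LEN.get(len(h))
        if algo is None or not set(h) <= HEX:
            raise ValueError(f"not a hex digest of a known length: {raw!r}")
        by_algo[algo].add(h)
    return by_algo


def digest_file(path, algos=("md5", "sha1", "sha256"), chunk=1 << 20):
    """Read the file once and return {algo: hexdigest} for every requested algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_digests(digests, by_algo):
    """Return (algo, digest) pairs from a file's digests that appear in the IOC index."""
    return [(a, d) for a, d in digests.items() if d in by_algo[a]]


def sweep(root, by_algo):
    """Walk a directory tree and return (path, algo, digest) for every IOC hit."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digests = digest_file(p)
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        for algo, digest in match_digests(digests, by_algo):
            hits.append((str(p), algo, digest))
    return hits


def demo():
    """Self-check on a constructed benign file (assumption: not a real sample).

    First confirms the file matches none of the real IOCs, then seeds a copy of
    the index with the file's own SHA-256 and returns the resulting hits."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample file, not malware\n")
        if sweep(tmp, index_iocs(IOC_HASHES)):
            raise RuntimeError("benign sample unexpectedly matched an IOC")
        seeded = index_iocs(IOC_HASHES | {digest_file(sample)["sha256"]})
        return [(algo, digest) for _, algo, digest in sweep(tmp, seeded)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."  # directory to sweep (assumed argument)
    for path, algo, digest in sweep(target, index_iocs(IOC_HASHES)):
        print(f"IOC MATCH {algo} {digest} {path}")
```

Because file hashes are trivially changed by repacking, a clean sweep only says that the specific samples in this report are absent; pair it with the behavioural EDR and DNS controls recommended above rather than relying on it alone.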


Technical Details

Author: AlienVault
TLP: white
References: https://asec.ahnlab.com/en/90154
Adversary: null
Pulse Id: 68c968be19f98a976a9f43b3
Threat Score: null

Indicators of Compromise

Hash

Value | Description
00a2e097c53831491975374ef4cdf5b4 (MD5) | (none given)
013026855baf28301bd7e6e85822e4e5 (MD5) | (none given)
081b5fb48eab820ccf47065e724cc9b6 (MD5) | (none given)
11f03aef854cc2032db0771b7b7166fb (MD5) | (none given)
169620bc6fb5e9753d913275b2352686 (MD5) | (none given)
1106be0ea0ad6323bee88c8e85f0a0eed2ea7251 (SHA-1) | (none given)
13e9e3c8bc38c2730a35b3b7797a95e3eb2bdc14 (SHA-1) | (none given)
513c7c99a4b47f67cf34f7f6c4dd28c5217bf9a2 (SHA-1) | (none given)
d773f53ca94acfb3df5cfa7ae87b0632608072ff (SHA-1) | (none given)
020086975001e27c95565f8040b7e637fbee03497b950f8c0cae4ed7a3d1074f (SHA-256) | (none given)
3137451920d1843a381904d3227caaffa9745a3eb99d40786524a2313589e9e0 (SHA-256) | (none given)
b5013ef4816a0aa0f82f1af06204c59b6cb7a491d44233f99b2545cd127d0a34 (SHA-256) | (none given)
c1243c763c8e20be71f380e5366060a73c4a80711d0d0018d4020b6051563101 (SHA-256) | (none given)

(Hash type is inferred from digest length; the feed lists the values without an algorithm label.)

Threat ID: 68c973c5ba2489d7522e0b2b

Added to database: 9/16/2025, 2:27:17 PM

Last enriched: 9/16/2025, 2:31:44 PM

Last updated: 9/17/2025, 2:39:26 AM

Views: 6
