This report analyzes infostealer malware trends observed in December 2025, focusing on the distribution, execution, and evolution of these threats. The primary malware families identified are ACRStealer, LummaC2, and Stealc, which are designed to steal sensitive user data and cryptocurrency wallets. Distribution methods have evolved from direct blog posts to more sophisticated SEO poisoning and leveraging compromised legitimate websites and forums, increasing the likelihood of victim exposure. A significant trend is the abuse of Python scripts to facilitate malware distribution, which can evade traditional detection mechanisms. Additionally, there is an emergence of cryptocurrency-stealing malware that utilizes Tor networks to anonymize command and control (C2) communications, complicating attribution and takedown efforts. Execution methods have shifted, with 65.8% of malware samples distributed as executable (EXE) files and 34.2% employing DLL sideloading techniques, which allow malware to bypass security controls by loading malicious DLLs through legitimate signed executables. Indicators of compromise include multiple IP addresses, file hashes, domains, and URLs, including Tor onion addresses, which are used for malware hosting and C2 infrastructure. The report underscores the dynamic nature of infostealer malware campaigns and the importance of adapting detection and mitigation strategies accordingly.

European organizations are at risk of data breaches involving credential theft, financial information compromise, and cryptocurrency theft due to these infostealer campaigns. The use of SEO poisoning and compromised legitimate websites increases the risk of infection for users who rely on search engines and trusted sites, potentially affecting a broad user base including corporate employees. The shift to DLL sideloading techniques can evade traditional endpoint security solutions, increasing the likelihood of successful infections. Cryptocurrency theft via Tor-based malware poses a direct financial threat, especially to organizations and individuals involved in digital asset management. The malware's ability to blend into legitimate traffic and forums complicates detection and response efforts. Disruption of business operations and reputational damage are possible if sensitive data is exfiltrated or systems are compromised. The absence of known exploits in the wild suggests the threat is currently emerging but could escalate, necessitating proactive defense measures.

1. Implement advanced web filtering and DNS security solutions to detect and block SEO poisoning and access to known malicious domains and URLs, including Tor onion services where feasible. 2. Deploy endpoint detection and response (EDR) tools capable of identifying DLL sideloading and anomalous Python script execution to detect and prevent malware execution. 3. Conduct regular threat intelligence updates incorporating the provided indicators of compromise (IOCs) such as IPs, hashes, domains, and URLs to enhance detection capabilities. 4. Educate users on the risks of phishing and suspicious downloads, emphasizing caution with links from search engine results and forums. 5. Monitor network traffic for unusual outbound connections, especially to Tor networks or suspicious C2 infrastructure. 6. Enforce application whitelisting and restrict execution of unauthorized scripts and binaries. 7. Regularly audit and patch web-facing infrastructure to prevent compromise that could facilitate malware distribution. 8. For organizations handling cryptocurrency, implement multi-factor authentication and cold storage practices to reduce theft risk. 9. Collaborate with cybersecurity information sharing groups to stay informed on evolving infostealer tactics and infrastructure.