
June 2025 Infostealer Trend Report

Severity: Medium
Published: Wed Jul 16 2025 (07/16/2025, 16:10:15 UTC)
Source: AlienVault OTX General

Description

This analysis provides insights into Infostealer malware trends observed in June 2025. The data, collected through various automated systems, reveals changes in distribution methods and malware types. While LummaC2 has been dominant, June saw increased activity from Rhadamanthys, ACRStealer, Vidar, and StealC. A new variant of ACRStealer emerged, using advanced techniques like HTTP host domain spoofing and anti-analysis methods. Distribution via crack disguises decreased, with 94.4% in EXE format and 5.6% using DLL-SideLoading. A unique malware type was observed, creating an uncontrollable window prompting browser updates. Some samples now hide compression passwords in image files, indicating evolving evasion tactics.

AI-Powered Analysis

Last updated: 07/16/2025, 20:17:08 UTC

Technical Analysis

The June 2025 Infostealer Trend Report highlights evolving trends in the deployment and sophistication of infostealer malware families. Infostealers are malicious programs designed to covertly extract sensitive information such as credentials, cookies, autofill data, and system details from infected hosts. The report identifies several prominent malware strains active in June 2025, including LummaC2, Rhadamanthys, ACRStealer, Vidar, and StealC. Notably, a new variant of ACRStealer has emerged, employing advanced evasion techniques such as HTTP host domain spoofing to disguise its network communications and anti-analysis methods to hinder detection and reverse engineering.

The distribution methods have shifted away from crack-based disguises, with 94.4% of samples delivered as standalone executable (EXE) files and 5.6% leveraging DLL side-loading, a technique in which a malicious DLL is loaded by a legitimate application to evade detection. A unique malware behavior was observed where an uncontrollable window prompts users to update their browsers, likely a social engineering tactic to induce user interaction or distract from malicious activity. Additionally, some malware samples now embed compression passwords within image files, an evasion tactic that hides the key needed to unpack the payload in an innocuous-looking file so that static and heuristic scanners see nothing suspicious.

The malware families use a range of MITRE ATT&CK techniques, including credential dumping (T1555), process injection (T1055), discovery (T1082, T1087), command execution (T1059), and persistence mechanisms (T1547.001). Although no known exploits in the wild are reported, the evolving sophistication and distribution methods indicate a persistent threat landscape. The report underscores the importance of monitoring these malware families and adapting detection and mitigation strategies accordingly.

Potential Impact

For European organizations, the proliferation of these infostealer malware strains poses significant risks to the confidentiality and integrity of sensitive data, including employee credentials, financial information, and intellectual property. The use of advanced evasion techniques complicates detection, increasing the likelihood of prolonged undetected breaches. Credential theft can lead to lateral movement within networks, enabling attackers to escalate privileges and access critical systems. The DLL side-loading technique and executable-based distribution increase the attack surface, potentially affecting a wide range of endpoints. The social engineering tactic of prompting browser updates may lead to user interaction that facilitates further compromise. Given Europe's stringent data protection regulations such as GDPR, breaches involving personal data can result in severe legal and financial penalties. Additionally, the theft of corporate secrets or disruption caused by malware can affect business continuity and reputation. The medium severity rating reflects the moderate ease of exploitation combined with a potentially high impact on confidentiality and operational integrity if infections are successful.

Mitigation Recommendations

European organizations should implement multi-layered defenses tailored to the evolving tactics observed in this campaign. Specific recommendations include:

1) Deploy advanced endpoint detection and response (EDR) solutions capable of detecting DLL side-loading and process injection behaviors.
2) Monitor network traffic for anomalies such as HTTP host domain spoofing and unusual outbound connections to known C2 infrastructure associated with these malware families.
3) Implement strict application whitelisting to prevent execution of unauthorized EXE files and DLLs.
4) Conduct regular user awareness training focused on recognizing social engineering tactics, including fake browser update prompts.
5) Utilize threat intelligence feeds to update detection signatures with the provided malware hashes and indicators of compromise.
6) Enforce least privilege principles and multi-factor authentication to limit the impact of credential theft.
7) Scan and analyze image files and compressed archives for hidden payloads or embedded passwords using specialized forensic tools.
8) Maintain up-to-date patching of operating systems and applications to reduce exploitation vectors.
9) Employ behavioral analytics to detect suspicious process and file activities indicative of infostealer operations.
10) Establish incident response plans that include rapid containment and forensic analysis upon detection of these malware families.
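Recommendation 7 asks for image files to be checked for embedded passwords or payloads. The report does not say where in the image the password is stored, so this added example (not from the report or from AhnLab) assumes the two places a PNG decoder silently tolerates, text chunks and bytes appended after the IEND chunk, and also flags CRC mismatches and truncated chunks. The sample image and the "password" string are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = (b"tEXt", b"zTXt", b"iTXt")

def _chunk(ctype: bytes, data: bytes) -> bytes:
    # One PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type + data.
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample(append: bytes = b"", text: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG, optionally with a tEXt chunk and appended data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    if text:
        png += _chunk(b"tEXt", text)
    return png + _chunk(b"IEND", b"") + append

def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list; flag text chunks, CRC mismatches, truncation and
    any bytes that follow IEND (an image viewer ignores them, a dropper need not)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    report = {"text_chunks": [], "bad_crc": [], "trailing_bytes": 0, "truncated": False}
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):  # declared chunk length runs past the end of the file
            report["truncated"] = True
            break
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            report["bad_crc"].append(ctype.decode("latin-1"))
        if ctype in TEXT_CHUNKS:
            report["text_chunks"].append(data)
        pos = end
        if ctype == b"IEND":
            report["trailing_bytes"] = len(blob) - pos
            break
    return report

if __name__ == "__main__":
    sample = build_sample(append=b"PK\x03\x04" + b"A" * 40,
                          text=b"Comment\x00constructed-sample-password")
    print(inspect_png(sample))
```

A non-zero `trailing_bytes` or any text chunk on an image that arrived inside a malware delivery chain is worth a closer look; a clean PNG reports zero and an empty list.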


Technical Details

Author: AlienVault
TLP: white
References: https://asec.ahnlab.com/en/89033
Adversary: null
Pulse Id: 6877cee76da84ce9db22b91e
Threat Score: null

Indicators of Compromise

Hash


Threat ID: 68780518a83201eaacde1699

Added to database: 7/16/2025, 8:01:28 PM

Last enriched: 7/16/2025, 8:17:08 PM

Last updated: 7/17/2025, 12:38:45 PM
