June 2026 Infostealer Trend Report
During June 2026, multiple infostealer families including Remus, ACRStealer, LummaC2, and Vidar were distributed through SEO poisoning techniques, disguised as illegal software such as cracks and keygens. Attacks utilized EXE files (84.5%) and DLL side-loading (15.5%) methods, with distribution primarily through Mediafire, Mega, and cloud storage platforms. Microsoft Corporation was the most frequently impersonated entity. MacOS environments were targeted through ClickFix techniques and malicious Bash scripts, with one variant dynamically obtaining C2 addresses via Polygon smart contracts. Email-based campaigns distributed AgentTesla and DarkCloud through compressed attachments, with both variants exfiltrating data via SMTP. The stolen credentials pose significant risks for dark web trading and secondary attacks.
Indicators of Compromise
- hash: d15248555e7a2d9c279d219e6587a74fca9c25720194512a2e4b0757f7a63219
- domain: apdhlhs3.xyz
- domain: bduwih8.pro
- domain: johncon.my
- hash: 02c7d78e6c5816f1df250f995a776aa2
- hash: 03663f2f81da94cd204837e4bde772ff
- hash: 03e99ceede013fe1b50a0e06c1f0a02c
- hash: 042db31ea5443d78aeee714556813a28
- hash: 04d91c168c7617c38199983858cfbb4e
- hash: c8c80cde1ae90d6a594980e117977437de97ebb1
- hash: dbe028a59ffe936bce9acb56e9c2db93ef6f84fe
- hash: ac14d191300c2d3aa9f57829b895b7720be1ef3563bace25de731002d52577f7
June 2026 Infostealer Trend Report
Description
During June 2026, multiple infostealer families including Remus, ACRStealer, LummaC2, and Vidar were distributed through SEO poisoning techniques, disguised as illegal software such as cracks and keygens. Attacks utilized EXE files (84.5%) and DLL side-loading (15.5%) methods, with distribution primarily through Mediafire, Mega, and cloud storage platforms. Microsoft Corporation was the most frequently impersonated entity. MacOS environments were targeted through ClickFix techniques and malicious Bash scripts, with one variant dynamically obtaining C2 addresses via Polygon smart contracts. Email-based campaigns distributed AgentTesla and DarkCloud through compressed attachments, with both variants exfiltrating data via SMTP. The stolen credentials pose significant risks for dark web trading and secondary attacks.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://asec.ahnlab.com/en/94486/"]
- Adversary
- null
- Pulse Id
- 6a5775d6071af081378a0eb9
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hashd15248555e7a2d9c279d219e6587a74fca9c25720194512a2e4b0757f7a63219 | — | |
hash02c7d78e6c5816f1df250f995a776aa2 | — | |
hash03663f2f81da94cd204837e4bde772ff | — | |
hash03e99ceede013fe1b50a0e06c1f0a02c | — | |
hash042db31ea5443d78aeee714556813a28 | — | |
hash04d91c168c7617c38199983858cfbb4e | — | |
hashc8c80cde1ae90d6a594980e117977437de97ebb1 | — | |
hashdbe028a59ffe936bce9acb56e9c2db93ef6f84fe | — | |
hashac14d191300c2d3aa9f57829b895b7720be1ef3563bace25de731002d52577f7 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainapdhlhs3.xyz | — | |
domainbduwih8.pro | — | |
domainjohncon.my | — |
Threat ID: 6a58000568715ace438b184a
Added to database: 07/15/2026, 21:47:49 UTC
Last updated: 07/15/2026, 21:47:49 UTC
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.