
May 2025 Infostealer Trend Report

Severity: Medium
Published: Wed Jun 18 2025 (06/18/2025, 17:46:12 UTC)
Source: AlienVault OTX General

Description

This analysis examines the distribution trends of Infostealer malware in May 2025. It highlights the use of SEO poisoning to distribute malware disguised as cracks and keygens. LummaC2, Vidar, StealC, Rhadamanthys, and Amadey were the main Infostealers observed. Distribution methods included posts on legitimate websites, forums, and Q&A pages. Malware was primarily distributed in EXE format (95.4%), with DLL side-loading falling to 4.6%. Notable trends include the emergence of BAT script malware, use of the Wormhole file-sharing service for distribution, and the use of Unicode characters in archive passwords to defeat automated scanning. The report provides insights into distribution volumes, methods, and disguises based on data collected and analyzed by AhnLab's security systems.

AI-Powered Analysis

AILast updated: 06/18/2025, 20:03:35 UTC

Technical Analysis

The May 2025 Infostealer Trend Report details the distribution and characteristics of Infostealer campaigns observed during May 2025. The families named are LummaC2, Vidar, StealC, Rhadamanthys, and Amadey, which harvest credentials, financial data, and system details from infected hosts and send them to attacker-controlled infrastructure.

The main distribution vector is SEO poisoning: threat actors push pages offering software cracks and keygens to the top of search results, so that a user looking for pirated software downloads the malware themselves. Download links are also seeded in posts on legitimate websites, forums, and Q&A pages, which lends them credibility.

Payloads were overwhelmingly native executables (95.4% EXE). DLL side-loading, in which a malicious DLL is placed beside a legitimate signed executable that loads it by name, fell to 4.6%; its appeal is that the malicious code runs inside a trusted, signed process, which weakens reputation-based and signature-based detection.

Three newer developments are called out. BAT script malware uses the Windows command shell as a dropper or launcher stage. Payloads are hosted on the Wormhole file-sharing service, a legitimate end-to-end encrypted service with expiring links, so the download comes from a domain that reputation filters are unlikely to block and the link itself gives URL scanners little to inspect. Archive passwords now include Unicode characters; the likely aim is to defeat automated analysis, since a sandbox or gateway that unpacks password-protected archives may fail on a non-ASCII password and never scan the payload inside.

Taken together, the campaigns combine social engineering, technical evasion, and a spread of hosting channels to maximize infection rates.
The inclusion of multiple MITRE ATT&CK techniques such as T1140 (Deobfuscate/Decode Files or Information), T1036 (Masquerading), T1059.001 (PowerShell), T1566 (Phishing), T1027 (Obfuscated Files or Information), T1059.003 (Windows Command Shell), T1574.002 (DLL Side-Loading), and T1204.001 (User Execution) illustrates the multi-faceted approach attackers use to infiltrate and maintain control over victim systems.
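The following triage script is an added example, not code from the report, AhnLab or AlienVault. It turns the techniques listed above into four host-level heuristics a detection engineer could run over EDR telemetry: a lure-named executable run from a download location (T1204/T1036), cmd.exe launching a batch file from a user-writable path (T1059.003), an archiver invoked with a non-ASCII password, and a signed process loading a DLL from its own user-writable directory (T1574.002). The event records, their field names, the paths and the sample password are constructed for the example and are not indicators from the report.

```python
"""Triage heuristics for the delivery chain described above.

Added example, not code from the report, AhnLab or AlienVault. The event records
are constructed to resemble EDR process-creation and image-load telemetry; the
field names, paths and sample password are assumptions of this example.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Lure names the report associates with SEO poisoning (cracks, keygens and similar).
LURE_RE = re.compile(r"crack|keygen|patch|activat|serial|loader", re.I)

# Locations where a user-downloaded payload typically lands. A DLL loaded from
# here beside a signed EXE is the classic side-loading shape (T1574.002).
USER_WRITABLE_RE = re.compile(
    r"[a-z]:\\users\\[^\\]+\\(?:downloads|desktop|appdata\\local\\temp)\\", re.I
)

ARCHIVERS = {"7z.exe", "7zg.exe", "winrar.exe", "rar.exe", "unrar.exe"}


@dataclass
class Event:
    kind: str             # "process" or "image_load"
    image: str            # process image (process) or loaded module (image_load)
    cmdline: str = ""     # process events only
    process: str = ""     # image_load events: the loading process image
    signed: bool = False  # image_load events: signing status of the loading process


@dataclass
class Finding:
    technique: str
    reason: str
    subject: str


def extract_password_arg(cmdline: str) -> Optional[str]:
    """Return the value of a 7-Zip/WinRAR style -p<password> switch, or None."""
    m = re.search(r'(?:^|\s)-p(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def triage(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        name = PureWindowsPath(ev.image).name.lower()
        in_user_dir = bool(USER_WRITABLE_RE.search(ev.image))
        if ev.kind == "process":
            # 1. Lure-named binary run from a download location (T1204, T1036).
            if in_user_dir and LURE_RE.search(name):
                findings.append(Finding("T1204/T1036", "lure-named executable run from user-writable path", ev.image))
            # 2. cmd.exe running a .bat from a user-writable path (T1059.003).
            if name == "cmd.exe" and re.search(r"\.bat\b", ev.cmdline, re.I) and USER_WRITABLE_RE.search(ev.cmdline):
                findings.append(Finding("T1059.003", "batch script launched from user-writable path", ev.cmdline))
            # 3. Archiver given a password containing non-ASCII characters: the
            #    Unicode-password lure the report calls out (filed under T1027).
            if name in ARCHIVERS:
                pwd = extract_password_arg(ev.cmdline)
                if pwd and any(ord(c) > 127 for c in pwd):
                    findings.append(Finding("T1027", f"archive opened with non-ASCII password {pwd!r}", ev.cmdline))
        elif ev.kind == "image_load":
            # 4. Signed process loading a DLL from its own user-writable directory (T1574.002).
            same_dir = str(PureWindowsPath(ev.process).parent).lower() == str(PureWindowsPath(ev.image).parent).lower()
            if ev.signed and in_user_dir and name.endswith(".dll") and same_dir:
                findings.append(Finding("T1574.002", "signed EXE loading a DLL from its own user-writable directory", ev.image))
    return findings


# Constructed telemetry for a single host; not from the report.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\alice\Downloads\Photoshop_2025_Crack\Setup_Crack.exe",
          cmdline=r'"C:\Users\alice\Downloads\Photoshop_2025_Crack\Setup_Crack.exe"'),
    Event("process", r"C:\Windows\System32\cmd.exe",
          cmdline=r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\run.bat"'),
    Event("process", r"C:\Program Files\7-Zip\7z.exe",
          cmdline='7z.exe x "C:\\Users\\alice\\Downloads\\setup.zip" -p"\u5bc6\u78bc2025" -oC:\\Users\\alice\\Downloads\\setup'),
    Event("image_load", r"C:\Users\alice\Downloads\setup\msvcp140.dll",
          process=r"C:\Users\alice\Downloads\setup\updater.exe", signed=True),
    Event("process", r"C:\Program Files\Git\cmd\git.exe", cmdline="git.exe status"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.technique:<12} {f.reason}: {f.subject}")
```

Each heuristic is deliberately narrow so that it can be tuned on its own: the side-loading rule, for instance, only fires when the DLL sits in the same user-writable directory as a signed host, which is the shape the report describes, and the lure-name list is a starting point to extend from local telemetry rather than a complete vocabulary.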

Potential Impact

For European organizations the impact of these campaigns can be significant. Stolen credentials give attackers a foothold on corporate networks and enable financial fraud, intellectual property theft, and reputational damage; session cookies, which infostealers routinely collect alongside passwords, can be replayed to bypass MFA. Organizations whose staff may look for cracks or keygens are the most exposed, because SEO poisoning puts the lure in front of exactly that audience, and seeding downloads on legitimate websites and forums spreads the exposure across sectors. DLL side-loading hides the malicious code inside a signed host process, and BAT droppers give the attacker a flexible staging step; both complicate detection and clean-up and can let an infection persist unnoticed. Password-protected archives with Unicode passwords can stop automated sandboxes from unpacking the payload, so a sample may reach the user unscanned. The medium severity rating reflects the trade-off between the breadth and evasiveness of the campaigns and their dependence on the user downloading and running the file; the variety of families and channels makes this a persistent rather than a one-off threat to business operations and data across Europe.

Mitigation Recommendations

1. Block access to known malicious domains and SEO-poisoned URLs with web filtering and protective DNS, and categorically block sites offering cracks, keygens, or pirated software rather than chasing individual domains.
2. Educate employees about the risks of downloading and running unauthorized software, with concrete examples of SEO poisoning and of lures posted on otherwise legitimate forums and Q&A sites.
3. Deploy endpoint detection and response (EDR) rules for obfuscated scripts, DLL side-loading (a DLL loaded by a signed executable from a user-writable directory), and cmd.exe running batch files from download or temp directories.
4. Enhance email security with sandboxing and attachment scanning to catch phishing attempts and malicious payloads.
5. Regularly update and patch all software and operating systems to reduce the attack surface.
6. Use multi-factor authentication (MFA) to limit the value of stolen passwords, but note that infostealers also take session cookies; pair MFA with short session lifetimes and revoke sessions when a host is suspected of compromise.
7. Monitor network traffic for unusual outbound connections that may indicate data exfiltration.
8. A scanner cannot inspect the contents of an encrypted archive without its password, whatever the character set. Treat password-protected archives from untrusted sources as suspicious by default, and when one must be analyzed, extract it in a sandbox with an archiver that accepts non-ASCII passwords, pasting the password from the lure rather than retyping it.
9. Restrict execution of scripts and unsigned executables with application allowlisting (AppLocker or WDAC) and Group Policy, so that a downloaded EXE or BAT file in a user-writable directory does not run.
10. Collaborate with threat intelligence providers to stay current on Infostealer hashes and indicators of compromise (IOCs). Hashes change with every build, so pair hash matching with the behavioural detections above.


Technical Details

Author
AlienVault
TLP
WHITE
References
["https://asec.ahnlab.com/en/88476"]
Adversary
null
Pulse Id
6852fb64cea8285f2988ba8b
Threat Score
null

Indicators of Compromise

Hash

MD5
004c10450f71260bfaecf6af97412749
00d9c70434cdf4d83dd9b98e644597fa
09825dd40ba8ba3c1ce240e844d650a8
119a118372a79cfd77a033c852bd3f90
13a137bd40d2e80631643edb02c1c3ec

SHA-1
2e83c4ee2a8f68df5dada72f7cc5ae0eb857c023
33fdb830d5dedb058654725035c904c85180269d
3455a11cc4e698c4fc931bf822920972192577dc

SHA-256
1cefa4d9f9015053c21d2baccb1d95dad2240c8de0dc630fdbc94fbeddf192e3
9d153a59f7a0c6d457f71d0643fef5e3c60984c2da3564e9236fe6df834f1b60
e18a8c681f7f2876a5a4d2f550cc63d4ff25c05ab942d80c4d3a71dce497d4ba
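The IOC list mixes MD5, SHA-1 and SHA-256 digests without labels, and the feed export glues a "hash" prefix onto each value. The script below is an added example, not code from the report, AhnLab or AlienVault: it normalises the list as exported, sorts the digests by algorithm from their length, hashes a set of files with all three algorithms and reports matches. The IOC values are the ones published on this page; the file contents and the extra matching IOC are constructed so the matcher runs offline.

```python
"""Match files against the hash IOCs published with this report.

Added example, not code from the report, AhnLab or AlienVault. REPORT_IOCS
holds the values as exported on this page (including the feed's "hash" prefix,
which the normaliser strips); the file contents are constructed.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Set, Tuple

REPORT_IOCS = [
    "hash004c10450f71260bfaecf6af97412749",
    "hash00d9c70434cdf4d83dd9b98e644597fa",
    "hash09825dd40ba8ba3c1ce240e844d650a8",
    "hash119a118372a79cfd77a033c852bd3f90",
    "hash13a137bd40d2e80631643edb02c1c3ec",
    "hash2e83c4ee2a8f68df5dada72f7cc5ae0eb857c023",
    "hash33fdb830d5dedb058654725035c904c85180269d",
    "hash3455a11cc4e698c4fc931bf822920972192577dc",
    "hash1cefa4d9f9015053c21d2baccb1d95dad2240c8de0dc630fdbc94fbeddf192e3",
    "hash9d153a59f7a0c6d457f71d0643fef5e3c60984c2da3564e9236fe6df834f1b60",
    "hashe18a8c681f7f2876a5a4d2f550cc63d4ff25c05ab942d80c4d3a71dce497d4ba",
]

# Hex digest length identifies the algorithm; the feed does not label them.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_iocs(values: Iterable[str]) -> Dict[str, Set[str]]:
    """Group IOC strings by algorithm. Tolerates a leading "hash" label (safe to
    strip: 'h' and 's' are not hex digits, so no real digest starts that way),
    surrounding whitespace and mixed case; anything else is skipped."""
    grouped: Dict[str, Set[str]] = {a: set() for a in HEX_LEN_TO_ALGO.values()}
    for raw in values:
        v = raw.strip().lower()
        if v.startswith("hash"):
            v = v[4:]
        algo = HEX_LEN_TO_ALGO.get(len(v))
        if algo and re.fullmatch(r"[0-9a-f]+", v):
            grouped[algo].add(v)
    return grouped


def digests(data: bytes) -> Dict[str, str]:
    """All three digests of one file, since the IOC list mixes algorithms.
    usedforsecurity=False keeps MD5/SHA-1 available on FIPS-enforcing hosts."""
    return {a: hashlib.new(a, data, usedforsecurity=False).hexdigest()
            for a in HEX_LEN_TO_ALGO.values()}


def match_files(files: Dict[str, bytes], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (filename, algorithm, digest) for every file whose digest is an IOC."""
    hits = []
    for name, data in files.items():
        for algo, hexval in digests(data).items():
            if hexval in iocs.get(algo, set()):
                hits.append((name, algo, hexval))
    return hits


# Constructed file contents, not real samples.
CONSTRUCTED_FILES = {
    "Setup_Crack.exe": b"MZ" + b"\x90" * 64 + b"constructed stand-in for a downloaded executable",
    "readme.txt": b"Password: 2025\n",
}

# A constructed IOC matching one of the files, carrying the same "hash" prefix
# the feed used, so the full pipeline (normalise, hash, match) runs offline.
CONSTRUCTED_IOC = "hash" + hashlib.sha256(CONSTRUCTED_FILES["Setup_Crack.exe"]).hexdigest()

if __name__ == "__main__":
    iocs = normalize_iocs(REPORT_IOCS + [CONSTRUCTED_IOC])
    for name, algo, hexval in match_files(CONSTRUCTED_FILES, iocs):
        print(f"HIT {name} {algo}={hexval}")
```

Against the published list alone the constructed files produce no hits, which is the expected result for a clean host; the point of the constructed IOC is to prove the match path works before the script is pointed at real downloads. Hash matching only catches the exact builds AhnLab saw, so it belongs beside behavioural detection rather than in place of it.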

Threat ID: 685317a933c7acc046074f40

Added to database: 6/18/2025, 7:46:49 PM

Last enriched: 6/18/2025, 8:03:35 PM

Last updated: 8/18/2025, 10:13:35 AM
