October 2025 Infostealer Trend Report

Severity: Medium
Published: Thu Nov 20 2025 (11/20/2025, 14:45:53 UTC)
Source: AlienVault OTX General

Description

The October 2025 Infostealer Trend Report highlights the ongoing and evolving threat posed by Infostealer malware families such as Rhadamanthys, ACRStealer, and LummaC2. Attackers have shifted distribution tactics, increasingly leveraging legitimate websites to evade detection and search engine restrictions, a technique known as SEO poisoning. A notable development is the mass distribution of a new Loader malware employing DLL sideloading to execute malicious payloads stealthily. The report also details changes in LummaC2 distribution patterns and the use of sophisticated disguise and phishing techniques to target companies. These Infostealers aim to exfiltrate sensitive information, posing risks to confidentiality and potentially enabling further attacks. The threat does not require known exploits or zero-day vulnerabilities but relies on social engineering and advanced evasion methods. European organizations are at risk due to the widespread use of affected malware and the targeting of companies via phishing. Mitigation requires proactive detection of DLL sideloading, monitoring for SEO poisoning campaigns, and enhanced phishing defenses.

AI-Powered Analysis

Last updated: 11/20/2025, 22:24:56 UTC

Technical Analysis

This report from October 2025 provides a detailed analysis of Infostealer malware trends, focusing on the distribution volume, methods, and disguise techniques observed by AhnLab's automated detection systems. The most prevalent Infostealers identified are Rhadamanthys, ACRStealer, and LummaC2, which continue to be widely distributed. Attackers have evolved their distribution methods by exploiting legitimate websites to bypass search engine restrictions, a tactic known as SEO poisoning, which increases the likelihood of victims encountering malicious content. A significant trend is the emergence of a new Loader malware that uses DLL sideloading, a technique in which a legitimate executable loads a malicious DLL planted in its search path, so the payload runs under a trusted process and evades detection that relies on the reputation of the signed binary. The report also notes changes in the distribution patterns of LummaC2, indicating adaptive tactics by threat actors. Phishing remains a key vector, with attackers using sophisticated disguise techniques to trick users into executing malware. The malware families involved employ various MITRE ATT&CK techniques such as T1071 (Application Layer Protocol), T1055 (Process Injection), T1102 (Web Service), T1059.001 (PowerShell), T1547.001 (Registry Run Keys/Startup Folder), T1027 (Obfuscated Files or Information), and T1204.001 (User Execution). The campaign does not rely on known exploits but rather on social engineering and advanced evasion, making detection challenging. Indicators of compromise include multiple file hashes and domains associated with the campaign. The threat landscape suggests a medium severity level due to the potential for data theft and operational disruption, combined with the ease of distribution and evasion techniques.

Potential Impact

For European organizations, this threat poses significant risks primarily to confidentiality, as Infostealers aim to exfiltrate sensitive data such as credentials, financial information, and intellectual property. The use of legitimate websites for distribution increases the risk of exposure, especially for organizations with employees who frequently access external web resources. The DLL sideloading Loader malware complicates detection and response, potentially allowing persistent footholds within networks. Phishing campaigns targeting companies can lead to initial compromise, lateral movement, and data breaches. The impact extends to operational integrity if stolen credentials are used for further attacks like ransomware or espionage. Industries with high-value data, such as finance, manufacturing, and logistics, are particularly vulnerable. The evolving tactics indicate that traditional signature-based defenses may be insufficient, requiring enhanced behavioral monitoring and threat intelligence integration. The medium severity reflects a balance between the sophistication of the attack methods and the absence of zero-day exploits, but the widespread distribution and potential for data loss remain concerning.

Mitigation Recommendations

European organizations should implement multi-layered defenses focusing on detection and prevention of DLL sideloading by monitoring for anomalous DLL loads by legitimate executables and employing application whitelisting where feasible. Enhance web filtering and DNS monitoring to detect and block access to domains involved in SEO poisoning campaigns and known malicious infrastructure. Deploy advanced email security solutions with phishing detection capabilities, including user training to recognize sophisticated disguise techniques and social engineering attempts. Utilize endpoint detection and response (EDR) tools to identify process injection and obfuscation behaviors associated with these Infostealers. Regularly update threat intelligence feeds with the provided indicators such as file hashes and domains to enable timely detection. Conduct periodic security assessments and phishing simulations to improve organizational resilience. Restrict use of PowerShell and other scripting environments to trusted administrators and monitor their usage closely. Finally, implement robust credential management and multi-factor authentication to limit the impact of stolen credentials.
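Two of the detections this section asks for, written out as an added example that is not part of the AhnLab report or the OTX pulse: a DLL sideloading heuristic over image-load events (a DLL carrying a Windows system DLL name but loaded from outside the system directories, typically beside the executable that loads it) and IoC matching of DNS queries and process hashes against the indicators listed on this page. It assumes Sysmon-style events flattened to key=value log lines; the field names (Image, ImageLoaded, QueryName, Hashes, Signed) are Sysmon's, while the sample events, the system-DLL inventory and the rule names are constructed for the example.

```python
"""
Added example (not code from the AhnLab report or the OTX pulse): two of the
detections the mitigation section calls for, run over constructed
Sysmon-style log lines.

  * DLL sideloading heuristic (Event ID 7, Image Loaded): a DLL whose file
    name matches a Windows system DLL but is loaded from outside the system
    directories, usually sitting beside the executable that loads it.
  * IoC matching (Event ID 22 DNS query, Event ID 1 process create): domains
    and file hashes compared against the indicators listed on this page.
"""
import re
from pathlib import PureWindowsPath

# Indicators copied from this page's IoC list (a subset; add the remaining
# values the same way). Stored lower-case for case-insensitive matching.
IOC_HASHES = {
    "0223b36e193979cf72ff7dae6d2493c7",
    "046a0e41374a937d30f6984a6b760b17",
    "558e748f99f5ca3c54ad425d2f3a4aa1ad67ca08",
    "177a3e5599e6a845705eba5ffda4b228023e9150b9b100bfed596f48e99c6cbc",
    "239ec64b8c00bdc8603baaf441fc33bb14c14800051cf2d48d80345ff2966d9a",
}
IOC_DOMAINS = {
    "evgshippingline.com",
    "mijnplug.com",
    "jpg.namaramalan.com",
    "www.mirado.website",
}

# Directories from which Windows system DLLs legitimately load.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed inventory of system DLL names. In a real deployment, build this
# set from a directory listing of %SystemRoot%\System32 on a known-good host.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}

# Constructed sample events in flattened key=value form. Field names follow
# Sysmon's schema; every path, hostname and hash pairing below is made up.
SAMPLE_LOG = r"""
EventID=7 Image=C:\Windows\System32\notepad.exe ImageLoaded=C:\Windows\System32\version.dll Signed=true
EventID=7 Image=C:\Users\alice\AppData\Local\Temp\setup\updater.exe ImageLoaded=C:\Users\alice\AppData\Local\Temp\setup\version.dll Signed=false
EventID=7 Image=C:\Program Files\Vendor\app.exe ImageLoaded=C:\Program Files\Vendor\vendorhelper.dll Signed=true
EventID=22 Image=C:\Users\alice\AppData\Local\Temp\setup\updater.exe QueryName=jpg.namaramalan.com
EventID=22 Image=C:\Program Files\Browser\browser.exe QueryName=example.org
EventID=1 Image=C:\Users\alice\Downloads\invoice.exe Hashes=MD5=0223B36E193979CF72FF7DAE6D2493C7,SHA256=177A3E5599E6A845705EBA5FFDA4B228023E9150B9B100BFED596F48E99C6CBC
EventID=1 Image=C:\Windows\System32\calc.exe Hashes=MD5=00000000000000000000000000000000
"""

# key=value pairs; a value runs until the next " key=" or end of line, so
# paths containing spaces (Program Files) and the Sysmon Hashes field survive.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict."""
    return dict(_FIELD_RE.findall(line.strip()))


def sideload_candidate(ev: dict):
    """Return a finding for an Image Loaded event that looks like DLL sideloading."""
    if ev.get("EventID") != "7":
        return None
    dll = PureWindowsPath(ev["ImageLoaded"])
    dll_dir = str(dll.parent).lower() + "\\"
    if dll.name.lower() not in KNOWN_SYSTEM_DLLS or dll_dir.startswith(SYSTEM_DIRS):
        return None
    return {
        "rule": "dll_sideload",
        "image": ev["Image"],
        "dll": ev["ImageLoaded"],
        # Classic sideload layout: the DLL sits next to the loading executable.
        "colocated_with_image": PureWindowsPath(ev["Image"]).parent == dll.parent,
        "dll_signed": ev.get("Signed", "").lower() == "true",
    }


def ioc_match(ev: dict):
    """Return a finding when a DNS query or a process hash hits the IoC lists."""
    if ev.get("EventID") == "22":
        q = ev["QueryName"].lower().rstrip(".")
        for d in IOC_DOMAINS:  # exact match or any subdomain of a listed domain
            if q == d or q.endswith("." + d):
                return {"rule": "ioc_domain", "image": ev["Image"], "domain": q, "ioc": d}
    elif ev.get("EventID") == "1":
        for part in ev.get("Hashes", "").split(","):  # "MD5=..,SHA256=.."
            alg, _, value = part.partition("=")
            if value.lower() in IOC_HASHES:
                return {"rule": "ioc_hash", "image": ev["Image"], "alg": alg, "hash": value.lower()}
    return None


def scan(log_text: str) -> list:
    """Run both detections over every non-empty line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in (sideload_candidate, ioc_match):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Against the constructed log the scan raises three findings: the unsigned version.dll loaded from the user's Temp directory beside its loader, the DNS query for one of the listed domains from that same loader, and the download whose MD5 is on the hash list. The sideload rule is deliberately narrow (name collision outside the system directories); in production it should be fed the host's real System32 inventory and tuned against the organisation's own software, since some legitimate installers ship private copies of system DLLs.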


Technical Details

Author: AlienVault
TLP: white
References: https://asec.ahnlab.com/en/91062
Adversary: null
Pulse Id: 691f29a1fb65b42a9f9f4e0e
Threat Score: null

Indicators of Compromise

Hash

MD5:
0223b36e193979cf72ff7dae6d2493c7
046a0e41374a937d30f6984a6b760b17
145934077f8c72f43714a6dc1567aaa2
158c6462ec5d3c9ea8066e6ee58d8861
1813d31726e022f0ee97c9e278bc3eed

SHA-1:
558e748f99f5ca3c54ad425d2f3a4aa1ad67ca08
7308cc1bf7aef791de90106195c70a310aa6da69
b116f9ac43debc50402950a21025d5da5950f76c
d661e3990c422884a63657d58bdf7d8687714d72
ffbd2a57bb130f76e4418bd70d0cc6c9567dd42b

SHA-256:
177a3e5599e6a845705eba5ffda4b228023e9150b9b100bfed596f48e99c6cbc
239ec64b8c00bdc8603baaf441fc33bb14c14800051cf2d48d80345ff2966d9a
381a973ed8a246d736f14be643616c79e19ea3b32b706ce48148d29492eabb8e
8390aa85c1a686aa5d3384372479044a962b6435223e96b64cd56aa35fe4af08
e0748f6d9af223771ced811be0b904028d73d8e2ca9e399bc08af763866e1d00

Domain

evgshippingline.com
mijnplug.com
jpg.namaramalan.com
www.mirado.website

Threat ID: 691f9295b342c1dca420b68d

Added to database: 11/20/2025, 10:13:41 PM

Last enriched: 11/20/2025, 10:24:56 PM

Last updated: 11/21/2025, 5:44:51 AM
