A new version of ACRStealer has emerged that is much harder to detect and much more dangerous to the systems it targets. This article examines this ACRStealer-type malware. Proofpoint first reported this new version of the Amatera Stealer in early 2025.

It has low-level syscall evasion, encrypted C2 communication over TLS, and the ability to deliver secondary payloads. These are clear signs that the malware is still under active development and remains a maintained threat. ACRStealer is malware-as-a-service (MaaS): it is rented out to different criminal operators who use it in their own campaigns. In this most recent operation, it arrives as the final payload delivered by HijackLoader, a complex loader linked to the PiviGames distribution platform.

The attack starts when users of gaming sites such as Steam, Discord, or Reddit are tricked into clicking a malicious link (hxxps://pivigames .

[Figure: Making an AFD Endpoint with the Object_Attribute Struct (Source: G Data)]

After the handshake, data is sent either in plain text or AES-256 encrypted, depending on a flag set at runtime. The malware has basic resilience: if it cannot reach the C2 server, it waits two seconds and tries again.

[Figure: Creating AFDOpenPacketXX with a TCP IPv4 socket (Source: G Data)]

Security teams should watch for unusual low-level API usage, such as direct NtCreateFile calls and AFD-based network connections, and block the known C2 indicator 157 . .180 . .40 .
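The detection guidance above (direct NtCreateFile opens of the AFD device by non-system processes, followed by outbound connections, plus a C2 blocklist match) can be turned into a simple correlation pass. The following is an added example written for this article and is not code from G Data, Proofpoint, or the malware itself. The pipe-delimited log format, the sample log lines, the small system-process allowlist, and the C2 address 203.0.113.45 (a TEST-NET placeholder standing in for the redacted indicator) are all constructed assumptions; real telemetry (Sysmon, ETW, EDR) needs its own parser.

```python
"""Toy detection pass over constructed endpoint-telemetry lines.

Added example, not part of the original article. The 'ts|k=v|k=v' log
format, the sample lines, the allowlist and the C2 placeholder are invented.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Placeholder C2 indicator (TEST-NET-3 address). The article's real indicator
# is redacted, so substitute your own blocklist here.
KNOWN_C2 = {"203.0.113.45"}

# Processes that legitimately touch \Device\Afd directly. Assumption: this is an
# example allowlist, not an authoritative list; tune it to your environment.
SYSTEM_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
}

_FIELD = re.compile(r"(\w+)=([^|]*)")


@dataclass
class Alert:
    pid: int
    image: str
    reason: str
    detail: str


def parse_line(line: str) -> dict[str, str]:
    """Split 'ts|k=v|k=v|...' into a dict; the first field is the timestamp."""
    ts, _, rest = line.partition("|")
    fields = {k: v for k, v in _FIELD.findall(rest)}
    fields["ts"] = ts
    return fields


def detect(lines: Iterable[str], c2: set[str] = KNOWN_C2) -> list[Alert]:
    """Flag direct AFD opens by non-system images, connections to known C2,
    and connections made by a process that previously bypassed Winsock."""
    alerts: list[Alert] = []
    afd_openers: set[int] = set()
    for raw in lines:
        ev = parse_line(raw)
        pid = int(ev["pid"])
        image = ev["image"]
        if ev["event"] == "NtCreateFile" and ev.get("path", "").lower().startswith(r"\device\afd"):
            # Normal applications reach AFD through Winsock; a user-land binary
            # opening the device by hand is the low-level pattern to hunt for.
            if image.lower() not in SYSTEM_IMAGES:
                afd_openers.add(pid)
                alerts.append(Alert(pid, image, "afd_direct_open", ev["path"]))
        elif ev["event"] == "NetConnect":
            ip = ev["dst"].rsplit(":", 1)[0]
            if ip in c2:
                alerts.append(Alert(pid, image, "known_c2", ev["dst"]))
            elif pid in afd_openers:
                # Outbound traffic from a process that bypassed Winsock earlier.
                alerts.append(Alert(pid, image, "afd_then_connect", ev["dst"]))
    return alerts


# Constructed sample telemetry: one infected-looking process (pid 4321), one
# benign system process (pid 880), one suspicious process without a C2 match.
SAMPLE_LOG = [
    r"2025-03-01T10:00:01Z|pid=4321|image=C:\Users\alice\AppData\Local\Temp\update.exe|event=NtCreateFile|path=\Device\Afd\Endpoint",
    r"2025-03-01T10:00:02Z|pid=4321|image=C:\Users\alice\AppData\Local\Temp\update.exe|event=NetConnect|dst=203.0.113.45:443",
    r"2025-03-01T10:00:03Z|pid=880|image=C:\Windows\System32\svchost.exe|event=NtCreateFile|path=\Device\Afd\Endpoint",
    r"2025-03-01T10:00:04Z|pid=880|image=C:\Windows\System32\svchost.exe|event=NetConnect|dst=192.0.2.10:443",
    r"2025-03-01T10:00:05Z|pid=5100|image=C:\Users\alice\Downloads\tool.exe|event=NtCreateFile|path=\Device\Afd\Endpoint",
    r"2025-03-01T10:00:06Z|pid=5100|image=C:\Users\alice\Downloads\tool.exe|event=NetConnect|dst=198.51.100.7:8443",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"pid={a.pid} {a.reason}: {a.image} -> {a.detail}")
```

Running the block prints four alerts: two for pid 4321 (direct AFD open, then a connection to the placeholder C2), none for svchost.exe, and two for pid 5100, whose connection to an unknown address is still surfaced because the same process had already opened AFD directly. The allowlist is the weak point of this logic: a stealer injected into an allowlisted system process would be missed, so treat the AFD-open signal as one input to correlation rather than a standalone verdict.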