Google Docs used by infostealer ACRStealer as part of attack
 
[Image: sTASzzb.png]


Malwarebytes Blog reports the infostealer 'ACRStealer' exploiting 'Google Docs' to steal credentials and crypto wallets, extract browser data and FTP credentials, and read all text files. Previously the malware (ACRStealer) was using platforms like 'Steam' and 'telegra.ph'. Now it has shifted to exploit various forms of 'Google Docs' -- Forms and Presentations. This new approach will allow attackers to change the compromised C2 domain, thereby modifying the information within the intermediary C2. Here is the take of Malwarebytes' Pieter Arntz on the threat.
Quote: An infostealer known as ACRStealer is using legitimate platforms like 'Google Docs' as part of an attack, according to researchers.

ACRStealer is a new information-stealing malware often distributed via the tried-and-tested method of downloads posing as cracks and keygens, which are used in software piracy. The infostealer has been around since mid-2024 (as a beta test), but it’s only really taken off in 2025. ACRStealer is capable of:
 
  • Identifying which antivirus solution is on a device
  • Stealing crypto wallets and login credentials
  • Stealing browser information
  • Harvesting File Transfer Protocol (FTP) credentials
  • Reading all text files

With that kind of information, cybercriminals can go after your cryptocurrency and other funds. With the capture of usernames and passwords from web browsers, attackers can access your accounts, including email, social media, and financial services. They may even gather enough personal data to be used for identity theft or sold on the dark web.

What stands out in the recently-found ACRStealer variants is the way they communicate with the command and control (C2) server—a computer which is used to send commands to systems compromised by malware and receive stolen data from a target network. Rather than hard-coding the IP address in the malware, they chose to use a method called Dead Drop Resolver (DDR), where the malware contacts a legitimate platform like Google Docs or Steam to read what the C2 domain is.

This is good for the cybercriminals as it means they can easily change the domain if one gets discontinued, seized, or blocked. All they need to do is update the Google Doc.

And outgoing calls to docs.google.com will not easily trigger an alarm, so it helps in staying under the radar.


Stay safe from the ACRStealer

Like many other information stealers, ACRStealer is operated under the Malware-as-a-Service (MaaS) model, where criminals rent out the malware and the infrastructure to other criminals. That makes it hard to know exactly how to defend yourself.

However, there are some things you can do:
 
  • Stay away from websites offering cracks and keygens
  • Download software from the official publisher wherever possible
  • Don’t click on links in unsolicited communications (email, texts, DMs, etc)
  • Don’t open unverified attachments
  • Use multi-factor authentication (MFA) wherever you can, so even if cybercriminals steal your login details they won’t be able to get into your account
  • Use an active and up-to-date anti-malware solution.

Malwarebytes recognizes new variants of ACRStealer by behavior, which will result in the detection name of Malware.AI.{ID-number}.
 

Info derived and lifted from Malwarebytes with permission
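A detection heuristic for the Dead Drop Resolver (DDR) pattern the post describes, added here as an example; it is not code from the post or from Malwarebytes' research. The idea is the one stated above: the call to docs.google.com itself looks benign, so the signal is a non-browser process fetching an intermediary platform and, shortly afterwards, opening the first connection anyone on the estate has made to a new domain. The proxy log format, every log line, the process name setup_crack.exe and the domains example.com and update-check.example are constructed for the example; steamcommunity.com is an assumed hostname for the "Steam" platform the post mentions.

```python
"""Flag the Dead Drop Resolver (DDR) pattern in proxy logs.

Added example (not from the post or from Malwarebytes). The log format and
all sample lines are constructed; hostnames other than docs.google.com and
telegra.ph are assumptions.
"""
import re
from datetime import datetime, timedelta

# Intermediary platforms named in the post. steamcommunity.com is an assumed
# hostname for "Steam"; the post does not give one.
DDR_HOSTS = {"docs.google.com", "steamcommunity.com", "telegra.ph"}
# Processes expected to talk to these platforms; anything else is suspicious.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
# How soon after the DDR fetch the first contact with the real C2 must occur.
WINDOW = timedelta(seconds=120)

# Constructed log format: "<date> <time> host=<h> proc=<p> dest=<d> path=<u>"
LOG_RE = re.compile(r"^(\S+ \S+) host=(\S+) proc=(\S+) dest=(\S+) path=(\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, dest, path = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "host": host,
        "proc": proc.lower(),
        "dest": dest.lower(),
        "path": path,
    }


def detect_ddr(lines, known_domains=()):
    """Return one alert per (host, process) that fetched a DDR platform and then
    contacted a never-before-seen domain within WINDOW.

    known_domains seeds the baseline of destinations already considered normal;
    in production this would come from historical proxy data.
    """
    seen = {d.lower() for d in known_domains}
    pending = {}   # (host, proc) -> (time of DDR fetch, DDR url)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["proc"])
        if ev["dest"] in DDR_HOSTS:
            if ev["proc"] not in BROWSERS:
                pending[key] = (ev["ts"], ev["dest"] + ev["path"])
        elif key in pending:
            fetched_at, ddr_url = pending[key]
            if ev["ts"] - fetched_at > WINDOW:
                del pending[key]            # too late to be the resolved C2
            elif ev["dest"] not in seen:
                alerts.append({
                    "host": ev["host"],
                    "proc": ev["proc"],
                    "ddr_url": ddr_url,
                    "c2_candidate": ev["dest"],
                    "seconds_after_fetch": (ev["ts"] - fetched_at).total_seconds(),
                })
                del pending[key]
        seen.add(ev["dest"])
    return alerts


# Constructed sample: a browser opening a real document (benign), a "crack"
# reading a Google Form and then calling home two seconds later, and noise.
SAMPLE_LOG = [
    "2025-02-25 10:40:01 host=ws01 proc=chrome.exe dest=docs.google.com path=/document/d/1ExampleDocId/edit",
    "2025-02-25 10:40:05 host=ws01 proc=chrome.exe dest=www.example.com path=/",
    "2025-02-25 10:41:10 host=ws02 proc=setup_crack.exe dest=docs.google.com path=/forms/d/e/1FAIpQLSeExampleFormId/viewform",
    "2025-02-25 10:41:12 host=ws02 proc=setup_crack.exe dest=update-check.example path=/api/v1/gate",
    "2025-02-25 10:42:00 host=ws03 proc=outlook.exe dest=outlook.office365.com path=/owa/",
    "not a log line",
]

if __name__ == "__main__":
    for a in detect_ddr(SAMPLE_LOG):
        print(f"[DDR] {a['host']} {a['proc']} read {a['ddr_url']} then contacted "
              f"{a['c2_candidate']} {a['seconds_after_fetch']:.0f}s later")
```

Run against the constructed lines, the browser visit and the mail client produce nothing, and the crack's Form fetch followed by its first contact with update-check.example produces one alert. Two tuning points matter in practice: seed known_domains from historical proxy data so a long-established destination never looks "new", and extend BROWSERS with any non-browser software that legitimately talks to these platforms (drive sync clients, office add-ins, Steam itself), otherwise each of them becomes a pending candidate.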


Messages In This Thread
Google Docs used by infostealer ACRStealer as part of attack - by jasonX - 25 February 25, 10:42
