New Malware Campaign Uses Cracked Software to Spread Lumma and ACR Stealer


Cybersecurity researchers warn of a new malware campaign that uses cracked software to distribute Lumma and ACR Stealer, with ACR Stealer’s activity surging since January 2025. The malware employs dead drop resolvers, using legitimate services like Steam and Google Forms to extract C2 addresses. Another campaign exploits MSC files, leveraging CVE-2024-43572 (GrimResource) to deliver Rhadamanthys malware. Additionally, attackers are exploiting chat platforms like Zendesk to spread Zhong Stealer. Hudson Rock reports over 30 million infected computers, with stolen credentials being sold for as little as $10 per log, posing severe corporate risks. Threat actors also use ClickFix, directing victims to fake CAPTCHA pages that execute malicious PowerShell commands and deliver malware including I2PRAT, which uses the I2P network for anonymity, making tracking more difficult.
