Threat Actors on the Hunt for Your Information

The NJCCIC has observed an increase in the distribution of infostealing malware. This type of malware is popular among threat actors because of the kind and amount of information it can exfiltrate. Infostealers often have capabilities that allow threat actors to retrieve credentials, financial information, personally identifiable information (PII), messages, emails, and browser data. Some infostealers, like Amatera, can also run secondary payloads.
Several popular infostealers are sold as malware-as-a-service (MaaS). This model lowers the barrier to entry into cybercrime for individuals with limited or no coding skills, as they can purchase the malware via subscription, and it often features user-friendly interfaces. Amatera Stealer, a rebrand of ACR Stealer, has been among the many forms of malware distributed through ClickFix/ClearFake attacks. Despite law enforcement taking down the core infrastructure of Lumma Stealer in early 2025, threat actors have used GitHub comments to trick users into downloading the infostealer, often claiming it is a fix for an undisclosed issue.
Phishing continues to be a common method for tricking users into downloading infostealers. Both XLoader and DarkCloud are delivered in phishing campaigns that use a compressed .rar file which, when extracted, downloads and installs malicious software. Some campaigns start with a downloader, such as GuLoader, which, once installed, retrieves additional malware that the threat actors typically host on Google Drive. A current campaign ends with the download of SnakeKeylogger.
Recommendations
Avoid clicking links and opening attachments in unsolicited emails.

Confirm requests from senders via contact information obtained from verified and official sources.

Only submit account credentials on official websites.

Only download applications and software from official sources.

Maintain robust and up-to-date endpoint detection tools on every endpoint.

Consider leveraging behavior-based detection tools rather than signature-based tools.

If you suspect an account has been compromised, change the account’s password immediately and ensure MFA is enabled for all online accounts.

Review the Don’t Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks. Report other malicious cyber activity to the NJCCIC and the FBI’s IC3.