AhnLab’s Security Intelligence Center (ASEC) has issued a warning about the return of a dangerous infostealer, ACRStealer, which has “evolved” and changed its name to AmateraStealer.

First seen at the beginning of the year, ACRStealer has now undergone a comprehensive upgrade: it can hide itself, bypass monitoring, communicate in ways that are hard to trace, and steal sensitive data. This is a serious threat, especially to individual users and small businesses, who often lack defense in depth.

ACRStealer is sophisticated information-stealing software that uses dead drop resolver (DDR) techniques on Google Docs and Steam to locate its command-and-control (C2) server. It evades detection, handles its HTTP traffic through low-level system calls such as NtCreateFile, and tampers with domain names and IP addresses to confuse network monitoring systems. The new versions use AES-256 encryption together with additional obfuscation and randomization to increase concealment. Its capabilities include stealing cryptocurrency wallet data, login credentials and sensitive documents, and extending the attack through secondary payloads. Most recently, the ACRStealer variant has been renamed AmateraStealer, and it remains one of the most powerful and fastest-adapting infostealer families.

How ACRStealer Works: Before you know it, everything’s stolen.

1. Subtle Hiding with Heaven’s Gate

The new version uses a technique called Heaven’s Gate, which allows the malware to run 64-bit shellcode from a 32-bit process on Windows. This makes it very difficult for conventional monitoring software to detect, as the malicious activity is largely hidden from tools that only inspect the 32-bit side of the process.

2. Skipping the normal libraries and talking to the operating system core directly

Unlike much malware that uses WinHTTP or Winsock to connect to the control server (C2), ACRStealer communicates directly with the system’s Ancillary Function Driver (AFD) using low-level calls such as NtCreateFile and NtDeviceIoControlFile. This can help it bypass firewalls, network monitoring systems, and anti-malware software that rely on hooking or monitoring the higher-level networking APIs.

3. Camouflage the real address with “trusted domain name”

To mislead analysts, the malware pretends to contact reputable websites such as microsoft.com, google.com and facebook.com, but actually connects to other, malicious IP addresses. Monitoring systems see only these “clean” addresses, so the connection is easy to miss.
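As an added example, not taken from the ASEC report or from the malware, here is a defender-side check for the trick described above: a small Python script that reads proxy/firewall log lines and flags connections whose destination IP does not match what the resolver actually returned for the claimed hostname. The log format, the resolved-address table and the process names are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed table of what the organisation's resolver returned for each
# hostname (in practice, fill this from resolver or passive-DNS logs).
# Addresses are from documentation ranges, not real ones.
RESOLVED = {
    "microsoft.com": {"192.0.2.10", "192.0.2.11"},
    "google.com": {"192.0.2.20"},
    "facebook.com": {"192.0.2.30"},
}

# Constructed log lines: timestamp, process, claimed hostname (Host header /
# SNI) and the IP the socket actually connected to.
SAMPLE_LOG = """\
2025-07-24T10:00:01Z proc=msedge.exe host=microsoft.com dst=192.0.2.10 port=443
2025-07-24T10:00:05Z proc=update.exe host=google.com dst=203.0.113.45 port=443
2025-07-24T10:00:09Z proc=chrome.exe host=facebook.com dst=192.0.2.30 port=443
2025-07-24T10:00:12Z proc=update.exe host=microsoft.com dst=198.51.100.7 port=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_mismatches(log_text, resolved):
    """Return records whose destination IP is not among the addresses the
    resolver returned for the hostname the connection claims to be for."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        expected = resolved.get(rec["host"])
        if expected is not None and rec["dst"] not in expected:
            hits.append(rec)
    return hits


def suspicious_processes(hits, min_hosts=2):
    """Processes that spoofed at least `min_hosts` distinct trusted hostnames.
    One mismatch may be a CDN or DNS quirk; several from one binary is a stronger signal."""
    by_proc = defaultdict(set)
    for rec in hits:
        by_proc[rec["proc"]].add(rec["host"])
    return sorted(p for p, hosts in by_proc.items() if len(hosts) >= min_hosts)
```

Run it against real proxy logs with a current resolver table; hostnames not in the table are ignored rather than flagged, so keep the table limited to domains whose addresses you actually record.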

What does ACRStealer steal?

  • Browser logins (Chrome, Edge, Firefox, etc.)
  • Cryptocurrency wallets
  • Cloud accounts (Google Drive, Dropbox)
  • Email, FTP and internal documents
  • It can also install additional malware for long-term control

The new version also encrypts all data sent to the C2 using AES-256, with the encryption key and initialization vector (IV) embedded in the malicious file. Each victim is given a unique endpoint, making it even harder to detect using traditional methods.

With its wide-ranging capabilities of evasion, customization, and information theft, AmateraStealer is currently one of the most dangerous and difficult-to-spot infostealers in the world. It is being distributed mainly through:

  • Fake email attachments
  • Pirated software and cracked games
  • Malicious links in fake advertisements

A report from Proofpoint confirms AmateraStealer is among the most heavily distributed information-stealing malware today.

What does a user need to do to protect themselves?
  • Do not download cracks/keygens from unknown sources; this is the most common channel for spreading malware.
  • Do not download files from direct links to the Steam CDN (e.g., cdn.cloudflare.steamstatic.com, steamusercontent-a.akamaihd.net) if the source is unknown.
  • Don’t open files from unfamiliar emails, even if they look like they come from a government agency, a bank, or a friend.
  • Install genuine software and update it regularly to fix security vulnerabilities.
  • Use antivirus software with behavioral monitoring.
  • Monitor for unusual access to platforms such as Google Docs, Steam and telegra.ph, especially from machines that have no business reason to use them.
  • Track unusual network traffic, especially from applications that make their own outbound connections.
  • Configure firewalls/proxies to block or restrict access to Steam CDN endpoints that do not serve gaming purposes.
ACRStealer’s return and comprehensive upgrades show that attackers are increasingly sophisticated and persistent. You don’t need to be an expert, but a few simple slips, like a wrong click or a wrong installation, can hand all of your personal data to the wrong person.
WhiteHat