
Cyware Daily Threat Intelligence, February 19, 2025


Daily Threat Briefing Feb 19, 2025

Cybercriminals are luring victims with the promise of free software, but the price is your data. ASEC has observed a surge in ACRStealer infections, often disguised as cracks and keygens. The malware uses a Dead Drop Resolver technique, hiding its C2 address within Google Docs. It targets browser data, cryptocurrency wallets, and VPN credentials, feeding stolen information back to its operators.

Firefox and Thunderbird users, update now. CERT-In has flagged multiple high-severity vulnerabilities in Mozilla products, which could allow attackers to spoof identities, steal sensitive data, or cause DoS attacks. Users are urged to upgrade immediately to patch these flaws before threat actors exploit them.

Snake Keylogger isn’t going away - it’s evolving. Researchers uncovered a new, more advanced version that has already triggered 280 million blocked infection attempts globally. This info-stealer thrives on phishing emails, using AutoIt scripting to evade antivirus detection and harvesting credentials from popular browsers.

Top Malware Reported in the Last 24 Hours

ACRStealer info-stealer exploits Google Docs

ASEC has observed an increase in the distribution of the ACRStealer info-stealer, which is often disguised as illegal software such as cracks and keygens. The malware uses a technique called Dead Drop Resolver (DDR) to obtain its actual C2 domain address from a legitimate intermediary, with Google Docs being a common intermediary C2 platform. It targets data including browser data, cryptocurrency wallet files, and VPN information, which are then transmitted to the C2.
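Because a Dead Drop Resolver hides the C2 address on a service that cannot simply be blocked, the useful detection signal is not the destination but which process on the endpoint contacts it. The following is an added example, not ASEC's or Cyware's code: it reads constructed process-aware egress log lines in an assumed `key=value` format, flags requests to the DDR host from non-browser processes, and pivots on the document ID so that the same document fetched from several hosts by unexpected binaries stands out.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example): one process-aware
# egress record per line, as an EDR or forward proxy might emit it.
LOG_LINE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)
DOC_ID = re.compile(r"/document/d/([^/?]+)")

# Processes expected to talk to Google Docs. Anything else reaching the
# DDR host deserves a look, since the domain itself is legitimate.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe"}
DDR_HOSTS = {"docs.google.com"}  # the intermediary named in the brief

# Constructed sample records; hostnames, process names and document IDs are made up.
SAMPLE_LOGS = """\
2025-02-19T09:12:03Z host=WS01 proc=chrome.exe dst=docs.google.com path=/document/d/abc123/edit
2025-02-19T09:12:05Z host=WS01 proc=setup_crack.exe dst=docs.google.com path=/document/d/abc123/edit
2025-02-19T09:12:06Z host=WS02 proc=firefox.exe dst=docs.google.com path=/document/d/def456/edit
2025-02-19T09:13:10Z host=WS03 proc=keygen.exe dst=docs.google.com path=/document/d/abc123/edit
2025-02-19T09:13:11Z host=WS03 proc=keygen.exe dst=example.net path=/
"""


def parse_lines(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def flag_ddr_lookups(records):
    """Return records where a non-browser process contacted a DDR host."""
    return [r for r in records
            if r["dst"] in DDR_HOSTS and r["proc"].lower() not in BROWSERS]


def pivot_by_document(flagged):
    """Group flagged records by Google Docs document ID -> {(host, process), ...}."""
    docs = defaultdict(set)
    for r in flagged:
        m = DOC_ID.search(r["path"])
        if m:
            docs[m.group(1)].add((r["host"], r["proc"]))
    return dict(docs)


if __name__ == "__main__":
    hits = flag_ddr_lookups(parse_lines(SAMPLE_LOGS))
    for r in hits:
        print(f"{r['ts']} {r['host']} {r['proc']} -> {r['dst']}{r['path']}")
    for doc, origins in pivot_by_document(hits).items():
        print(f"document {doc} fetched by {len(origins)} non-browser origin(s): {sorted(origins)}")
```

The browser allow-list is the weak point of this rule: a stealer injected into a browser process would not be flagged, so in practice this is a first-pass triage filter to be paired with process-ancestry and file-origin checks rather than a standalone detection.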

Rhadamanthys delivered via MSC extension

ASEC confirmed that the Rhadamanthys info-stealer is being distributed as a file with the MSC extension, an XML-based format that runs through the Microsoft Management Console (MMC). There are two types of MSC malware: one that exploits a vulnerability in apds.dll (CVE-2024-43572) and another that uses the Console Taskpad to run commands. MSC malware distribution has increased since June 2024, with the apds.dll-exploiting type being the most common. The recently discovered MSC file uses the Console Taskpad, allowing it to execute commands from within MMC.
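Since an MSC file is XML, a triage step for the Console Taskpad variant is to parse the file and list any taskpad task that launches a command line before anyone opens it in MMC. The script below is an added example and not ASEC's tooling; the element names it looks for (`ConsoleTaskpad`, `Tasks`, `Task` with `Type="CommandLine"`, `Command`, `Parameters`, `Directory`) are an assumed layout for illustration, not an authoritative MSC schema, and the embedded sample is constructed with a harmless command.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample MSC. The element names are an assumed layout for this
# example; adjust them to the real files you triage.
SAMPLE_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <ConsoleTaskpads>
    <ConsoleTaskpad ID="{11111111-2222-3333-4444-555555555555}">
      <Tasks>
        <Task Type="CommandLine">
          <Command>cmd.exe</Command>
          <Parameters>/c echo constructed-sample</Parameters>
          <Directory>C:\\Windows\\System32</Directory>
        </Task>
        <Task Type="Navigation">
          <Command>Console Root</Command>
        </Task>
      </Tasks>
    </ConsoleTaskpad>
  </ConsoleTaskpads>
</MMC_ConsoleFile>
"""


@dataclass
class TaskpadTask:
    taskpad_id: str
    task_type: str
    command: str
    parameters: str
    directory: str


def extract_tasks(xml_text):
    """Walk every ConsoleTaskpad and return its Task entries as TaskpadTask objects."""
    root = ET.fromstring(xml_text)
    tasks = []
    for pad in root.iter("ConsoleTaskpad"):
        for task in pad.iter("Task"):
            tasks.append(TaskpadTask(
                taskpad_id=pad.get("ID", ""),
                task_type=task.get("Type", ""),
                command=(task.findtext("Command") or "").strip(),
                parameters=(task.findtext("Parameters") or "").strip(),
                directory=(task.findtext("Directory") or "").strip(),
            ))
    return tasks


def command_tasks(xml_text):
    """Only the tasks that would spawn a command line when clicked in MMC."""
    return [t for t in extract_tasks(xml_text) if t.task_type.lower() == "commandline"]


def triage(xml_text):
    """Verdict dict: parse status, command-line tasks found, and a suspicious flag.
    A file that is not well-formed XML is reported rather than raised."""
    try:
        cmds = command_tasks(xml_text)
    except ET.ParseError as exc:
        return {"parsed": False, "error": str(exc), "command_tasks": [], "suspicious": False}
    return {"parsed": True, "error": "", "command_tasks": cmds, "suspicious": bool(cmds)}


if __name__ == "__main__":
    verdict = triage(SAMPLE_MSC)
    print(f"parsed={verdict['parsed']} suspicious={verdict['suspicious']}")
    for t in verdict["command_tasks"]:
        print(f"  taskpad {t.taskpad_id}: {t.command} {t.parameters} (cwd {t.directory})")
```

A legitimate admin console can also carry command-line tasks, so the flag is a reason to inspect the command and parameters, and the same parser makes it easy to add a second check for the apds.dll variant once you know which element references that library.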

New Snake Keylogger variant identified

A new, advanced version of the Snake Keylogger malware has been discovered, which has led to over 280 million blocked infection attempts globally. The malware is primarily spread through phishing emails with malicious links or attachments, collects data by capturing keystrokes and extracting credentials from popular browsers, and transmits this data to C2 servers via encrypted channels. It also uses AutoIt scripting to evade antivirus detection. The threat is global, with the highest concentrations of infection reported in China, Turkey, Indonesia, Taiwan, and Spain.

Top Vulnerabilities Reported in the Last 24 Hours

CISA releases two ICS advisories

CISA heightened its cybersecurity warnings, issuing two ICS advisories about vulnerabilities in Delta Electronics’ CNCSoft-G2 and Rockwell Automation’s GuardLogix controllers. The advisories, ICSA-24-191-01 and ICSA-25-035-02, highlight serious flaws that could allow remote code execution and DoS attacks. The CNCSoft-G2 software has six critical vulnerabilities that could lead to code execution and loss of system control. The GuardLogix controllers are at risk of DoS attacks due to improper exception handling.

High-severity bugs in Firefox and Thunderbird

CERT-In released a vulnerability note (CIVN-2025-0016) concerning several high-severity vulnerabilities in Mozilla products, including Firefox and Thunderbird. These issues may enable remote attackers to spoof identities, disclose sensitive information, execute arbitrary code, or trigger DoS attacks. Affected versions include Mozilla Firefox versions prior to 135, Mozilla Firefox ESR versions prior to 115.20 and 128.7, Mozilla Thunderbird versions before 135, and Mozilla Thunderbird ESR versions prior to 128.7.
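The version thresholds above are easy to misapply because the release and ESR channels number differently and ESR has two live branches. The following is an added example, not CERT-In's or Mozilla's code, that turns the four thresholds from the note into a check over a constructed software inventory; the product keys (`firefox`, `firefox-esr`, `thunderbird`, `thunderbird-esr`) and the inventory format are assumptions of this example, and the caller is responsible for supplying the correct channel.

```python
import re

# Fixed versions as stated in CIVN-2025-0016 (per the brief). Release and
# ESR channels are separate keys because their version lines differ.
FIXED_VERSIONS = {
    "firefox": [(135,)],
    "firefox-esr": [(115, 20), (128, 7)],
    "thunderbird": [(135,)],
    "thunderbird-esr": [(128, 7)],
}

# Constructed inventory: (host, product, installed version). Hostnames are made up.
SAMPLE_INVENTORY = [
    ("WS01", "firefox", "134.0.2"),
    ("WS02", "firefox", "135.0"),
    ("SRV01", "firefox-esr", "115.19.0esr"),
    ("SRV02", "firefox-esr", "128.7.0esr"),
    ("WS03", "thunderbird-esr", "128.6.0esr"),
]


def parse_version(version):
    """'128.7.0esr' -> (128, 7, 0); trailing channel tags such as 'esr' or 'b3' are dropped."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"unparseable version component {piece!r} in {version!r}")
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(product, version):
    """True when the installed version is prior to the fix for its branch.
    Tuple comparison handles extra components: (128, 7, 0) is not < (128, 7)."""
    v = parse_version(version)
    fixes = FIXED_VERSIONS[product]
    # Compare against the fix on the installed branch (same major). A version
    # on no listed branch is either older than the lowest fix or newer than all of them.
    same_branch = [f for f in fixes if f[0] == v[0]]
    threshold = same_branch[0] if same_branch else min(fixes)
    return v < threshold


def triage_inventory(inventory):
    """Annotate each inventory row with the affected verdict."""
    return [{"host": h, "product": p, "version": ver, "affected": is_affected(p, ver)}
            for h, p, ver in inventory]


if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        state = "UPDATE" if row["affected"] else "ok"
        print(f"{row['host']:6} {row['product']:16} {row['version']:12} {state}")
```

Note that Thunderbird 128.x is an ESR line, so an inventory that labels it plain `thunderbird` would compare it against 135 and over-report; getting the channel right is the whole check.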
