What happened
Researchers identified a new variant of ACRStealer, an information-stealing malware family, that introduces syscall-based evasion techniques to bypass endpoint detection and response (EDR) monitoring. The updated malware communicates with its command-and-control servers over TLS-encrypted channels and includes the ability to deliver secondary payloads, expanding the attacker’s control over infected systems. ACRStealer, first reported in 2025 as a rebranded version of Amatera Stealer, is distributed through Malware-as-a-Service (MaaS) operations and has been observed spreading through loaders such as HijackLoader. The new syscall-evasion approach allows the malware to bypass common user-mode API monitoring techniques used by security tools, making it harder to detect during execution.
Who is affected
Organizations and individuals running Microsoft Windows systems are affected if the malware is executed, as ACRStealer is designed to harvest sensitive data including credentials, browser information, and other stored system data.
Why CISOs should care
The new variant demonstrates how infostealer malware continues to evolve with advanced evasion techniques, allowing attackers to bypass endpoint monitoring and deploy additional payloads once systems are compromised.
3 practical actions
Monitor systems for syscall-based evasion behavior. Detect abnormal process activity designed to bypass API monitoring.
Inspect suspicious loader activity. Investigate infections delivered through loaders such as HijackLoader that may deploy secondary payloads.
Rotate exposed credentials. Assume credential theft may occur if ACRStealer infections are detected.
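The first action above, monitoring for syscall-based evasion, cannot rely on the user-mode API hooks the malware sidesteps; it needs kernel-side or ETW-TI style telemetry that records the calling thread's stack. The following is an added example, not code from the article or from any vendor, showing the call-stack heuristic defenders commonly use: a syscall whose innermost frame is outside ntdll.dll/win32u.dll (direct syscall), or whose ntdll stub was entered from memory not backed by an image on disk (indirect syscall), is flagged. The event schema and all telemetry records are constructed for the example.

```python
# Added example: call-stack heuristic for syscall-based EDR evasion.
# Assumes telemetry records carry the invoking thread's stack, innermost
# frame first, as (module_name, image_backed) pairs. All data is constructed.
from dataclasses import dataclass

# Legitimate Windows syscall stubs live in these two modules.
SYSCALL_MODULES = {"ntdll.dll", "win32u.dll"}


@dataclass
class SyscallEvent:
    pid: int
    image: str
    operation: str   # e.g. NtOpenProcess (hypothetical field name)
    stack: list      # innermost frame first: (module, image_backed)


def classify(event: SyscallEvent) -> str:
    """Return 'benign', 'direct-syscall' or 'indirect-syscall'.

    direct:   the frame that executed the syscall instruction is not ntdll/win32u
    indirect: the stub is in ntdll, but its caller is unbacked (non-image) memory
    JIT runtimes (.NET, browsers) also call from unbacked memory, so the
    indirect verdict needs process-context tuning before it becomes an alert.
    """
    if not event.stack:
        return "benign"
    innermost, _backed = event.stack[0]
    if innermost.lower() not in SYSCALL_MODULES:
        return "direct-syscall"
    if len(event.stack) > 1 and not event.stack[1][1]:
        return "indirect-syscall"
    return "benign"


def find_suspicious(events):
    """Reduce a batch of events to (pid, image, operation, verdict) hits."""
    return [(e.pid, e.image, e.operation, verdict) for e in events
            if (verdict := classify(e)) != "benign"]


# Constructed telemetry: one normal call, one direct and one indirect syscall.
EVENTS = [
    SyscallEvent(1200, "explorer.exe", "NtOpenProcess",
                 [("ntdll.dll", True), ("kernelbase.dll", True), ("explorer.exe", True)]),
    SyscallEvent(4412, "updater.exe", "NtOpenProcess",
                 [("updater.exe", True), ("updater.exe", True)]),
    SyscallEvent(4413, "updater.exe", "NtWriteVirtualMemory",
                 [("ntdll.dll", True), ("<unbacked>", False), ("updater.exe", True)]),
]
```

Run against EVENTS, find_suspicious returns the two updater.exe records; the first should be escalated as-is, the second correlated with the process's known JIT behaviour before alerting.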
