
ACRStealer Returns: Trojanized RAM Booster Installer Delivers 4-Stage Loader with Heaven's Gate, AES-256 Shellcode Injection, and 17 C2 Servers on a Single Bulletproof Host

Published March 12, 2026

TL;DR: A fresh ACRStealer sample surfaced on MalwareBazaar on March 9, 2026 -- a trojanized Chris-PC RAM Booster installer that kicks off a 4-stage kill chain ending in process injection via ntdll native API calls. Unlike the Config.ps1 dropper we analyzed last week, this campaign uses a new 16-byte XOR key, a previously undocumented .NET loader called CoreHubManager that decrypts AES-256-CBC shellcode in memory, and Heaven's Gate WoW64 transitions to execute x64 code from a 32-bit process. We extracted all encryption keys, mapped 17 C2 IP addresses -- every single one hosted by VDSINA (SERVERS TECH FZCO, UAE/Amsterdam) -- and confirmed that ACRStealer has been rebranded as AmateraStealer, now selling at $199/month.


What Changed Since Our Last Report

Our previous ACRStealer investigation dissected the Config.ps1 dropper, the Go-based "continental" loader, the stolen ASUSTeK EV certificate, and the verification.google DLL that steals Windows Hello NGC keys. This follow-up tracks a parallel delivery chain that surfaced 24 hours later with substantially different tooling.

Aspect                 | Previous Report (Mar 8)            | This Report (Mar 9)
Primary sample         | Config.ps1 PowerShell dropper      | Trojanized Chris-PC RAM Booster (Inno Setup EXE)
XOR key                | MnZdJGRiwLze (12-byte)             | b8dd28a22237f586888c363c22c4da3c (16-byte)
Loader                 | Go 1.26.0 "continental" binary     | .NET Framework CoreHubManager.exe
Shellcode encryption   | Not extracted                      | AES-256-CBC, key + IV recovered
Injection method       | Not documented                     | ntdll.dll: NtAllocateVirtualMemory, NtCreateThreadEx
Evasion                | Defender exclusions, self-deletion | Heaven's Gate (WoW64), custom AFD socket ops
Infrastructure pattern | Multi-provider, 50% churn          | Single provider (VDSINA), uniform nginx 1.24.0 stack
Hosting provider       | Spread across many ASNs            | 100% VDSINA -- single point of disruption

The shift from a Go binary to a .NET loader, and from multi-provider hosting to a single bulletproof host, suggests either a different affiliate operating within the AmateraStealer MaaS ecosystem or a deliberate operational pivot by the same actor.

Attack Chain: From Fake RAM Booster to Full Credential Theft

[1] DELIVERY
    |-- Trojanized Chris-PC RAM Booster (Inno Setup installer, 6.7 MB)
    |-- Also: ClickFix/FakeCaptcha -> PowerShell (vocals.ps1)
    |-- Also: Cracked software ZIPs via Mega.nz / Yandex Disk
         |
[2] EXECUTION
    |-- Installer drops legitimate app + malicious DLL
    |-- DLL sideloading: wke.dll / python3XX.dll / CrashRpt1403.dll
    |-- OR: PowerShell forces SysWOW64 (32-bit), XOR-decrypts .NET payload
         |
[3] .NET LOADER (CoreHubManager.exe)
    |-- AES-256-CBC decryption of 357,456-byte shellcode blob
    |-- Spawns hidden WinForms app (no taskbar, 0% opacity)
    |-- Process injection via ntdll.dll native API calls
         |
[4] SHELLCODE + STEALER
    |-- Heaven's Gate: transitions to x64 from WoW64 context
    |-- Custom AFD socket operations (bypasses WinHTTP/Winsock hooks)
    |-- Dead Drop Resolver: Steam / Google Docs / Telegram
    |-- Downloads RC4-encrypted config, steals everything, exfils via HTTPS

Stage 1: The Trojanized Installer

The primary sample is a 6.7 MB Inno Setup executable masquerading as Chris-PC RAM Booster, a legitimate memory optimization tool.

Property     | Value
SHA-256      | e49fbf6640e8c5e9d47731ac1ddc2b7e6711df3b22e851220ec2f6a5ce8d6ecb
MD5          | 2d9e893f651b7739057434da6fab1580
SHA-1        | 71af91a314728e618dc55bc10e8964a0d0e2ef9b
Size         | 6,787,688 bytes
Imphash      | 74eb199b68cce68d5e65b492bae421d9
Type         | PE32, Inno Setup installer
First Seen   | 2026-03-09
CAPE Sandbox | Analysis #56842

The installer bundles a legitimate copy of Chris-PC RAM Booster alongside a malicious DLL. When the user runs the installer expecting a RAM optimization tool, DLL search order hijacking ensures the malicious payload executes before the real application loads. The user sees the legitimate software install and run normally -- the compromise is invisible.

Stage 2: The PowerShell Vector (vocals.ps1)

A parallel delivery chain uses a PowerShell dropper distinct from the Config.ps1 we analyzed previously.

Property   | Value
SHA-256    | 053c866e69cc9f52407c8c8b449365d98765e66751c60b96f93452b2c87f4378
MD5        | 7786acef10a6deb70cca0fa0d5cbb3f7
Size       | 3,868,075 bytes (3.7 MB)
First Seen | 2026-03-08

The dropper forces execution into 32-bit mode via SysWOW64 -- a prerequisite for the Heaven's Gate technique used in Stage 4. It then XOR-decrypts an embedded .NET assembly using a new 16-byte key:

XOR Key (hex):  b8dd28a22237f586888c363c22c4da3c
XOR Key (B64):  uN0ooiI39YaIjDY8IsTaPA==

This is a different key from the Config.ps1 dropper (MnZdJGRiwLze). The output of XOR decryption is a valid .NET PE assembly -- the CoreHubManager loader.

Stage 3: CoreHubManager -- The .NET Injection Loader

The decrypted .NET assembly is a previously undocumented loader we are designating CoreHubManager based on its assembly metadata.

Property    | Value
SHA-256     | e56b327e9a139e1327c266d010d6df2d77fd822d8c6fb7fdec25aab38ed864e8
MD5         | f63abb292495aa5c50878fe69aa7ae91
Imphash     | f34d5f2d4577ed6d9ceec516c1f5a744
Size        | 1,446,400 bytes
Runtime     | .NET Framework v4.0.30319
Entry Point | Program.Main() (Token 0x6000008)

Internal Structure

Assembly: CoreHubManager.exe
Runtime:  .NET Framework v4.0.30319
Entry:    Program.Main() [Token 0x6000008]

Classes:
  - Program: Main entry, creates hidden WinForm
  - Stub: Contains EncryptedShellcode field, DecryptShellcode method

Fields:
  - EncryptedShellcode: 357,456 bytes (AES-256-CBC encrypted)
  - JunkData0-17:  65,536 bytes each (1.1 MB total padding)
  - JunkData18:    30,743 bytes

P/Invoke (ntdll.dll):
  - NtAllocateVirtualMemory
  - NtCreateThreadEx
  - NtWaitForSingleObject
  - NtClose

The loader's Stub class holds two critical elements: a 357,456-byte encrypted shellcode blob stored as a static FieldRVA array, and a DecryptShellcode method that performs AES-256-CBC decryption. We extracted the key material:

AES-256 Key: f45bfb93c374b5058228e2866df29df73361db650a0c8602212d8df2a49331ad
AES-256 IV:  b99b7a6f02634caf51782a19a203ba90

After decryption, the loader:

  1. Creates a hidden WinForms application (no taskbar entry, 0% opacity) to maintain a message loop
  2. Calls NtAllocateVirtualMemory to allocate RWX memory in the current process
  3. Copies the decrypted shellcode into the allocated region
  4. Calls NtCreateThreadEx to spawn a thread executing the shellcode
  5. Calls NtWaitForSingleObject to wait for completion

The 18 JunkData fields (totaling over 1.1 MB) serve as anti-analysis padding, inflating the assembly size and making static analysis tools choke on the large data sections.
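As an added example (not code from the report, the dropper or the loader), the following Go program applies the two recovered key layers in the order the chain uses them: the Stage 2 repeating-key XOR of the embedded .NET assembly, checked with a real MZ/PE header test, followed by the Stage 3 AES-256-CBC decryption of the shellcode field with PKCS#7 unpadding. The XOR key, AES key and IV are the values published above; the minimal PE header and the short "shellcode" are constructed stand-ins, since the real blobs are not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Key material recovered from the sample, as published in the report above.
var (
	xorKey, _ = hex.DecodeString("b8dd28a22237f586888c363c22c4da3c")
	aesKey, _ = hex.DecodeString("f45bfb93c374b5058228e2866df29df73361db650a0c8602212d8df2a49331ad")
	aesIV, _  = hex.DecodeString("b99b7a6f02634caf51782a19a203ba90")
)

// Layer 1: vocals.ps1 XORs the embedded .NET assembly with a repeating 16-byte key.
func xorWithKey(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// isPE is the post-Layer-1 sanity check: the right key yields "MZ" plus a
// "PE\0\0" signature at the little-endian e_lfanew offset stored at 0x3c.
func isPE(b []byte) bool {
	if len(b) < 0x40 || string(b[:2]) != "MZ" {
		return false
	}
	off := int(b[0x3c]) | int(b[0x3d])<<8 | int(b[0x3e])<<16 | int(b[0x3f])<<24
	return off+4 <= len(b) && string(b[off:off+4]) == "PE\x00\x00"
}

// Layer 2: Stub.DecryptShellcode is AES-256-CBC with .NET's default PKCS#7
// padding; a padding failure almost always means a wrong key or IV.
func aesCBCDecrypt(ct, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key (%v) or ciphertext length %d", err, len(ct))
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad PKCS#7 padding: wrong key or IV?")
	}
	return pt[:len(pt)-pad], nil
}

// aesCBCEncrypt exists only to build the constructed demo blob; the loader never encrypts.
func aesCBCEncrypt(pt, key, iv []byte) []byte {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct
}

func main() {
	// Constructed stand-ins: a minimal MZ/PE header and a short fake shellcode.
	fakePE := append(append([]byte("MZ"), make([]byte, 0x3a)...), 0x40, 0, 0, 0, 'P', 'E', 0, 0)
	fmt.Println("layer 1 decrypts to PE:", isPE(xorWithKey(xorWithKey(fakePE, xorKey), xorKey)))
	sc, err := aesCBCDecrypt(aesCBCEncrypt([]byte("constructed shellcode"), aesKey, aesIV), aesKey, aesIV)
	fmt.Printf("layer 2 shellcode: %q (err=%v)\n", sc, err)
}
```

On a real sample, feed the XOR-decrypted bytes to isPE before searching the assembly for the 357,456-byte field; a padding error from aesCBCDecrypt is the quickest sign that a variant has rotated its key or IV.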

Stage 4: Shellcode -- Heaven's Gate and Custom Sockets

The decrypted shellcode employs two notable evasion techniques that distinguish this campaign from typical infostealers.

Heaven's Gate (WoW64 x64 Execution)

The shellcode uses the Heaven's Gate technique to transition from 32-bit (WoW64) execution context to native 64-bit code. By manipulating the code segment selector, the shellcode bypasses the WoW64 translation layer entirely. This defeats:

  • 32-bit debuggers and analysis tools that cannot follow the x64 transition
  • WoW64-layer API hooks installed by security products
  • Sandboxes that only instrument the 32-bit execution path

This is why the PowerShell dropper forces SysWOW64 execution -- the shellcode requires a WoW64 context to perform the gate transition.

Custom AFD Socket Operations

Rather than using the standard WinHTTP or Winsock APIs for network communication, the shellcode performs socket operations directly through the Windows Ancillary Function Driver (AFD). This bypasses:

  • WinHTTP/Winsock API hooks installed by EDR products
  • Network monitoring tools that intercept socket calls at the API layer
  • SSL inspection proxies that rely on hooking high-level HTTP libraries

The combination of Heaven's Gate and AFD socket operations represents a significant step up in evasion sophistication compared to the Go-based "continental" loader from our previous report.

Dead Drop Resolver: Hiding C2 in Plain Sight

ACRStealer's Dead Drop Resolver (DDR) technique is the operational glue that makes its infrastructure resilient. The mechanism works as follows:

  1. The attacker creates profiles on Steam Community, Google Docs, Google Slides, or Telegram (Telegraph)
  2. The actual C2 domain or IP is Base64-encoded and embedded in the profile content
  3. The malware fetches the page, searches for the marker string 3e3 aHR0cHM, and decodes the Base64 to obtain the real C2 address
  4. To rotate C2, the operator simply edits the Steam profile -- no malware update needed

The marker 3e3 aHR0cHM is partially decodable: 3e3 decodes to > (an HTML entity artifact) and aHR0cHM is the Base64 prefix for https://. This marker is searchable on Steam Community -- defenders can proactively hunt for active DDR profiles.

DDR Hunting

Search Steam Community profiles for the string 3e3 aHR0cHM to identify active dead-drop pages. Any profile containing this marker is almost certainly serving as an ACRStealer C2 resolver.
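The following Go program is an added example, not part of the report, of the defender-side half of the DDR mechanism: given the body of a fetched profile page, it locates the 3e3 aHR0cHM marker, decodes the Base64 run that follows it, and reduces the result to a host that can be blocked or pivoted on. The profile text, the decoy Base64 string and the TEST-NET address 203.0.113.10 are constructed; the marker string is the one documented above.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// The marker the stealer searches profile pages for, as documented in the report.
const ddrMarker = "3e3 aHR0cHM"

// A Base64 run beginning with the encoding of "https://"; trailing padding optional.
var b64Run = regexp.MustCompile(`aHR0cHM[A-Za-z0-9+/]*={0,2}`)

// extractDDR returns every https URL hidden behind the marker in a page body.
// Only runs that directly follow the full marker count, so an unrelated Base64
// "https://" string elsewhere on the page is ignored.
func extractDDR(page string) []string {
	var urls []string
	rest := page
	for {
		i := strings.Index(rest, ddrMarker)
		if i < 0 {
			return urls
		}
		rest = rest[i+len("3e3 "):] // now positioned at the aHR0cHM... run
		enc := b64Run.FindString(rest)
		// RawStdEncoding tolerates markers copied without their '=' padding.
		dec, err := base64.RawStdEncoding.DecodeString(strings.TrimRight(enc, "="))
		if err == nil && strings.HasPrefix(string(dec), "https://") {
			urls = append(urls, string(dec))
		}
		rest = rest[len(enc):]
	}
}

// c2Host reduces a decoded DDR URL to the host a defender would block or pivot on.
func c2Host(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return u.Hostname()
}

func main() {
	// Constructed profile body: the operator would edit this text to rotate C2.
	// 203.0.113.10 is a TEST-NET placeholder, not an address from the campaign.
	c2 := base64.StdEncoding.EncodeToString([]byte("https://203.0.113.10"))
	decoy := base64.StdEncoding.EncodeToString([]byte("https://store.steampowered.com"))
	page := `<div class="profile_summary">` + decoy + "<br>" + ddrMarker[:4] + c2 + " </div>"
	for _, u := range extractDDR(page) {
		fmt.Printf("DDR C2: %s (host %s)\n", u, c2Host(u))
	}
}
```

Run periodically against profiles already known to carry the marker and diff the output: a changed host is the operator rotating C2, which the report notes requires no malware update.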

Infrastructure: 17 C2 Servers, One Hosting Provider

Every C2 server we identified in this campaign is hosted by a single provider -- VDSINA (brand name of SERVERS TECH FZCO, registered in UAE, servers physically located in Amsterdam). This is a significant OPSEC failure and a potential single point of disruption.

Hosting Provider Profile

Property         | Value
Brand            | VDSINA
Legal Entity     | SERVERS TECH FZCO
Registration     | UAE (Dubai, IFZA Business Park)
Server Location  | Amsterdam, Netherlands
ASN              | AS216071
Abuse Contact    | abuse@vdsina[.]com
Hostname Pattern | v######.hosted-by-vdsina.com

Live C2 Servers (as of 2026-03-09)

IP              | Hostname                     | Ports   | Services                    | Notes
144.124.246.132 | v660070.hosted-by-vdsina.com | 22, 443 | nginx 1.24, self-signed TLS | Active
144.124.233.47  | v636693.hosted-by-vdsina.com | 22, 443 | nginx 1.24, self-signed TLS | Active
212.118.41.180  | v642575.hosted-by-vdsina.com | 22, 443 | nginx 1.24, self-signed TLS | Active
146.103.104.188 | v674414.hosted-by-vdsina.com | 443     | nginx 1.24, self-signed TLS | Active
45.150.34.0     | N/A                          | 8888    | Python 3.10                 | Active (alt stack)

Offline/Dark C2 Servers

IP              | Hostname                     | Status
46.149.72.226   | v683103.hosted-by-vdsina.com | SSH only
46.149.76.78    | v683123.hosted-by-vdsina.com | SSH only
46.149.72.66    | N/A                          | Dark
146.103.103.78  | N/A                          | Dark
146.103.109.239 | N/A                          | Dark
144.124.236.99  | N/A                          | Dark
193.33.195.37   | v662570.hosted-by-vdsina.com | SSH only
94.26.106.216   | N/A                          | SSH only
77.91.96.209    | N/A                          | Dark
77.238.228.60   | N/A                          | Dark
91.84.123.250   | N/A                          | Dark
212.34.155.34   | N/A                          | Dark

Infrastructure Fingerprint

All active TLS-enabled servers share an identical configuration:

  • OS: Ubuntu Linux
  • Web server: nginx 1.24.0
  • TLS: Self-signed certificate with CN=<IP address>
  • SSH: OpenSSH 9.6p1 (where port 22 is open)

This uniformity -- same OS, same nginx version, same TLS configuration, same hosting provider -- is a strong clustering signal. It suggests the operator uses a standardized provisioning script or template to deploy C2 infrastructure, and purchases servers through a single VDSINA reseller account.

DLL Sideloading: Six Vectors Across the Campaign

The March 9 campaign uses six different DLL names for sideloading, rotating the hijacked library to evade static signatures:

DLL Name            | Host Binary              | Prevalence
wke.dll             | Miniblink WebKit engine  | High
python311.dll       | Python 3.11 interpreter  | Medium
python312.dll       | Python 3.12 interpreter  | Medium
python315.dll       | Python 3.15 interpreter  | Low
CrashRpt1403.dll    | CrashRpt crash reporter  | Low
verification.google | Unknown host             | Low

The latest wke.dll variant is notably large:

Property | Value
SHA-256  | c4627fbcce87136d2ec6fdb876b8c4496d7f25411d2c24860ba1ec0f8f39e916
MD5      | a5c21df47e82d2fbe8b2976e1a597ca6
Imphash  | 0bf4447fda89303e8c2644bb6df92eb9
Size     | 13,374,224 bytes (12.7 MB)

A 13 MB DLL is unusual and likely contains inflated junk sections to evade sandbox file-size limits and slow analysis tools.

AmateraStealer: The Rebrand and MaaS Pricing

ACRStealer has been rebranded as AmateraStealer and is actively sold as a Malware-as-a-Service product:

Plan    | Price
Monthly | $199
Annual  | $1,499

Customers receive access to a web-based panel for managing victims, configuring theft targets, and downloading exfiltrated data. The MaaS model means multiple affiliates operate independently, which explains the diversity in delivery methods (Inno Setup installers, PowerShell droppers, ClickFix, cracked software bundles) while sharing the same core stealer and C2 infrastructure.

Data Theft Scope

Once fully deployed, ACRStealer/AmateraStealer harvests credentials and tokens from over 200 applications:

  • Browsers: Chrome, Firefox, Edge, Opera, Brave, Vivaldi, and 200+ extensions
  • Cryptocurrency wallets: MetaMask, Phantom, Exodus, Electrum, Trust Wallet
  • Password managers: Bitwarden, 1Password, LastPass
  • FTP clients: FileZilla, WinSCP
  • Email clients: Thunderbird, Outlook
  • VPN clients and remote access tools
  • Cloud storage tokens
  • Documents: DOC, TXT, PDF files

Stolen data is compressed into ZIP archives and exfiltrated via HTTPS POST to https://{C2}/Up/x. Later variants use encrypted endpoints at https://{C2}/enc_Up/x.

OPSEC Failures

The operator has made several mistakes that enable infrastructure tracking:

  1. Single hosting provider -- All C2 on VDSINA. One abuse takedown or law enforcement request to SERVERS TECH FZCO could disrupt the entire operation.
  2. Uniform server fingerprint -- Ubuntu + nginx 1.24 + self-signed TLS. Trivial to cluster on Shodan/Censys.
  3. Hostname pattern -- v######.hosted-by-vdsina.com links every server.
  4. UUID reuse -- The config download path contains f1575b64-8492-4e8b-b102-4d26e8c70371, reused across campaigns.
  5. Searchable DDR marker -- 3e3 aHR0cHM is findable on Steam Community.

Campaign Timeline

Date       | Event
2025 Q1    | ACRStealer distribution volume increases (ASEC reporting)
2025 Q2    | ASEC publishes DDR analysis; Google Docs/Steam exploitation documented
2025 H2    | Rebrand to AmateraStealer; MaaS pricing introduced
2026-02-07 | Earliest sample in current campaign (sunwukongs.exe, stolen ASUS EV cert)
2026-02-13 | python315.dll variant with Yandex Disk delivery
2026-02-20 | python312.dll variants, multiple C2 IPs activated
2026-03-01 | SETUP.zip + wke.dll campaign begins
2026-03-05 | HijackLoader/IDATLoader cross-loading with Vidar
2026-03-07 | ClickFix delivery (xfas.iso), OffLoader, Config.ps1 dropper
2026-03-08 | vocals.ps1 dropper, 13 MB wke.dll variant
2026-03-09 | Trojanized Chris-PC RAM Booster -- this sample

MITRE ATT&CK Mapping

Tactic               | Technique                                 | ID        | Implementation
Resource Development | Acquire Infrastructure: VPS               | T1583.003 | VDSINA VPS procurement (17 servers)
Resource Development | Stage Capabilities                        | T1608.001 | Mega.nz / Yandex Disk payload hosting
Initial Access       | Drive-by Compromise                       | T1189     | ClickFix / FakeCaptcha social engineering
Initial Access       | Phishing: Spearphishing Link              | T1566.002 | Cracked software download links
Execution            | User Execution: Malicious File            | T1204.002 | Trojanized Chris-PC RAM Booster installer
Execution            | PowerShell                                | T1059.001 | vocals.ps1 dropper
Execution            | Native API                                | T1106     | ntdll.dll NtCreateThreadEx / NtAllocateVirtualMemory
Persistence          | DLL Search Order Hijacking                | T1574.001 | wke.dll, python3XX.dll, CrashRpt1403.dll sideloading
Defense Evasion      | Process Injection                         | T1055     | Shellcode injection via NtAllocateVirtualMemory + NtCreateThreadEx
Defense Evasion      | Obfuscated Files                          | T1027     | 3-layer encryption: XOR -> AES-256-CBC -> RC4
Defense Evasion      | Masquerading                              | T1036     | Trojanized legitimate RAM Booster installer
Defense Evasion      | Virtualization/Sandbox Evasion            | T1497     | Heaven's Gate WoW64 technique
Credential Access    | Credentials from Password Stores          | T1555     | Browser, password manager, email client theft
Credential Access    | Credentials from Web Browsers             | T1555.003 | Chrome/Firefox/Edge credential extraction
Collection           | Data from Local System                    | T1005     | Document harvesting (DOC/TXT/PDF)
Command and Control  | Web Service: Dead Drop Resolver           | T1102.001 | Steam / Google Docs / Telegram DDR
Command and Control  | Encrypted Channel                         | T1573.001 | AES-256-CBC + RC4 C2 communication
Command and Control  | Application Layer Protocol: HTTPS         | T1071.001 | HTTPS C2 on port 443
Exfiltration         | Exfiltration Over C2 Channel              | T1041     | ZIP-compressed data to /Up/x endpoint

Indicators of Compromise

File Hashes

Filename / Description            | SHA-256
Trojanized Chris-PC RAM Booster   | e49fbf6640e8c5e9d47731ac1ddc2b7e6711df3b22e851220ec2f6a5ce8d6ecb
vocals.ps1 (PowerShell dropper)   | 053c866e69cc9f52407c8c8b449365d98765e66751c60b96f93452b2c87f4378
wke.dll (DLL sideload, 13 MB)     | c4627fbcce87136d2ec6fdb876b8c4496d7f25411d2c24860ba1ec0f8f39e916
CoreHubManager.exe (.NET loader)  | e56b327e9a139e1327c266d010d6df2d77fd822d8c6fb7fdec25aab38ed864e8

C2 IP Addresses

The 17 C2 addresses, with hostnames and current status, are listed in the Live C2 Servers and Offline/Dark C2 Servers tables above.

C2 URL Patterns

hxxps://{C2}/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371
hxxps://{C2}/Up/x
hxxps://{C2}/enc_ujs/{UUID}
hxxps://{C2}/enc_Up/x

Delivery Infrastructure

iksdvnutr[.]it[.]com  (Cloudflare, redirects to Mega.nz)
mega[.]nz/file/LzZgQbxS#...
disk[.]yandex[.]ru/d/lsH9EXe7e6SDtA

Encryption Keys

# PowerShell XOR (Layer 1)
Key: b8dd28a22237f586888c363c22c4da3c (16 bytes)

# AES-256-CBC Shellcode (Layer 2)
Key: f45bfb93c374b5058228e2866df29df73361db650a0c8602212d8df2a49331ad
IV:  b99b7a6f02634caf51782a19a203ba90

# RC4 C2 Config (Layer 3)
Key: 852149723\x00 (10 bytes including null)

# AES-256-CBC C2 Comms (Later Variants)
Key: 7640FED98A53856641763683163F4127B9FC00F9A788773C00EE1F2634CEC82F
IV:  55555555555555555555555555555555

Behavioral Indicators

# DLL sideloading names
wke.dll
python311.dll
python312.dll
python315.dll
CrashRpt1403.dll
verification.google

# Temp file artifact
%TEMP%\MWxobNWR.log

# DDR marker (Steam / Google / Telegram)
3e3 aHR0cHM

# C2 config UUID (reused across campaigns)
f1575b64-8492-4e8b-b102-4d26e8c70371

Detection Opportunities

YARA Rules

rule ACRStealer_CoreHubManager_Loader {
    meta:
        description = "Detects ACRStealer .NET loader CoreHubManager with AES-256 shellcode"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "CRITICAL"
        reference = "https://intel.breakglass.tech"
    strings:
        $class1 = "CoreHubManager" ascii wide
        $class2 = "DecryptShellcode" ascii wide
        $class3 = "EncryptedShellcode" ascii wide
        $junk = "JunkData" ascii wide
        $nt1 = "NtAllocateVirtualMemory" ascii
        $nt2 = "NtCreateThreadEx" ascii
        $nt3 = "NtWaitForSingleObject" ascii
        $aes_key = { f4 5b fb 93 c3 74 b5 05 82 28 e2 86 6d f2 9d f7 }
    condition:
        uint16(0) == 0x5A4D and
        (2 of ($class*) or ($junk and 2 of ($nt*)) or $aes_key)
}

rule ACRStealer_Vocals_PS1_Dropper {
    meta:
        description = "Detects ACRStealer vocals.ps1 XOR-encrypted PowerShell dropper (16-byte key)"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
    strings:
        $xor_key = { b8 dd 28 a2 22 37 f5 86 88 8c 36 3c 22 c4 da 3c }
        $b64_key = "uN0ooiI39YaIjDY8IsTaPA==" ascii wide
        $syswow = "SysWOW64" ascii wide nocase
    condition:
        $xor_key or ($b64_key and $syswow)
}

rule ACRStealer_DLL_Sideload_WKE {
    meta:
        description = "Detects ACRStealer wke.dll sideloading payload (inflated variant)"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
    strings:
        $imphash_marker = "wke.dll" ascii wide nocase
        $rc4_key = "852149723" ascii
        $uuid = "f1575b64-8492-4e8b-b102-4d26e8c70371" ascii
        $ddr_marker = "3e3 aHR0cHM" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        filesize > 10MB and
        2 of them
}

Suricata/Snort Rules

# Note: the http-keyword rules below only fire where TLS is terminated or decrypted
# upstream of the sensor; on the wire this C2 traffic is HTTPS on port 443.

# ACRStealer C2 -- VDSINA infrastructure (active servers)
alert tls any any -> [144.124.246.132,144.124.233.47,212.118.41.180,146.103.104.188] 443 \
  (msg:"ACRSTEALER-MAR9 C2 VDSINA Self-Signed TLS"; tls.cert_subject; content:"CN="; \
  flow:established,to_server; sid:2026030901; rev:1;)

# ACRStealer C2 -- Config download path with reused UUID
alert http any any -> any 443 (msg:"ACRSTEALER C2 Config Download UUID"; \
  content:"/ujs/f1575b64-8492-4e8b-b102-4d26e8c70371"; http_uri; \
  flow:established,to_server; sid:2026030902; rev:1;)

# ACRStealer C2 -- Data exfiltration endpoint
alert http any any -> any 443 (msg:"ACRSTEALER C2 Exfiltration Endpoint"; \
  content:"/Up/x"; http_uri; content:"POST"; http_method; \
  flow:established,to_server; sid:2026030903; rev:1;)

# ACRStealer -- DDR resolution via Steam Community
# (matches any Steam profile view; treat hits as a correlation signal, not a block)
alert http any any -> any any (msg:"ACRSTEALER Dead Drop Resolver Steam Lookup"; \
  content:"steamcommunity.com"; http_host; content:"profiles"; http_uri; \
  flow:established,to_server; sid:2026030904; rev:1;)

Endpoint Hunting Queries

Sysmon / Windows Event Log:

# DLL sideloading from user-writable directories
EventID=7 AND (ImageLoaded CONTAINS "wke.dll" OR ImageLoaded CONTAINS "python311.dll"
  OR ImageLoaded CONTAINS "python312.dll" OR ImageLoaded CONTAINS "python315.dll"
  OR ImageLoaded CONTAINS "CrashRpt1403.dll" OR ImageLoaded CONTAINS "verification.google")
  AND NOT ImageLoaded STARTS WITH "C:\Program Files"

# ntdll native API injection pattern
EventID=10 AND TargetImage CONTAINS "ntdll.dll"
  AND CallTrace CONTAINS "NtAllocateVirtualMemory"

# Temp artifact
EventID=11 AND TargetFilename CONTAINS "MWxobNWR.log"

# PowerShell forcing SysWOW64 execution
EventID=1 AND CommandLine CONTAINS "SysWOW64" AND CommandLine CONTAINS "powershell"

VDSINA Infrastructure Monitoring

Query Shodan or Censys for the VDSINA C2 fingerprint:

# Shodan
ssl.cert.issuer.cn:"self-signed" org:"SERVERS TECH FZCO" port:443 product:"nginx/1.24.0"

# Censys
services.tls.certificates.leaf.issuer.common_name: /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ AND
autonomous_system.name: "SERVERS TECH FZCO" AND services.port: 443

Published by Breakglass Intelligence. Investigation conducted 2026-03-09. CAPE Sandbox analysis #56842. 50+ MalwareBazaar samples correlated. 17 C2 IPs mapped to single hosting provider. This is our second report on ACRStealer/AmateraStealer -- read the first report for analysis of the stolen ASUSTeK EV certificate, Go-based "continental" loader, and verification.google DLL. Classification: TLP:CLEAR
