Inside ACRStealer's Telegraph Dead Drop and the C2 Farm Behind It
50 samples in 10 days, a Telegram-hosted dead drop resolver, and an 11-server C2 cluster hiding in a single /24 in Frankfurt
The C2 address is not in the binary. It is on a Telegraph blog post titled "Jewel," authored by someone calling themselves Maisie Lees, published March 6, 2026. Buried in what looks like JavaScript code on the page is the string NDUuOS4xMjIuMTI1 -- base64 for 45.9.122.125.
That is ACRStealer's dead drop resolver in action, and it is just the beginning of what we found.
The Dead Drop
Dead Drop Resolvers (DDR) are an increasingly popular C2 obfuscation technique. Instead of hardcoding a C2 address in the malware binary -- where any analyst with strings or a hex editor can find it -- the malware fetches it from a legitimate service. Previous ACRStealer variants used Google Docs, Google Slides, Google Forms, and Steam community pages.
This variant uses Telegram's Telegraph blogging platform at telegra[.]ph. The execution flow:
- Malware sends HTTP GET to hxxps://telegra[.]ph/Jewel-03-06
- Telegraph returns the page content (hosted on Telegram CDN at 149.154.164.13)
- Malware extracts the base64 string embedded in fake JavaScript
- Decodes to 45.9.122.125
- Begins HTTPS POST exfiltration to the real C2
The beauty of this approach: Telegraph is a legitimate Telegram service. Blocking telegra.ph at the enterprise level breaks real workflows. The page itself looks innocuous. And if the C2 gets burned, the operator just edits the Telegraph page to point to a new IP -- no need to recompile the malware.
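Recovering the address from a captured DDR page the way an analyst would, as an added example (not code from the article): it scans saved page text for base64 tokens and keeps only those that decode to a valid IPv4 address, so decoys and ordinary words are dropped. The page markup below is constructed; only the encoded address is the one the post reports.

```python
import base64
import ipaddress
import re

# Constructed stand-in for the Telegraph page body: the payload sits inside
# something that looks like JavaScript, next to a decoy base64 string.
SAMPLE_PAGE = """
<p>Jewel</p>
<script>var cfg = {k: "aGVsbG8gd29ybGQ=", host: "NDUuOS4xMjIuMTI1", id: 42};</script>
<p>Some filler text with no payload.</p>
"""

# Runs of base64 alphabet long enough to hold a dotted quad (7..15 bytes),
# with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,24}={0,2}")


def decode_ip_candidates(page: str) -> list[str]:
    """Return every base64 token in the page that decodes to a valid IPv4 address.

    Tokens that are not well-formed base64, or that decode to anything other
    than a dotted quad (e.g. "hello world"), are skipped. Order is preserved
    and duplicates are collapsed.
    """
    found: list[str] = []
    for token in B64_TOKEN.findall(page):
        try:
            raw = base64.b64decode(token, validate=True).decode("ascii")
            addr = ipaddress.IPv4Address(raw)  # raises on anything but a dotted quad
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if str(addr) not in found:
            found.append(str(addr))
    return found


if __name__ == "__main__":
    print(decode_ip_candidates(SAMPLE_PAGE))  # -> ['45.9.122.125']
```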
50 Samples, 6 Delivery Methods
We identified 50 ACRStealer samples submitted to MalwareBazaar in a 10-day window (March 1-11, 2026). The delivery diversity is striking:
- DLL Sideloading -- the most common vector. ZIPs containing a legitimate executable alongside a malicious DLL named verification.google, wke.dll, python3xx.dll, or CrashRpt1403.dll
- ClickFix / FakeCaptcha -- fake browser CAPTCHA pages that trick users into running PowerShell commands
- PowerShell Droppers -- scripts like vocals.ps1 that download and execute the DLL
- ISO Images -- disk images containing the sideloading pair
- MSI Installers -- Windows installer packages
- HTA Droppers -- HTML Applications executing the payload chain
The internal DLL names follow a distinctive pattern: [english_word][two_digits].dll -- ceiling61.dll, fan58.dll, seats76.dll, fed15.dll, movement42.dll, mine27.dll. This is likely an automated build system generating unique filenames per campaign wave.
The C2 Farm
When we scanned the /24 subnet around the C2 IP, the picture got much bigger. Eleven servers in 45.9.122.120-130 share an identical configuration: nginx 1.24.0, MySQL 8.0 exposed on port 3306, Ubuntu Linux, OpenSSH. Every one of them hosts DGA-style domains registered through Namecheap.
| IP | Domain | Created |
|---|---|---|
| 45.9.122.120 | lepupufutozikinenupela[.]online | 2026-01-12 |
| 45.9.122.121 | rqzjzs[.]com | 2026-01-05 |
| 45.9.122.123 | palumbocars[.]com | 2026-01-05 |
| 45.9.122.124 | chomioritic[.]com | 2026-01-05 |
| 45.9.122.125 | dynamitewalrus[.]com | 2026-01-05 |
| 45.9.122.126 | leriminulaliniluxi[.]online | 2026-01-12 |
| 45.9.122.127 | zafuxavaponilevuzoli[.]online | 2026-01-12 |
| 45.9.122.128 | lokimanonumuzu[.]online | 2026-01-12 |
| 45.9.122.129 | lononikezozefafekaliku[.]online | 2026-01-12 |
The .com domains were all registered within seconds of each other on January 5. The .online domains were batch-registered on January 12. Same Namecheap account, same registration pattern. This is a stealer C2 farm -- provisioned in bulk, operated at scale.
Monthly Domain Rotation
The primary C2 at 45.9.122.125 has cycled through five domains, one registered per month:
| Domain | Registered |
|---|---|
| pinokyotoy[.]com | 2025-08-11 |
| shoptipsycrow[.]com | 2025-09-19 |
| haloofpower[.]com | 2025-10-24 |
| try-super-calm[.]com | 2025-11-21 |
| dynamitewalrus[.]com | 2026-01-05 |
The rotation is predictable. Each domain lasts roughly a month. All registered via Namecheap. All resolve to the same IP. This operational pattern makes future domain registrations somewhat predictable for proactive blocking.
The Hosting Stack
The C2 infrastructure sits on RapidSeedbox Ltd (AS57043), a Seychelles-registered shell company that resells from Leaseweb Deutschland GmbH (AS28753) in Frankfurt, Germany. Secondary infrastructure uses VDSina (SERVERS TECH FZCO, UAE -- a Russian-origin VPS provider) and GIR Network (GLOBAL INTERNET SOLUTIONS LLC, Russia) for staging and delivery servers.
The C2 server at 45.9.122.125 only responds to POST requests on port 443. Send a GET and you get HTTP 405. This is a POST-only exfiltration endpoint -- all it does is receive stolen data. MySQL on port 3306 is exposed on every server in the cluster, presumably serving as the backend for victim data storage.
Russian Operator Fingerprints
A filename artifact gives away the operator language: acr-karimichikstrelyaet-639081475329420.exe. The string "karimichik strelyaet" translates from Russian as "karimichik shoots." Combined with the GIR Network (Russian) staging servers, VDSina (Russian-origin) delivery infrastructure, and cross-family links to Vidar and LummaC2 (both Russian-origin stealers), the operator profile points clearly to the Russian-speaking cybercrime ecosystem.
What It Steals
ACRStealer targets a comprehensive list: Chrome, Firefox, Edge, Opera, Brave, and Vivaldi browser data (logins, cookies, history, autofill, credit cards); crypto wallets (MetaMask, Exodus, Electrum, Binance); FTP clients (FileZilla, WinSCP); email (Outlook, Thunderbird); VPN configs (NordVPN, OpenVPN, ProtonVPN); password managers (KeePass, Bitwarden, LastPass); and chat apps (Telegram, Discord, Signal). It also grabs PuTTY, MobaXterm, and Windows Terminal credentials.
Key IOCs
Dead Drop Resolver:
hxxps://telegra[.]ph/Jewel-03-06
Primary C2:
45[.]9[.]122[.]125:443 (POST only)
C2 Domains:
dynamitewalrus[.]com
try-super-calm[.]com
haloofpower[.]com
shoptipsycrow[.]com
pinokyotoy[.]com
Primary Sample:
SHA256: 22cb1ac28554ec947f5fc5b9cf5ab3d84a83a00b942b62c685cb38c9d99b533a
MD5: d87b2fa27f99acc9d728b5c799462abc
Imphash: 84b9db404799c341d63eda0b3ec865fa
DLL Pattern: [word][number].dll loaded via rundll32.exe [name].dll,#1
Detection Guidance
- Network: Monitor DNS queries for telegra.ph followed by HTTPS POST traffic to IPs outside Telegram's ASN. This sequence -- resolve Telegraph, then POST to an unrelated server -- is a strong behavioral indicator of DDR-based C2.
- Firewall: Block the entire 45.9.122.120/28 range. The whole cluster is hostile.
- Endpoint: Hunt for rundll32.exe loading DLLs matching [a-z]+[0-9]{2}\.dll from user-writable directories (Downloads, Temp, AppData).
- DLL Sideloading: Alert on legitimate executables loading unsigned DLLs from the same directory, especially with names like verification.google or shell32.dll outside System32.
- Abuse Reporting: Report the Telegraph DDR page to Telegram (dmca@telegram.org). Report C2 domains to Namecheap (abuse@namecheap.com). The exposed MySQL ports on every C2 server are a gift for law enforcement.
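The network and endpoint checks above, as an added example that is not the article's own code: the first correlates a telegra.ph resolve with a POST to a non-Telegram IP on the same host, the second matches the rundll32 [word][two digits].dll,#1 pattern only when the DLL sits under a user-writable directory. The event stream and command lines are constructed; the Telegram prefix and the 60-second window are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumption: Telegram's 149.154.160.0/20 (which contains the 149.154.164.13
# Telegraph host from the article) stands in for "Telegram's ASN" here.
TELEGRAM_NETS = [ipaddress.ip_network("149.154.160.0/20")]
WINDOW = timedelta(seconds=60)  # assumed correlation window

# Constructed event stream: (timestamp, host, kind, detail).
EVENTS = [
    ("2026-03-09T10:00:00", "WS-17", "dns", "telegra.ph"),
    ("2026-03-09T10:00:01", "WS-17", "http", "POST 149.154.164.13"),  # fetching the dead drop page
    ("2026-03-09T10:00:04", "WS-17", "http", "POST 45.9.122.125"),    # exfil to the real C2
    ("2026-03-09T10:05:00", "WS-22", "dns", "telegra.ph"),
    ("2026-03-09T10:20:00", "WS-22", "http", "POST 203.0.113.9"),     # 15 min later: outside window
]

def is_telegram(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in TELEGRAM_NETS)

def ddr_sequence_alerts(events):
    """Return (host, ip) for POSTs to non-Telegram IPs within WINDOW of a telegra.ph resolve."""
    last_resolve, alerts = {}, []
    for ts, host, kind, detail in sorted(events):  # sort by timestamp first
        t = datetime.fromisoformat(ts)
        if kind == "dns" and detail == "telegra.ph":
            last_resolve[host] = t
        elif kind == "http" and detail.startswith("POST "):
            ip = detail.split()[1]
            seen = last_resolve.get(host)
            if seen is not None and t - seen <= WINDOW and not is_telegram(ip):
                alerts.append((host, ip))
    return alerts

# Endpoint hunt: rundll32 loading [word][two digits].dll by ordinal #1, and
# only when the path runs through a user-writable directory.
SIDELOAD_CMD = re.compile(
    r'rundll32\.exe\s+"?(?P<path>[^",]+?\\(?P<name>[a-z]+[0-9]{2}\.dll))"?,#1', re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.IGNORECASE)

def sideload_hits(cmdlines):
    """Return the DLL names from command lines that satisfy both conditions."""
    hits = []
    for cmd in cmdlines:
        m = SIDELOAD_CMD.search(cmd)
        if m and USER_WRITABLE.search(m.group("path")):
            hits.append(m.group("name"))
    return hits
```

Running ddr_sequence_alerts(EVENTS) on the constructed stream flags only WS-17's POST to 45.9.122.125; the page fetch to Telegram and the late POST from WS-22 are not reported.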
ACRStealer's operators have built industrial-scale infrastructure -- 11 servers, monthly domain rotation, 50 samples in 10 days across six delivery methods. But their OPSEC failures (single Namecheap account, batch registration timestamps, Russian language artifacts, exposed databases) mean this infrastructure is eminently trackable. The question is not whether it can be mapped, but whether anyone acts on the mapping before the next rotation.