ACRStealer’s Stealthy Evolution: New Variants Use Heaven’s Gate & Low-Level NTAPIs to Evade Detection

ACRStealer, a notorious information-stealing malware, has once again come under the spotlight following a series of enhancements that have significantly improved its resilience against detection and analysis. Over the past year—particularly since the beginning of 2025—its activity has markedly intensified, with recent iterations showcasing a rapid adaptation to modern defensive mechanisms.

Initially observed by experts at the AhnLab Security Intelligence Center, ACRStealer employed a tactic known as Dead Drop Resolver—a novel command-and-control technique that leverages legitimate platforms like Google Docs and Steam as communication channels. This strategy allowed threat actors to veil their malicious infrastructure behind layers of seemingly benign traffic. Yet, this was merely the beginning of its evolution—each new version of ACRStealer introduces increasingly sophisticated evasion techniques that hinder detection and obstruct forensic examination.

The core objective of ACRStealer remains unchanged: to harvest sensitive data from compromised systems. Its capabilities include the exfiltration of credentials and information from browsers, cryptocurrency wallets, email clients, FTP accounts, cloud storage, notes, password managers, databases, remote access tools, and even document files spanning formats like DOC, TXT, and PDF. However, its latest variants now possess the ability to deploy additional malware, making it especially dangerous as part of multi-stage intrusion campaigns.

One of the most striking innovations is the implementation of the Heaven’s Gate technique, which enables 64-bit code execution within WoW64 processes—traditionally reserved for 32-bit applications. This approach complicates both static and dynamic analysis while subverting signature-based antivirus mechanisms by distorting typical code execution paths.

Unlike many similar tools that rely on standard network libraries such as WinHTTP or Winsock, the latest version of ACRStealer interfaces directly with the AFD system driver, using low-level NTAPI functions like NtCreateFile and NtDeviceIoControlFile. This allows the malware to craft raw HTTP request structures manually, completely bypassing library-level monitoring and hook-based detection systems. The architectural model is heavily inspired by the open-source NTSockets project, ensuring high stealth in network communications.

To further thwart analysis, the authors of ACRStealer have begun inserting fake domain names into HTTP request headers—such as microsoft.com, avast.com, google.com, and even pentagon.com—in place of real IP addresses. This deceptive tactic misleads automated tools like VirusTotal, which may only display the spoofed domain in logs, masking the actual malicious endpoint—e.g., IP 85.208.139.75.

From a configuration standpoint, its encryption pipeline remains consistent: exfiltrated data is first Base64-encoded, then encrypted using the RC4 algorithm with a hardcoded key 852149723\x00. Communication with command-and-control servers occurs over HTTP or HTTPS, allowing the attackers to tailor connectivity to the target’s network. The latest releases also support self-signed TLS certificates, reducing reliance on public cloud services and simplifying domain rotation.
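As an added example (not code from the article, and not the malware's own code), a small Python decoder for the exfiltration pipeline described above: it reverses the layering in the order stated (RC4 first, then Base64) using the reported key, and reports cleanly when a captured body does not fit that layering. The sample record is constructed here for illustration; the assumption is that a captured request body carries the RC4 output directly.

```python
import base64

# RC4 key reported for ACRStealer's exfiltration pipeline, as raw bytes
# including the trailing NUL (from the article).
ACR_RC4_KEY = b"852149723\x00"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_exfil(plaintext: bytes, key: bytes = ACR_RC4_KEY) -> bytes:
    """Reproduce the described pipeline (Base64, then RC4) to build test data."""
    return rc4(key, base64.b64encode(plaintext))


def decode_exfil(blob: bytes, key: bytes = ACR_RC4_KEY) -> bytes:
    """Reverse the pipeline on a captured body: RC4-decrypt, then Base64-decode.

    Raises ValueError when the RC4 output is not valid Base64, which means the
    key or the assumed layering does not match this sample."""
    decrypted = rc4(key, blob)
    try:
        # validate=True rejects any byte outside the Base64 alphabet instead of
        # silently discarding it, so a wrong key fails loudly.
        return base64.b64decode(decrypted, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("RC4 output is not Base64; key or pipeline assumption is wrong") from exc


def looks_like_acr_exfil(blob: bytes, key: bytes = ACR_RC4_KEY) -> bool:
    """Triage helper: does this body decode under the documented pipeline?"""
    try:
        decode_exfil(blob, key)
        return True
    except ValueError:
        return False


# Constructed sample record (not real victim data) and its encoded form.
SAMPLE_RECORD = b'{"host": "WORKSTATION-01", "browser": "chrome", "entries": 3}'
CAPTURED_BODY = encode_exfil(SAMPLE_RECORD)
```

Because Base64 is applied before RC4, a correct key always yields output restricted to the Base64 alphabet, which is why the validating decode doubles as a cheap key check during triage.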

A new, fortified data exchange protocol has also been introduced, encrypting payloads using AES-256 in CBC mode with a hardcoded key and initialization vector. These encrypted messages are prefixed with enc_ in the URL, enabling the malware to distinguish between legacy and updated C2 infrastructures.

Furthermore, ACRStealer has abandoned static paths in favor of dynamically generated strings negotiated during the initial handshake with the command server. Configuration requests are now sent via POST rather than GET and formatted as structured JSON objects—obscuring traffic patterns and increasing resistance to rule-based network defenses.

The ongoing dissemination of ACRStealer’s upgraded variants underscores the escalating sophistication of cyber threats. Each new release marks a step forward in stealth, persistence, and the silent plunder of sensitive information.