Update: ACRStealer Evolves into AmateraStealer with Advanced Evasion and C2 Techniques
ACRStealer, an information-stealing malware that has been active since 2024, underwent significant enhancements in 2025, including upgrades to its stealth and command-and-control (C2) capabilities. Noted initially for abusing services like Google Docs and Steam via Dead Drop Resolver (DDR), the malware retains its core functionality of exfiltrating credentials, documents, and data from browsers, wallets, and remote access tools. Recent variants integrate "Heaven’s Gate" to execute 64-bit code in 32-bit processes, a known anti-analysis tactic. The use of direct interactions with the Ancillary Function Driver (AFD) via NT functions, such as NtCreateFile, replaces traditional libraries like WinHTTP, thereby bypassing detection mechanisms. Additionally, the malware embeds legitimate-looking hostnames in HTTP headers to mislead monitoring tools and obscure true malicious destinations. Further obfuscation includes the use of open-source NTSockets for stealthy network traffic and AES-256 encrypted payloads with hardcoded keys layered over RC4 and Base64 encoding. New variants leverage self-signed HTTPS certificates and dynamic POST-based configuration exchanges, replacing static paths with randomized strings. These improvements reduce pattern-based detections, allowing ACRStealer—now dubbed AmateraStealer—to persist across diverse environments. Older CloudFlare dependencies have been replaced with custom infrastructure, reinforcing its independence and resilience. Proofpoint and AhnLab analysts warn that the malware’s modularity and ongoing evolution position it as a significant threat in the infostealer landscape.
China-Nexus APT Targets Tibetan Community in Campaigns
Zscaler ThreatLabz, in collaboration with TibCERT, exposed two coordinated campaigns—Operation GhostChat and Operation PhantomPrayers—linked with high confidence to a Chinese state-aligned APT group. Timed around the Dalai Lama’s 90th birthday, the campaigns exploited increased digital engagement by compromising legitimate Tibetan websites, such as tibetfund[.]org, and injecting malicious redirects to attacker-controlled subdomains. Victims were tricked into downloading trojanized applications themed around cultural and religious activities, triggering multi-stage infection chains that delivered either Ghost RAT or PhantomNet malware. These backdoors enabled full-spectrum surveillance, supporting remote command execution, file manipulation, keylogging, screen capture, and audio/video collection on Windows hosts. The campaigns employed advanced evasion methods, including DLL sideloading, shellcode injection, and low-level API abuse, to bypass modern EDR and antivirus systems. Technical overlaps in TTPs and toolkits tie the activity to previously documented Chinese groups like TA428, known for targeting ethnic minorities and dissident networks. In Operation GhostChat, victims were redirected to a counterfeit Element messaging site, where a ZIP file containing a legitimate Element[.]exe sideloaded a malicious ffmpeg[.]dll to execute a reflective loader. This loader utilized dynamically resolved APIs and manual mapping of ntdll.dll to evade user-mode hooks and inject shellcode into ImagingDevices[.]exe, which subsequently launched Ghost RAT via a second-stage payload. Operation PhantomPrayers employed similar tactics, utilizing a fake PyQT-based “Dalai Lama Check-in” application that sideloaded malware via VLC media player binaries and maintained persistence through Windows Startup shortcuts. The Stage-1 loader decrypted a dual-layer encrypted shellcode chain (RC4 and AES-128-CBC), ultimately delivering the PhantomNet backdoor, which communicated over encrypted TCP channels using modular DLL plugins. These plugins enabled timed operations, credential theft, and system enumeration, while the malware's communication protocols and infrastructure reflected past use in Operation SignSight. The operations highlight the continued abuse of cultural events and trusted platforms for cyber espionage, reinforcing the importance of digital hygiene and targeted threat monitoring in diaspora communities.
Stealth Backdoor Abuses WordPress Mu-Plugins for Persistent Admin Control
Researchers from Sucuri have uncovered a stealth backdoor targeting WordPress installations by exploiting the must-use (mu-) plugins directory. These plugins, automatically activated and hidden from the admin plugin interface, provide an ideal vector for persistent, covert access. The attacker uses a PHP loader named wp-index[.]php placed in wp-content/mu-plugins to fetch a second-stage payload stored under the wp_options table, using ROT13 obfuscation to disguise its URL. Once retrieved, the payload is executed on disk, granting the attacker remote code execution capabilities. A hidden file manager is also dropped into the theme directory as pricing-table-3[.]php, and a malicious plugin is activated to support ongoing compromise. To ensure continued access, the attacker creates an admin account named officialwp and forcibly resets common admin passwords to a preset value. This backdoor architecture enables attackers to maintain complete control, block legitimate administrative access, and execute a range of malicious actions, including file manipulation, data theft, malware propagation, and website defacement. Notably, the malware can reinstate itself even after removal attempts and dynamically inject content, allowing attackers to modify behavior on demand. The combination of mu-plugin stealth, database persistence, and theme-level file injections makes this threat difficult to detect using standard WordPress security measures. The abuse of legitimate WordPress mechanisms also helps the attacker blend in with normal site operations. To defend against these tactics, administrators should regularly update all components, use two-factor authentication, and thoroughly audit plugin, theme, and mu-plugin directories. Proactive detection of unauthorized admin accounts and suspicious file activity is essential to mitigate long-term compromise.
Amazon Q VS Code Extension Compromised by Malicious Contribution
An unknown malicious actor successfully injected a destructive system prompt into version 1.84.0 of Amazon’s Q extension for Visual Studio Code, which was subsequently published through official AWS channels and distributed to end-users. The embedded instructions told the AI assistant to behave like a system cleaner, with directives to delete local files, cloud resources, and AWS user profiles by issuing command-line operations. The attacker reportedly submitted a pull request using an unverified GitHub account and was mistakenly granted administrative access, enabling them to introduce the prompt into the project’s codebase. Amazon released the compromised version on July 17, 2025, and silently replaced it with version 1.85 once the issue was discovered on July 18, but not before users were potentially exposed. AWS has stated that no customer resources were affected and claimed that both the SDK and Visual Studio Code repositories were fully remediated. However, the attacker's statement to 404 Media revealed the payload was intended to protest Amazon’s lax AI security posture, suggesting more damaging code could have been deployed. This incident underscores significant gaps in DevSecOps maturity for AI-enabled developer tools, particularly when integrating open-source workflows into critical enterprise environments. Experts warn that AI agents with access to system-level operations must be governed by strict review processes, continuous monitoring, and immutable release pipelines to detect unauthorized changes. Analysts such as Sunil Varkey and Sakshi Grover highlight the growing threat of model manipulation and prompt injection, advocating for AI-specific threat modeling within CI/CD systems. The malicious prompt exploited a blind spot in contribution governance, where the injected behavior altered how the AI assistant interpreted commands without modifying its underlying code logic. Recommendations include implementing anomaly detection for behavioral drift, enforcing least-privilege permissions for all contributors, and maintaining detailed audit trails for pull requests and runtime behavior. This breach serves as a critical lesson for enterprises adopting generative AI: without robust oversight and layered protections, trusted AI tools can become robust vectors for supply chain compromise.
