Full Report
The Acreed malware, which emerged earlier this year, is gaining ground with cybercriminals who otherwise might have used the Lumma infostealer, researchers said.
Analysis Summary
# Threat: Acreed (Emerging Infostealer Malware)
## Attribution & Identity
Acreed is a newly emerged infostealer gaining significant traction in the Russian-language cybercriminal market, positioned to replace the disrupted Lumma stealer. Its developers have not been attributed; researchers note that "little is known about its developers."
## Activity Summary
Acreed has rapidly established itself in the Russian infostealer market, becoming the second most prevalent stealer in Q1 2025, trailing only Lumma. Following the law enforcement takedown of Lumma infrastructure in May, Acreed is projected to become the primary infostealer sold in that market.
## Tactics, Techniques & Procedures
- Targets Windows hosts.
- Harvests saved login credentials, browser cookies (session tokens that an attacker can replay to enter an account without the password), and cryptocurrency wallet data.
- Extracts saved credentials and cookies from the major browsers (Chrome, Firefox, Edge).
- Steals usernames and passwords for social media, email services, streaming platforms, and local network access.
## Targeting
- Sectors: Airlines, hospitals, government agencies, and banks. Note that this reflects the historical victim profile of Lumma, the stealer Acreed is replacing, not confirmed Acreed victimology.
- Geography: Acreed is sold and traded primarily in the Russian-language cybercriminal market; the source does not specify victim geography.
- Victims: Individual users whose Windows systems are infected for credential and session harvesting; the resulting logs are resold to downstream actors.
## Tools & Infrastructure
- Malware families used: Acreed (Infostealer).
- Infrastructure (C2, domains, IPs): None provided for Acreed in this source. The infrastructure seized in May belonged to Lumma, not Acreed.
## Implications
Acreed's rapid rise indicates a robust, high-demand market for accessible infostealers in the Russian-language ecosystem. Its emergence suggests that operators displaced by the Lumma takedown are quickly adopting viable, easy-to-use alternatives, so the flow of stolen credentials and sessions continues largely uninterrupted. Stolen data bundles ("Acreed logs") trade for as little as $2, which keeps the barrier to downstream account takeover low.
## Mitigations
- Enforce strong multi-factor authentication on all critical services (especially email, financial, and social media). Because stolen session cookies can be replayed to bypass MFA, also revoke active sessions and rotate credentials on any host suspected of infection.
- Keep operating systems and web browsers patched and up to date.
- Deploy endpoint detection and response (EDR) tooling that can flag non-browser processes reading browser credential and cookie stores, and bulk staging or archiving of data before exfiltration.
- Train users to recognise phishing, the most likely initial infection vector; the source does not describe Acreed's specific delivery method.
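The report does not include detection content for Acreed, so the following is an added example, not code from the original report or from any vendor: it implements the EDR check recommended above (a process other than the owning browser reading a browser's saved-login or cookie store, which is the harvesting behaviour listed under TTPs) and runs it over constructed file-access events. The event format (JSON with `user`, `process`, `file`, `access`) is an assumption standing in for whatever your EDR or Windows object-access auditing emits; the file names are the real Chromium and Firefox store locations, while the user, profile names and the `svc_update.exe` binary in the sample events are invented for the demonstration.

```python
"""Flag non-browser processes reading browser credential and cookie stores.

Added example, not from the original report. Models the telemetry an EDR or
Windows file-access auditing would produce and checks it for the read
pattern an infostealer exhibits when harvesting saved logins and cookies.
"""
import json
import ntpath
from dataclasses import dataclass

# Path fragments identifying each browser's data root, and the one binary
# expected to open files under it. (chrome.exe reading Firefox's key4.db is
# just as suspicious as an unknown binary doing so.)
BROWSER_ROOTS = {
    ("google", "chrome", "user data"): "chrome.exe",
    ("microsoft", "edge", "user data"): "msedge.exe",
    ("mozilla", "firefox", "profiles"): "firefox.exe",
}

# Files inside those roots holding what the report says Acreed harvests.
# Matched on the path tail so any profile directory name works.
SENSITIVE_TAILS = {
    ("login data",): "saved logins (Chromium SQLite)",
    ("network", "cookies"): "cookies (Chromium SQLite)",
    ("local state",): "DPAPI-wrapped key needed to decrypt Chromium logins/cookies",
    ("logins.json",): "saved logins (Firefox)",
    ("key4.db",): "key database needed to decrypt Firefox logins",
    ("cookies.sqlite",): "cookies (Firefox)",
}


@dataclass
class Alert:
    user: str
    process: str
    file: str
    reason: str


def _parts(path: str) -> list[str]:
    """Split a Windows (or forward-slash) path into lower-cased components."""
    return [p.lower() for p in path.replace("/", "\\").split("\\") if p]


def _owning_browser(parts: list[str]):
    """Return the browser binary that owns this path, or None if not a browser dir."""
    for root, owner in BROWSER_ROOTS.items():
        n = len(root)
        if any(tuple(parts[i:i + n]) == root for i in range(len(parts) - n + 1)):
            return owner
    return None


def _sensitive_store(parts: list[str]):
    for tail, what in SENSITIVE_TAILS.items():
        if tuple(parts[-len(tail):]) == tail:
            return what
    return None


def check_event(event: dict):
    """Return an Alert if a non-owning process read a sensitive browser store."""
    parts = _parts(event["file"])
    owner = _owning_browser(parts)
    what = _sensitive_store(parts) if owner else None
    if what is None:
        return None
    proc = ntpath.basename(event["process"]).lower()
    if proc == owner:
        return None  # the browser reading its own data: benign
    return Alert(event["user"], event["process"], event["file"], f"{proc} read {what}")


def analyze(lines):
    """Run check_event over JSON-lines telemetry; only read access is interesting."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("access") == "read":
            a = check_event(ev)
            if a:
                alerts.append(a)
    return alerts


def by_process(alerts):
    """Count flagged stores per process: one binary touching several is the strongest signal."""
    counts = {}
    for a in alerts:
        counts[a.process] = counts.get(a.process, 0) + 1
    return counts


# Constructed sample telemetry (not real logs). One unknown binary in Temp
# reads Chrome's login DB, the key needed to decrypt it, and Firefox's key DB.
_P = r"C:\Users\alice\AppData\Local"
_BAD = _P + r"\Temp\svc_update.exe"
SAMPLE_EVENTS = [
    {"user": "alice", "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "file": _P + r"\Google\Chrome\User Data\Default\Login Data", "access": "read"},
    {"user": "alice", "process": _BAD,
     "file": _P + r"\Google\Chrome\User Data\Default\Login Data", "access": "read"},
    {"user": "alice", "process": _BAD,
     "file": _P + r"\Google\Chrome\User Data\Local State", "access": "read"},
    {"user": "alice", "process": _BAD,
     "file": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\key4.db",
     "access": "read"},
    {"user": "alice", "process": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "file": _P + r"\Microsoft\Edge\User Data\Default\Network\Cookies", "access": "read"},
    {"user": "alice", "process": _BAD,  # same file name outside a browser dir: ignored
     "file": r"C:\Users\alice\Documents\Login Data", "access": "read"},
    {"user": "alice", "process": _BAD,  # write, not read: ignored by this rule
     "file": _P + r"\Google\Chrome\User Data\Default\Network\Cookies", "access": "write"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f"[{a.user}] {a.reason}: {a.file}")
    print(by_process(found))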