DEV Community

THREAT CHAIN

Originally published at threatchain.io

ACRStealer: The Hidden Threat Disguised as a Google Verification File

This article was originally published on ThreatChain — decentralized threat intelligence.

Your security tools might have missed this one. ACRStealer is actively targeting networks right now — here's what you need to know before it hits yours.

Picture this: you're a freelance designer, and a client sends over what looks like a Google verification plugin. The file name even says "verificationgoogle." You double-click it without a second thought. Within sixty seconds — before you've even noticed anything wrong — your saved browser passwords, cryptocurrency wallets, and cloud storage credentials are being silently packaged up and shipped to a stranger on the other side of the world.

That's ACRStealer. And it's getting better at slipping past the tools we trust to catch it.

What Is ACRStealer, Exactly?

ACRStealer is an information stealer — a type of malware whose entire job is to vacuum up your personal and financial data, then send it to attackers. Think of it like a digital pickpocket: it doesn't trash your computer or lock your files. It just quietly rifles through your pockets, grabs what's valuable, and disappears.

First spotted as a growing threat in early 2025, ACRStealer is sold as a service on underground forums. That means the person who built it isn't necessarily the person using it. Anyone willing to pay a subscription fee gets access to a slick dashboard and a ready-made stealing tool. This "malware-as-a-service" model is exactly why ACRStealer keeps showing up in new campaigns — there are many customers.

What makes the sample we're looking at today especially interesting is how sneaky it is.

This Sample: Hiding in Plain Sight

ThreatChain recently flagged a file called verificationgoogle.dll — a name carefully chosen to look like something legitimate from Google. Here are the details:

| Detail | Value |
| --- | --- |
| File name | verificationgoogle.dll |
| Also seen as | WSCPlugin.dll, verification.google, yee85erl.exe |
| Type | Windows 64-bit DLL (a shared code library that other programs can load) |
| Size | ~3.4 MB |
| First seen | April 7, 2026 |
| SHA-256 | de5691a05fff72c33b1a67cab94f0ce24a712fdf46e71d2cbd47bc76b634f54d |
| Detection rate | 15 out of 75 antivirus engines flagged it |

That last number is the headline: only 20% of antivirus scanners caught it. Several well-known security tools — including at least one sandbox environment — initially returned a verdict of "clean" or "no threats detected." The malware was specifically designed to dodge automated analysis.

How It Works (Without the Jargon)

Let's walk through what this file actually does, step by step.

1. The Disguise

The file is packaged as a DLL, a type of Windows helper file that legitimate programs load all the time, and is named after Google verification or a "WSC Plugin" (WSC stands for Windows Security Center). It's betting that neither you nor your security tools will look twice. It's like a burglar wearing a FedEx uniform: people hold the door open for them.

2. Anti-Analysis Tricks

This sample is packed with techniques to detect when it's being watched. Security researchers often run suspicious files inside a "sandbox" — a virtual padded room where malware can't do real damage. This ACRStealer variant checks whether a debugger is attached (a debugger is a tool researchers use to step through code line by line). If it senses it's being analyzed, it behaves itself. It only goes to work when it believes it's running on a real victim's machine.

Think of it like a con artist who acts perfectly normal whenever a police officer is watching but goes back to pickpocketing the moment the cop turns the corner.

3. Written in Go

Here's a technical wrinkle that matters: this sample is written in Go (also called Golang), a programming language created by Google. Most Windows malware is written in C or C++. Go is unusual — and that's exactly the point. Security tools that are excellent at analyzing C-based malware can struggle with Go binaries. The code structure looks different, the file is larger, and automated detection rules often don't apply cleanly.

It's an increasingly popular trick. Attackers get a kind of camouflage just by choosing an unexpected programming language.
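As an added example (not code from the ThreatChain write-up), here is a small Python triage script that checks a file against the indicators on this page: the SHA-256 and file names from the table, whether the file is a 64-bit Windows DLL, and whether it carries the build-info header that Go-compiled binaries embed. The `fake_pe` helper and its bytes are constructed here purely so the script can be exercised offline; they are not the real sample.

```python
import hashlib
import os
import struct

# Indicators taken from the write-up above (hash and names of this sample).
KNOWN_SHA256 = {
    "de5691a05fff72c33b1a67cab94f0ce24a712fdf46e71d2cbd47bc76b634f54d": "ACRStealer (verificationgoogle.dll)",
}
SUSPECT_NAMES = {"verificationgoogle.dll", "wscplugin.dll", "verification.google", "yee85erl.exe"}
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"  # header of the build-info blob embedded in Go binaries
IMAGE_FILE_MACHINE_AMD64 = 0x8664          # COFF Machine value for x64
IMAGE_FILE_DLL = 0x2000                    # COFF Characteristics flag set on DLLs


def pe_info(data: bytes):
    """Return (is_pe, is_x64, is_dll) from the COFF file header; tolerant of short input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return (False, False, False)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return (False, False, False)
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return (True, machine == IMAGE_FILE_MACHINE_AMD64, bool(characteristics & IMAGE_FILE_DLL))


def triage(name: str, data: bytes) -> dict:
    """Match one file's name and bytes against the indicators; the file is never executed."""
    digest = hashlib.sha256(data).hexdigest()
    is_pe, is_x64, is_dll = pe_info(data)
    findings = []
    if digest in KNOWN_SHA256:
        findings.append("hash match: " + KNOWN_SHA256[digest])
    if os.path.basename(name).lower() in SUSPECT_NAMES:
        findings.append("file name used by this sample")
    if is_pe and GO_BUILDINFO_MAGIC in data:
        findings.append("Go build info present (Go-compiled binary)")
    return {"sha256": digest, "pe": is_pe, "x64": is_x64, "dll": is_dll, "findings": findings}


def fake_pe(machine=IMAGE_FILE_MACHINE_AMD64, characteristics=IMAGE_FILE_DLL, tail=b""):
    """Constructed test input: a DOS stub plus COFF header only, not a runnable executable."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew points at the PE signature
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, machine, 0, 0, 0, 0, 0, characteristics)
    return bytes(hdr) + tail
```

To check a real download, call `triage(path, open(path, "rb").read())` and look at the `findings` list; a Go-compiled 64-bit DLL with one of the listed names deserves a closer look even when its hash is new.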

4. Phone Home

Once running, ACRStealer connects to a command-and-control server — the attacker's remote control panel. This is where it receives instructions and sends your stolen data. Some ACRStealer variants are known for a clever twist here: instead of hard-coding a server address (which defenders can block), they hide the real address inside posts on legitimate platforms like Google Docs or Steam community pages. This technique is called "dead drop resolving" — the malware visits a public webpage to pick up its instructions, like a spy checking a dead drop location in a park.

5. The Grab

Once active, ACRStealer typically goes after:

  • Browser passwords and cookies (Chrome, Firefox, Edge — all of them)
  • Cryptocurrency wallet files (Bitcoin, Ethereum, and dozens of others)
  • FTP and email credentials (FileZilla, Outlook, Thunderbird)
  • Two-factor authentication codes from desktop authenticator apps
  • Files matching specific patterns — documents, text files, anything that might contain passwords or keys

Everything gets compressed, encrypted, and sent off. The whole process can take under a minute.

Who Should Care?

If you use a Windows computer and store passwords in your browser — which is most of us — you're a potential target. But some groups face outsized risk:

  • Small businesses without dedicated IT security. A single employee opening this file could expose client data, financial accounts, and business credentials.
  • Freelancers and remote workers who regularly receive files from clients and collaborators.
  • Cryptocurrency holders. Stolen wallet keys mean stolen funds, and there's no bank to call for a reversal.
  • Developers who might encounter this disguised as a plugin, SDK component, or verification file.

The Real-World Cost

Information stealers like ACRStealer don't just steal one password. They steal all of them — and then attackers sell that bundle on dark web marketplaces, often within hours. A single "log" (one victim's complete stolen data set) sells for anywhere from $5 to $50. Multiply that by thousands of infections, and you can see the business model.

But for the victim, the cost is far higher. Compromised bank accounts. Hijacked social media profiles. Business email accounts used to send fraudulent invoices to your own clients. The cleanup can take weeks. The reputational damage can last much longer.

What You Can Do Right Now

You don't need an enterprise security team to protect yourself. Here are five concrete steps:

  1. Stop saving passwords in your browser. Use a dedicated password manager like Bitwarden or 1Password instead. If a stealer grabs your browser data, your password manager vault remains separate and encrypted.

  2. Be suspicious of unexpected DLL and EXE files — especially ones with names designed to sound trustworthy like "verificationgoogle" or "WSCPlugin." If you didn't specifically go looking for it, don't run it.

  3. Enable two-factor authentication everywhere, but prefer hardware keys (like YubiKey) or phone-based authentication apps over desktop-based ones. Stealers can grab codes from desktop authenticator apps.

  4. Keep Windows and your antivirus updated. Yes, only 20% of scanners caught this sample initially — but that number improves quickly as detections are added. Being on the latest signatures matters.

  5. If you run a small business, consider a DNS-level filter (like Cloudflare Gateway's free tier or Quad9). These can block connections to known malicious command-and-control servers, stopping the malware from phoning home even if it does get in.

The Bottom Line

ACRStealer isn't flashy. It doesn't splash a ransom note on your screen or make your computer unusable. That's what makes it dangerous — it steals everything quietly and moves on. The sample we examined today is particularly well-crafted: written in an unusual language, packed with anti-analysis tricks, and barely detected by most antivirus tools at the time it appeared.

The best defense isn't any single tool. It's a healthy dose of skepticism about unexpected files, good password hygiene, and keeping your systems updated. None of that costs a dime — and it makes you a much harder target.


Sample SHA-256: de5691a05fff72c33b1a67cab94f0ce24a712fdf46e71d2cbd47bc76b634f54d
Family: ACRStealer | First seen: April 7, 2026 | Origin: US
VirusTotal detection: 15/75 | Threat label: trojan.midie

If you encounter this file or similar ones, report them to your IT team or upload them to VirusTotal for analysis.
