type: entity | confidence: high | created: 2026-05-26 | updated: 2026-06-09 | tags: infostealer, malware-family, golang, signing

ACR Stealer

Infostealer family written in Go, observed in signed PE32 executables that masquerade as legitimate applications via rich icon resources. First encountered in the PacketPursuit corpus on 2026-05-26. Five siblings have been analysed as of 2026-05-29, all sharing an identical build toolchain and certificate chain; C2 domains rotate per-build.

Build Stack

  • Compiler: Go 1.26.2 (GOARCH=386, GOOS=windows, CGO_ENABLED=0, -trimpath=true) ^[/intel/analyses/6871848bb724a184e393a734c9de9c17c41da1f26359755696f0df40685c42f2.html]
  • Signing: Authenticode-signed PE (certificate embedded in IMAGE_DIRECTORY_ENTRY_SECURITY)
  • Obfuscation: Randomized Go module path (e.g., vcCgXjVCTGAvGkl, PfeYrYvazVUGgZq); randomized function names in the main package; no external packer (entropy ~6.19 in .text)
  • Resources: .rsrc section contains multiple icons up to 256×256 PNG, used for social-engineering masquerade

See golang-stealer-build-pattern for the full build-pattern concept.
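
A triage helper for the build fingerprint listed above, added here as example code (not PacketPursuit tooling). It assumes the 15-letter mixed-case module-path test as a heuristic derived from the sibling module names on this page, and its Authenticode check only tests that the security data directory is populated, not that the signature chain validates.

```go
package main

import (
	"debug/buildinfo"
	"debug/pe"
	"regexp"
	"strings"
)

// Assumed heuristic: 15 ASCII letters, mixed case, no dot or slash (vcCgXjVCTGAvGkl shape).
var letters15 = regexp.MustCompile(`^[A-Za-z]{15}$`)

func looksRandomModule(p string) bool {
	return letters15.MatchString(p) && strings.ToUpper(p) != p && strings.ToLower(p) != p
}

// Indicators maps module path, Go build settings and Authenticode presence to pattern labels.
func Indicators(module string, settings map[string]string, signed bool) []string {
	var hits []string
	if settings["GOOS"] == "windows" && settings["GOARCH"] == "386" &&
		settings["CGO_ENABLED"] == "0" && settings["-trimpath"] == "true" {
		hits = append(hits, "go-static-binary-no-cgo")
	}
	if looksRandomModule(module) {
		hits = append(hits, "randomized-module-path")
	}
	if signed {
		hits = append(hits, "authenticode-signed")
	}
	return hits
}

// Triage pulls the same features from a PE on disk: debug/buildinfo reads the embedded
// build info (present even with -trimpath and stripped symbols), debug/pe the security directory.
func Triage(path string) ([]string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	settings := map[string]string{}
	for _, s := range bi.Settings {
		settings[s.Key] = s.Value
	}
	f, err := pe.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	oh, _ := f.OptionalHeader.(*pe.OptionalHeader32) // PE32, as in these samples
	signed := oh != nil && oh.DataDirectory[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].Size > 0
	return Indicators(bi.Main.Path, settings, signed), nil
}
```

Running Triage over a sample set and grouping by the returned labels surfaces new siblings that share the toolchain even when the C2 domain has rotated.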

Deploy / TTPs

  • Execution: Seeds a PRNG with the current time and uses it to decode the C2 strings at runtime ^[/intel/analyses/6871848bb724a184e393a734c9de9c17c41da1f26359755696f0df40685c42f2.html] ^[/intel/analyses/c577c6c87bd8a143598000e63d53c8e09b4f7d7a8b8c5de36f7479b5f4411274.html]
  • Network: Contacts C2 via direct IP (5.252.155.72) and domain (laserlogdnsop.icu) over TLS/HTTP (implied by crypto/tls and net/http linkage)
  • Collection: Targets browser credential stores, cryptocurrency wallets, and FTP/SSH credentials (family naming convention; no static confirmation in these specific samples)
  • Exfiltration: POSTs collected data to C2 endpoints (inferred from standard Go library linkage and family behaviour)

Capabilities

  • runtime-randomized-c2-decoding
  • tls-https-c2-client
  • browser-credential-dumping
  • cryptocurrency-wallet-targeting
  • ftp-ssh-credential-theft
  • signed-pe-masquerade
  • resource-icon-social-engineering
  • prng-seeded-string-decode
  • go-static-binary-no-cgo
  • custom-in-memory-pe-parser
  • multi-pass-byte-transform-decoder
  • reflective-loader-goroutine

Variants / Aliases

  • OpenCTI labels: acrstealer, laserlogdnsop-icu, flur-constzoo-surf

Notable Analyses

  • /intel/analyses/6871848bb724a184e393a734c9de9c17c41da1f26359755696f0df40685c42f2.html — Signed Go 1.26.2 PE32, randomized module path vcCgXjVCTGAvGkl, C2 5.252.155.72 / laserlogdnsop.icu
  • /intel/analyses/c577c6c87bd8a143598000e63d53c8e09b4f7d7a8b8c5de36f7479b5f4411274.html — Sibling build, identical toolchain, module PfeYrYvazVUGgZq, same C2 infrastructure
  • /intel/analyses/16a4344dcdb51bd043a360dd954bbee9ed5d497dce177e3114740598cc90d78b.html — Third sibling, module hlHtIOAoWQhvCrI, cert CN=me.muz.li / issuer CN=R13, same C2
  • /intel/analyses/d5655568fee9c610139d41d367afc74e768e1c8baf70e37912e9ebeb27b5d411.html — Fourth sibling, module JPYhJIzovpOdAaG, same cert CN=me.muz.li / issuer R13, adds custom PE parser and multi-pass decoder (TTPs shared with orderreshop)
  • /intel/analyses/1bfebf79c24d0813eb39fec74637d52b008188812631a4f666a59fae7c0cef2c.html — Fifth sibling, module rDRsLkGEEednpRk, cert CN=me.muz.li / issuer R13, C2 domain hertzfigblob.icu (new rotation)
  • /intel/analyses/f93d8d79ae62c9864e53e5abf92f5c905c358b6ac397c69418765a303947c1d1.html — Sixth sibling, module gesiimdPYMojqEh, cert CN=me.muz.li / issuer R13, stripped .rsrc section (no icon masquerade), no C2 domain in static strings
  • /intel/analyses/624f52cc31cd7ae5a311c9800b619386c9fd1a45af11b4e852391699ce36d3d8.html — Seventh sibling, module yCJjClxMaPcdOeL, cert CN=me.muz.li / issuer R13, .rsrc icons intact (masquerade active), static C2 fully absent — runtime-decoded or DGA

Related