Acreed Infostealer in 2026: From Emerging Threat to Market Leader

Key Takeaways

  • Acreed stealer has evolved from a specialized infostealer in early 2025 to one of the most widely used credential theft tools on Russian Market and other dark web platforms in 2026.
  • Acreed malware combines stealthy C2 infrastructure over Steam and the BNB Smart Chain with JSON-based exfiltration and DLL side-loading to evade traditional detection and forensic tracing.
  • By aggressively targeting SaaS and SSO credentials, Acreed enables rapid, large-scale account takeover and MFA bypass across Microsoft 365, Google, AWS, Azure, Salesforce and other cloud services.
  • The LummaC2 takedown in May 2025 created a power vacuum in the infostealer landscape that Acreed quickly filled, becoming a market leader in infostealer logs by mid‑2026.

Infostealers and the stealer logs they produce continue to pose a significant risk to individuals and organizations alike. The malware is designed to extract sensitive credentials such as passwords, wallets, and device information, which is later distributed as a stealer log across Telegram channels, datastores and dark web forums.

Through constant monitoring of the deep and dark web, we identified a previously undocumented infostealer whose logs first appeared on the popular datastore Russian Market: Acreed. This blog provides an analysis of the stealer log extracted by this infostealer, while focusing on the information leaked and identifying compromised systems.

We first detected this stealer on the datastore Russian Market. Over the course of about a week, more than 4,000 logs were uploaded to the website, primarily from Windows systems. Since then, Acreed has transformed from an emerging threat to a dominant player in the infostealer ecosystem, especially after the disruption of LummaC2’s infrastructure in May 2025.

Like most infostealers, Acreed seeks to extract user information, cookies, passwords, wallets and more. Unlike many traditional stealer log files, Acreed often provides a JSON file that outlines the number of files gathered from each type, giving threat actors a quick overview of the value of each log.

The stealer log itself typically contains several JSON files and folders. Among them are the pc_info.json file which details the main information about the infected device, a password.txt file containing URLs, logins and passwords, and a folder containing cookie files.

From the observed samples, this infostealer extracts detailed system information, including HWID, device and network IPs, username, as well as installed software and their versions. The stealer log also provides an indication if the user has admin permissions, which can drastically increase the severity of the incident.
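The log layout described above (a pc_info.json with host details and an admin flag, plus a password.txt of URL/login/password entries) is what a defender ingests when a purchased or monitored log turns out to belong to their organization. The following triage script is an added example written for this post, not Acreed's own code or a Webz.io tool. The field names inside pc_info.json and the "URL:/Login:/Password:" line labels in password.txt are assumptions for illustration, and all sample values are constructed; adjust the parsers to the layout you actually observe.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample of an Acreed-style pc_info.json. The field names are an
# assumption for illustration; the real file's schema is not documented here.
SAMPLE_PC_INFO = json.dumps({
    "hwid": "EXAMPLE-HWID-0001",
    "username": "jdoe",
    "is_admin": True,
    "local_ip": "10.0.0.23",
    "public_ip": "203.0.113.45",
    "os": "Windows 11",
    "software": [{"name": "Google Chrome", "version": "131.0"}],
})

# Constructed sample of password.txt: one block of URL / Login / Password
# lines per stored credential. The line labels are an assumption.
SAMPLE_PASSWORD_TXT = """\
URL: https://login.microsoftonline.com/
Login: jdoe@example.com
Password: Winter2025!
URL: https://github.com/login
Login: jdoe-example
Password: hunter2
URL: https://www.netflix.com/login
Login: jdoe@gmail.com
Password: popcorn
"""


@dataclass
class Credential:
    url: str
    login: str
    password: str


def parse_password_txt(text):
    """Group consecutive URL/Login/Password lines into Credential records."""
    creds, current = [], {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key in ("url", "login", "password"):
            current[key] = value.strip()
        if key == "password":  # Password is the last line of each block
            creds.append(Credential(current.get("url", ""),
                                    current.get("login", ""),
                                    current["password"]))
            current = {}
    return creds


def parse_pc_info(text):
    """Pull the fields that matter for severity out of pc_info.json."""
    info = json.loads(text)
    return {
        "hwid": info.get("hwid"),
        "username": info.get("username"),
        "is_admin": bool(info.get("is_admin", False)),
        "public_ip": info.get("public_ip"),
    }


def triage(pc_info_text, password_text, org_domains, sso_hosts):
    """Return the org-relevant findings from one log: which corporate accounts
    are exposed, which of them are SSO portal logins, and a severity that is
    raised when the infected host reported admin rights."""
    host = parse_pc_info(pc_info_text)
    exposed = []
    for c in parse_password_txt(password_text):
        login_domain = c.login.rpartition("@")[2].lower() if "@" in c.login else ""
        site = (urlparse(c.url).hostname or "").lower()
        if login_domain in org_domains or site in sso_hosts:
            exposed.append({"site": site, "login": c.login, "sso": site in sso_hosts})
    # An admin-level infection exposes more than one user's browser profiles,
    # so it is ranked above a standard-user infection with the same findings.
    if exposed and host["is_admin"]:
        severity = "high"
    elif exposed:
        severity = "medium"
    else:
        severity = "low"
    return {"hwid": host["hwid"], "user": host["username"],
            "severity": severity, "exposed": exposed}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PC_INFO, SAMPLE_PASSWORD_TXT,
                            {"example.com"}, {"login.microsoftonline.com"}), indent=2))
```

Run on the constructed sample, the script reports one exposed corporate account (the Microsoft sign-in) on an admin host and rates the log "high"; the personal GitHub and Netflix entries are ignored because they match neither an organizational e-mail domain nor an SSO host. In practice the org-domain and SSO-host sets are the only inputs that need tuning.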

We also observed stolen credentials from almost all major browsers, like Chrome, Edge and Firefox. The password files contain usernames and passwords from social media sites, email providers, streaming services and more, as well as local network credentials and Android-related credentials that may indicate synchronization with mobile devices. Furthermore, cookies were also extracted from said browsers across many types of websites, including Google and Microsoft services.

Both the cookies and passwords can be used maliciously to abuse online payments, gain unauthorized access to accounts, and ultimately perform account takeovers (ATOs). While the samples themselves were initially quite scarce, subsequent analysis and third‑party reporting show that Acreed has the potential to extract additional data such as cryptocurrency wallet information, credit cards, and messaging app data.

Where Does Acreed Stand in 2026?

In 2026, Acreed has cemented itself as one of the leading infostealer strains on dark web credential markets, particularly Russian Market, where it now accounts for a significant share of stealer logs posted by threat actors. Acreed’s rise has closely tracked the disruption of Lumma Stealer (LummaC2), whose infrastructure was seized in a coordinated law enforcement operation in May 2025. (For more background on that takedown, see our dedicated analysis of the LummaC2 operation.)

Before its disruption, LummaC2 was responsible for nearly 92% of credential theft logs on Russian Market in late 2024. When more than 2,300 LummaC2 domains were seized, threat actors rapidly pivoted to Acreed, driving an exponential increase in Acreed‑branded logs over the following months. Multiple threat intelligence sources observed Acreed activity jump from dozens of logs in early 2025 to well over 100,000 logs by mid‑year, illustrating how quickly it filled the gap in the MaaS ecosystem.

Unique C2 via Steam and BNB Smart Chain

One of the most distinctive aspects of Acreed malware is its resilient command‑and‑control (C2) architecture. Instead of hard‑coded C2 domains, Acreed samples use a mechanism in which C2 information is stored on public platforms acting as “dead drop” resolvers, notably the Steam platform and the BNB Smart Chain Testnet.

Researchers have documented Acreed retrieving encrypted C2 domain data from smart contracts on the BNB Smart Chain and from Steam community profile pages, then decrypting these values at runtime using XOR keys embedded in the malware. This design makes static blocking of known C2 domains far less effective and complicates attribution, since the C2 endpoints can be rotated or updated without redeploying the malware.

In addition, Acreed’s infection chain has been observed leveraging loaders, such as ShadowLoader, and abusing legitimate components like WebView2 DLLs for side-loading, further reducing its visibility to endpoint protection tools. Combined with JSON-based exfiltration over seemingly benign channels, these characteristics make Acreed more resilient than many legacy stealers.
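Because the C2 addresses live on public platforms, a domain blocklist will not catch the lookup itself; what stands out in telemetry is which process performs it. The script below is an added detection example written for this post (not Acreed's code and not a vendor rule) that runs two heuristics over constructed endpoint events: a non-browser, non-Steam process fetching Steam community profile pages or BNB Smart Chain RPC nodes, and a WebView2 loader DLL being loaded unsigned or from a user-writable directory. The host suffixes, the trusted-process list, the DLL name and the user-writable path hints are assumptions for illustration; the sample events are constructed.

```python
import ntpath
from dataclasses import dataclass

# Processes expected to contact Steam or a blockchain RPC node. Anything else
# resolving a "dead drop" is worth a look. Assumed list for illustration.
BROWSER_LIKE = {"chrome.exe", "msedge.exe", "firefox.exe",
                "steam.exe", "steamwebhelper.exe"}

# Host suffixes for the public platforms the post names as dead-drop resolvers:
# Steam community profile pages and BNB Smart Chain (testnet) JSON-RPC nodes.
# Assumed for illustration; take the real values from your own telemetry.
DEAD_DROP_HOSTS = ("steamcommunity.com", "bnbchain.org", "binance.org")

# Loader DLL name that side-loading abuse would mimic (assumed) and path
# fragments that indicate a user-writable location (assumed).
WEBVIEW2_DLL_NAMES = {"webview2loader.dll"}
USER_WRITABLE_HINTS = (r"\appdata\local\temp", r"\downloads",
                       r"\users\public", r"\programdata")


@dataclass
class NetEvent:
    process: str
    host: str
    path: str


@dataclass
class ImageLoadEvent:
    process: str
    image_path: str
    signed: bool


# Constructed telemetry: one benign browser lookup, one unexpected process
# hitting both dead drops and side-loading the DLL, one legitimate app load.
SAMPLE_EVENTS = [
    NetEvent("chrome.exe", "steamcommunity.com", "/profiles/PLACEHOLDER_ID"),
    NetEvent("updater.exe", "steamcommunity.com", "/profiles/PLACEHOLDER_ID"),
    NetEvent("updater.exe", "data-seed-prebsc-1-s1.binance.org", "/"),
    ImageLoadEvent("updater.exe",
                   r"C:\Users\jdoe\AppData\Local\Temp\WebView2Loader.dll", False),
    ImageLoadEvent("Teams.exe", r"C:\Program Files\Teams\WebView2Loader.dll", True),
]


def is_dead_drop_host(host):
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in DEAD_DROP_HOSTS)


def detect(events):
    """Return (rule, process, detail) tuples for every event that trips a rule."""
    findings = []
    for ev in events:
        if isinstance(ev, NetEvent):
            if ev.process.lower() not in BROWSER_LIKE and is_dead_drop_host(ev.host):
                findings.append(("dead_drop_lookup", ev.process, ev.host))
        elif isinstance(ev, ImageLoadEvent):
            name = ntpath.basename(ev.image_path).lower()
            directory = ntpath.dirname(ev.image_path).lower()
            suspicious_dir = any(h in directory for h in USER_WRITABLE_HINTS)
            if name in WEBVIEW2_DLL_NAMES and (not ev.signed or suspicious_dir):
                findings.append(("webview2_sideload", ev.process, ev.image_path))
    return findings


def correlate(findings):
    """Processes that both side-loaded the DLL and resolved a dead drop:
    the two weak signals together are a far stronger indicator than either alone."""
    by_rule = {}
    for rule, process, _ in findings:
        by_rule.setdefault(rule, set()).add(process.lower())
    return by_rule.get("dead_drop_lookup", set()) & by_rule.get("webview2_sideload", set())


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("high-confidence:", sorted(correlate(found)))
```

On the constructed events the browser's Steam lookup is ignored, while updater.exe trips both rules and is the only process returned by the correlation step. Either heuristic alone will produce noise (launchers and wallets talk to these platforms legitimately); their intersection per process is what is worth paging on.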

Targeting SaaS and SSO at Scale

What truly differentiates Acreed stealer in 2026 is its focus on SaaS and SSO credentials. Analyses of Acreed‑tagged logs show that a majority of stolen credentials are associated with SaaS platforms, with a high percentage tied to corporate SSO providers used to access multiple business-critical systems.

Acreed is optimized to harvest browser‑stored credentials and active session tokens from major cloud platforms, like Microsoft 365, Google Workspace, AWS, Azure, and Salesforce. By hijacking these tokens, Acreed enables attackers to bypass multi‑factor authentication (MFA), impersonate users, and move laterally within an organization’s cloud environment without immediately triggering login challenges.

This shift from simply stealing username/password pairs to stealing valid session tokens and SSO credentials significantly amplifies the impact of a single endpoint compromise. A single Acreed infection can translate into broad access across email, collaboration tools, CRM, source control and internal admin portals, turning stealer logs into high‑value commodities for ransomware operators and other financially motivated actors.

Defending Against Acreed Infostealer in 2026

The infostealer threat is greater than ever, and Acreed exemplifies the speed at which new families can rise to dominance when established MaaS platforms are disrupted. Without proper monitoring of the latest threats, your information might be exposed in an easily accessible stealer log and abused to execute attacks.

To reduce risk from Acreed and similar malware, organizations should:

  • Strengthen endpoint controls with behavior‑based detection capable of identifying credential theft, suspicious browser data access, and DLL side-loading activity.
  • Limit browser‑stored credentials, enforce password managers with enterprise policies, and tightly control access to high‑value SaaS and SSO applications.
  • Monitor for compromised credentials and session tokens on dark web markets and Telegram channels, and integrate this intelligence into incident response workflows.
  • Implement robust incident response playbooks specifically for compromised credentials, including forced logouts, token revocation, and rapid access review across cloud platforms.
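The last recommendation, forced logouts and token revocation, is where the cookie folder in a stealer log becomes actionable: the cookies that matter most are unexpired sessions for identity providers, since replaying them sidesteps MFA. The script below is an added example for this post, not code from Acreed or from Webz.io, showing how a playbook can rank those cookies. It assumes the cookie files use the tab-separated Netscape cookie layout (domain, subdomain flag, path, secure flag, expiry, name, value), and the IdP domain list and every cookie value are constructed placeholders.

```python
import time
from dataclasses import dataclass

# Constructed cookie file in Netscape format (an assumption about the log's
# cookie folder). Expiries: 4102444800 = 2100-01-01, 946684800 = 2000-01-01.
SAMPLE_COOKIE_FILE = """\
# Netscape HTTP Cookie File
.login.microsoftonline.com\tTRUE\t/\tTRUE\t4102444800\tESTSAUTH\tREDACTED_TOKEN_1
.google.com\tTRUE\t/\tTRUE\t4102444800\tSID\tREDACTED_TOKEN_2
.sso.example.com\tTRUE\t/\tTRUE\t946684800\tsid\tEXPIRED_TOKEN_3
.netflix.com\tTRUE\t/\tTRUE\t4102444800\tNetflixId\tREDACTED_TOKEN_4
"""

# Identity-provider / SSO domains whose session cookies stand in for a
# completed MFA login. Assumed list for illustration; maintain your own.
IDP_DOMAINS = {"login.microsoftonline.com", "google.com", "sso.example.com"}


@dataclass
class Cookie:
    domain: str
    name: str
    expires: int


def parse_netscape_cookies(text):
    """Parse Netscape-format lines; comments and malformed lines are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue
        domain, _flag, _path, _secure, expiry, name, _value = parts
        cookies.append(Cookie(domain.lstrip(".").lower(), name, int(expiry)))
    return cookies


def live_sso_sessions(text, now=None):
    """IdP cookies that had not expired at triage time: revoke these first."""
    now = time.time() if now is None else now
    return [c for c in parse_netscape_cookies(text)
            if c.domain in IDP_DOMAINS and c.expires > now]


def response_plan(text, now=None):
    """Order the playbook: server-side session revocation for live IdP cookies,
    then password reset and access review for everything else in the log."""
    now = time.time() if now is None else now
    actions = []
    for c in live_sso_sessions(text, now):
        actions.append(("revoke_sessions", c.domain, c.name))
    for c in parse_netscape_cookies(text):
        if c.domain not in IDP_DOMAINS or c.expires <= now:
            actions.append(("reset_and_review", c.domain, c.name))
    return actions


if __name__ == "__main__":
    for action in response_plan(SAMPLE_COOKIE_FILE):
        print(action)
```

Evaluated at a triage time of 2025-01-01, the plan lists the Microsoft and Google sessions for immediate revocation and pushes the expired SSO cookie and the Netflix cookie into the reset-and-review step. The client-side expiry is only a prioritization hint: a cookie the log shows as expired may still be paired with a refresh token, so the reset step still applies to every account in the log.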

This risk can be minimized by using a dark web monitoring tool like Lunar and actively using the data provided to mitigate the threat. To ensure maximum security for you and your data, enhance general security measures and increase awareness of scam messages and phishing, which remain the primary infection vectors for Acreed and other infostealers.

FAQs

What makes the Acreed stealer different from other infostealers?

Acreed stands out for its resilient C2 design using Steam and the BNB Smart Chain, its focus on SaaS and SSO credentials, and its extensive use of session token theft to bypass MFA. It also favors compact, JSON‑driven logs that give actors quick insight into each victim’s value.

How does Acreed malware avoid detection?

Acreed leverages several evasion techniques, including DLL side-loading via legitimate components like WebView2, JSON-based exfiltration, and C2 domain retrieval from public platforms that blend into normal traffic. These features make static indicators less reliable and challenge traditional signature-based defenses.

What data does Acreed target?

Acreed targets browser‑stored credentials, cookies, and session tokens, along with system information such as HWID, IP addresses, and installed software. It also focuses heavily on SaaS and SSO accounts and can collect cryptocurrency wallet data, credit card information, and messaging app content when available.

How did the LummaC2 takedown affect Acreed’s growth?

The May 2025 LummaC2 takedown removed a dominant infostealer that previously accounted for the majority of logs on Russian Market. In the ensuing vacuum, threat actors quickly pivoted to Acreed, driving a rapid surge in its market share and helping it become a leading infostealer by 2026.

How can organizations detect and respond to an Acreed infection?

Detection requires behavior‑focused controls that flag unusual browser data access, token theft, and outbound connections consistent with Acreed’s C2 techniques. Once suspected, organizations should immediately revoke tokens and sessions, reset credentials, review access across key SaaS platforms, and follow structured incident response playbooks for compromised credentials.


Lior Tenzer

Cyber Analyst
