Acreed Infostealer – Everything We Know So Far

Infostealers and the stealer logs they produce continue to pose a significant risk to individuals and organizations alike. The malware is designed to extract sensitive credentials such as passwords, wallets, and device information, which is later distributed as a stealer log across Telegram channels, datastores and dark web forums alike.

Through our constant monitoring of the deep and dark web, we identified a a previously undocumented infostealer. This new infostealer is distributing uniquely structured logs on the popular datastore Russian Market.

This blog provides an analysis of the stealer log extracted by this infostealer, while trying to focus on the information leaked and identifying compromised systems.

Name: Acreed

First emergence: February 10th, 2025

We first detected this stealer on the datastore Russian Market, where over the course of about a week over 4k logs were uploaded to the website. It seems as if this infostealer targets Windows systems.

Logs structure:

Like most infostealers, Acreed seeks to extract user information, cookies, passwords, wallets and more. Unlike other stealer log files, this stealer provides a JSON file that outlines the amount of files gathered from each type:  

The stealer log itself contains a few JSON files and folders. Among them are the pc_info.json file which details the main information about the infected device, a password.text file containing URL, logins and passwords and a folder containing cookie files.

Compromised data 

From the observed samples, this infostealer extracts detailed system information including HWID, device and network IPs, username, as well as installed software and their version. The stealer log also provides an indication if the user has admin permissions, which can drastically increase the severity of the incident. 

We also observed stolen credentials from almost all of the major browsers like Chrome, Edge and Firefox. The password files contain usernames and passwords from social media sites, email providers, steaming services and more. On top of that this file contains local network credentials, allowing deeper network access, as well as a possible synchronization with a mobile device due to the presence of android related credentials. Furthermore, cookies were also extracted from said browsers across various different types of websites such as Google and Microsoft services. 

Both the cookies and passwords can be used maliciously to abuse online payments, gain unauthorized access to accounts, and ultimately, account takeover. 

While the samples themselves were quite scarce, we can deduce from the log_info file provided in the log that the malware does have the potential to extract additional data such as wallets and credit cards.

What can you do about it?

The infostealer threat is greater than ever. While we have covered the top infostealers before, it is undeniable that new malware enters the field frequently. Without proper monitoring of the latest threats, your information might be exposed in an easily accessible stealer log and abused to execute attacks.

This risk can be minimized by using a dark web monitoring tool like Lunar, and actively using the data provided to mitigate the threat. To ensure maximum security for you and your data, enhance general security measures and increase awareness of scam messages and phishing.