The world of cybersecurity has a new threat on its hands, with the emergence of ACRStealer, a sophisticated malware variant that ingeniously exploits Google Docs as a command-and-control (C2) server, thereby stealing sensitive login credentials. This advanced attack method leverages the trusted reputation of Google’s services to avoid detection, representing a significant escalation in credential-theft campaigns. ACRStealer operates by embedding malicious scripts within benign-looking documents shared via Google Drive, which, once opened by the victim, activate a multi-stage payload retrieval process utilizing Google Docs’ API to communicate with attacker-controlled documents. This makes the network traffic appear legitimate, masking the malicious activities. According to cybersecurity firm ThreatSec, over 12,000 enterprise accounts across various sectors, including finance, healthcare, and e-commerce, have already been compromised by this cunning malware.
The Mechanism Behind ACRStealer
ACRStealer’s clever tactics revolve around embedding malicious scripts within innocuous-looking documents. The documents, which seem perfectly benign to the unsuspecting user, contain hidden scripts that become active once the document is opened. These scripts then initiate a multi-stage payload retrieval process via the Google Docs API, making it hard to discern the malicious activity from normal traffic. The use of Google’s API for communications with attacker-controlled documents is particularly ingenious, as it ensures that the network activity looks genuine. The hackers’ exploitation of Google’s reputation for security and reliability allows them to carry out their nefarious activities with little initial suspicion.
Once the malware is active, it retrieves and executes a malicious payload. This is done through a Python-based script that accesses and decodes a Base64-encoded payload from a specific Google Doc. The payload is then executed on the victim’s machine. What makes detection even more challenging is the use of AES-256-CBC encryption with a static initialization vector (IV). This encryption method is highly secure and complicates the reverse-engineering of the malware. However, researchers have noted that the IV is consistent across different samples of ACRStealer, potentially offering a way to identify and track the malware.
Data Exfiltration Tactics
Data exfiltration is a critical phase of any credential theft campaign, and ACRStealer handles this with equal cunning. After the malware collects the required credentials and other sensitive data, it utilizes Google Forms to send the stolen information. The data is structured into JSON-formatted submissions, which are designed to emulate legitimate browser traffic. By leveraging Google Forms’ SSL encryption, ACRStealer effectively evades most data-loss prevention systems that would otherwise flag such suspicious activities. The use of Google’s OAuth 2.0 framework for authentication and interaction with Google Docs further complicates efforts to identify the malicious activity. This approach makes the entire data exfiltration process appear as routine, normal activity.
Researchers at ASEC validated the data exfiltration method and highlighted the sophistication of these tactics. The stolen data, masked as harmless routine submissions, is sent securely, again utilizing Google’s robust security measures to evade detection. Given the high level of sophistication and the apparent ease with which ACRStealer exploited these platforms, it is clear that traditional security measures may not be sufficient to combat such advanced threats. Organizations must place increased emphasis on monitoring Google Drive API activity and scrutinizing unusual document accesses to better defend against such attacks.
Countermeasures and Ongoing Risks
In response to the detection of ACRStealer, Google has taken prompt action to mitigate the immediate threat. As of February 21, 2025, access to 43 compromised documents linked to ACRStealer has been revoked. However, cybersecurity experts warn that while this action disrupts current operations, there is a high likelihood of copycat campaigns emerging. This underscores the need for continuous vigilance and proactive threat-hunting. Organizations are also advised to enforce multi-factor authentication (MFA) for Google Workspace accounts and other critical systems.
The broader implications of ACRStealer’s methods are significant. The malware’s ability to exploit widely trusted platforms like Google Docs highlights a critical vulnerability in how such services can be leveraged for malicious purposes. Security teams must adopt enhanced security protocols, including regular user education on phishing and other social engineering tactics. These steps are crucial in building a more resilient defense against sophisticated threats. Additionally, organizations should stay updated on the latest threat intelligence to anticipate and counter evolving tactics.
A Continued Need for Vigilance
ACRStealer employs sophisticated strategies by embedding harmful scripts in seemingly harmless documents. These documents appear non-threatening to the average user but contain covert scripts that activate upon opening. This triggers a multi-stage process to retrieve the payload via the Google Docs API, making the malicious activity blend in with regular network traffic. Exploiting Google’s API is particularly clever, as it makes the network communications seem legitimate. The hackers leverage Google’s trusted reputation to avoid initial suspicion.
Once the malware is activated, it retrieves and executes a malicious payload. This process involves a Python script that accesses and decodes a Base64-encoded payload from a specified Google Doc. The payload is then run on the victim’s computer. Adding to the detection difficulty is the use of AES-256-CBC encryption with a static initialization vector (IV). This robust encryption complicates the malware’s reverse-engineering. However, researchers have found that the IV remains consistent across various ACRStealer samples, potentially helping to track and identify the malware.