A newly identified malware variant dubbed ACRStealer has been observed leveraging Google Docs as a command-and-control (C2) server to bypass traditional security defenses and harvest login credentials. Unlike conventional C2 servers hosted on suspicious domains, the malware uses the Google Docs API to communicate with attacker-controlled documents, so its network traffic appears legitimate. The malware operates by embedding malicious scripts within seemingly benign documents shared via Google Drive. Researchers at ASEC confirmed that the stolen data, including passwords, cookies, and authentication tokens, is exfiltrated via Google Forms submissions disguised as routine user activity.

As of February 21, 2025, Google has revoked access to 43 compromised documents linked to ACRStealer, but researchers warn that copycat campaigns are likely imminent. Enterprise security teams are advised to monitor Google Drive API activity for anomalous document accesses, particularly requests targeting documents with randomized or nonsensical titles. Because traditional security tools struggle to flag abuse of trusted platforms like Google Docs, proactive threat hunting and user education remain critical defenses.
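The monitoring advice above, as an added example that is not part of the original article or of ASEC's research: a small Python hunt that scores Drive document titles for a machine-generated look (no vowels, long consonant runs, letters interleaved with digits, a single long token) and groups suspicious accesses per actor. The event shape (actor, event, doc_id, doc_title), the thresholds and every sample title are constructed assumptions, loosely modelled on Google Workspace Drive audit entries; none of it is a real export or a real ACRStealer artefact.

```python
import re
from collections import defaultdict

# Constructed sample events, loosely shaped after Workspace Drive audit entries.
# Made up for this example: not a real export, not real ACRStealer indicators.
SAMPLE_EVENTS = [
    {"actor": "alice@example.com", "event": "view", "doc_id": "1aB", "doc_title": "Q3 Sales Forecast"},
    {"actor": "alice@example.com", "event": "edit", "doc_id": "1aC", "doc_title": "Onboarding Checklist 2025"},
    {"actor": "bob@example.com",   "event": "view", "doc_id": "1aD", "doc_title": "Team Offsite Agenda"},
    {"actor": "bob@example.com",   "event": "view", "doc_id": "9zZ", "doc_title": "xk7q2zprwv9bt"},
    {"actor": "bob@example.com",   "event": "view", "doc_id": "9zY", "doc_title": "Gh3Jk9Lm2Np5Qr"},
    {"actor": "bob@example.com",   "event": "view", "doc_id": "9zZ", "doc_title": "xk7q2zprwv9bt"},
]

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")


def title_signals(title: str) -> dict:
    """Individual heuristics that make a title look machine-generated."""
    lowered = title.lower()
    letters = re.sub(r"[^a-z]", "", lowered)
    tokens = re.findall(r"[a-z0-9]+", lowered)  # split on spaces, '_', '-', etc.
    vowel_ratio = (sum(c in VOWELS for c in letters) / len(letters)) if letters else 0.0
    longest_run = max((len(r) for r in CONSONANT_RUN.findall(letters)), default=0)
    # Letter<->digit switches inside one token: "q3" has 1, "xk7q2zprwv9bt" has 6.
    transitions = sum(
        1 for tok in tokens for a, b in zip(tok, tok[1:]) if a.isdigit() != b.isdigit()
    )
    return {
        "letter_count": len(letters),
        "vowel_ratio": vowel_ratio,
        "longest_consonant_run": longest_run,
        "digit_transitions": transitions,
        "single_long_token": len(tokens) == 1 and len(letters) >= 8,
    }


def title_score(title: str) -> int:
    """0 = looks like a human title, 4 = trips every heuristic. Thresholds are assumed."""
    s = title_signals(title)
    score = 0
    if s["letter_count"] >= 6 and s["vowel_ratio"] < 0.2:  # English runs ~0.35-0.45
        score += 1
    if s["longest_consonant_run"] >= 6:                      # "strengths" tops out at 5
        score += 1
    if s["digit_transitions"] >= 3:
        score += 1
    if s["single_long_token"]:
        score += 1
    return score


def hunt(events, threshold: int = 2) -> dict:
    """Group accesses to suspiciously titled documents per actor.

    Returns {actor: {(doc_id, doc_title): access_count}} so an analyst sees who
    is repeatedly touching the same odd document, the pattern a polling C2 produces.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if title_score(ev["doc_title"]) >= threshold:
            hits[ev["actor"]][(ev["doc_id"], ev["doc_title"])] += 1
    return {actor: dict(docs) for actor, docs in hits.items()}


if __name__ == "__main__":
    for actor, docs in hunt(SAMPLE_EVENTS).items():
        for (doc_id, title), count in docs.items():
            print(f"{actor}: {count}x doc {doc_id} '{title}' (score {title_score(title)})")
```

Title entropy alone is a weak signal on short strings (a real title and a random one of the same length can have nearly the same character entropy), which is why the score combines several structural cues instead. In a real tenant this is a hunt starting point, not an alert: feed it the Drive audit log from the Reports API, baseline it against documents the tenant has already seen, and pivot from any hit to the same actor's Forms and network activity before drawing conclusions.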
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 21 Feb 2025 16:00:17 +0000