Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
Malware

Acreed

Acreed is an information-stealing malware family / infostealer that gained rapid traction in 2025 and is described as one of the most prevalent active infostealer services that year, commonly ranked behind Lumma and alongside Rhadamanthys, Vidar, and StealC. Reporting states Acreed was first advertised on Russian Market in February 2025 by a user named "Nu####ez," and is assessed to be a private project. It has also been described as a newer stealer that quickly surpassed many established infostealers by Q1 2025. Acreed is associated with the broader infostealer ecosystem in which stolen logs are traded on Russian-speaking forums and underground markets. One source notes Acreed has links to Vidar, but no further technical detail is provided. The content consistently characterizes Acreed as infostealing malware; however, specific collection mechanisms, supported platforms, infection chain details, and concrete IOCs are not provided in the supplied material.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Credential Access

3 techniques
T1110.004Credential StuffingEvidence1

“...test stolen credentials across multiple services, and adjust tactics based on failed attempts without human input.” / “stolen credentials could be tested against thousands of endpoints simultaneously, including corporate VPNs, SaaS providers, and cloud services…”

T1539Steal Web Session CookieEvidence1

“Attackers are using stolen session cookies to authenticate as legitimate users, bypassing traditional perimeter defenses…”

T1555Credentials from Password StoresEvidence1

“Infostealers infected 11.1 million machines in 2025, producing a stockpile of 3.3 billion stolen credentials, session cookies, cloud tokens…”

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
bank info securityNews
Jun 24, 2026
Infostealers StealC and Amadey Disrupted in Police Crackdown

An active infostealer service cited as one of the more prevalent offerings in 2025.

Read more
govinfosecurityNews
Jun 24, 2026
Infostealers StealC and Amadey Disrupted in Police Crackdown

Acreed is identified as an active infostealer service and one of the most prevalent infostealers in 2025.

Read more
help net securityNews
Mar 12, 2026
Agentic attack chains advance as infostealers flood criminal markets - Help Net Security

An infostealer listed among the most active by infected hosts in 2025.

Read more
sherpa intelligenceNews
Nov 3, 2025
What'd I Miss? InfoSec Weekend News Roundup for October 31 - November 2, 2025

A newly discovered spyware toolkit that spreads rapidly via emails disguised as genuine messages or software updates, silently installing itself on compromised machines.

Read more
+5 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.