Picture this: you're a freelance designer, and a client sends over what looks like a Google verification plugin. The file name even says "verificationgoogle." You double-click it without a second thought. Within sixty seconds — before you've even noticed anything wrong — your saved browser passwords, cryptocurrency wallets, and cloud storage credentials are being silently packaged up and shipped to a stranger on the other side of the world.
That's ACRStealer. And it's getting better at slipping past the tools we trust to catch it.
What Is ACRStealer, Exactly?
ACRStealer is an information stealer — a type of malware whose entire job is to vacuum up your personal and financial data, then send it to attackers. Think of it like a digital pickpocket: it doesn't trash your computer or lock your files. It just quietly rifles through your pockets, grabs what's valuable, and disappears.
First spotted as a growing threat in early 2025, ACRStealer is sold as a service on underground forums. That means the person who built it isn't necessarily the person using it. Anyone willing to pay a subscription fee gets access to a slick dashboard and a ready-made stealing tool. This "malware-as-a-service" model is exactly why ACRStealer keeps showing up in new campaigns — there are many customers.
What makes the sample we're looking at today especially interesting is how sneaky it is.
This Sample: Hiding in Plain Sight
ThreatChain recently flagged a file called verificationgoogle.dll — a name carefully chosen to look like something legitimate from Google. Here are the details:
| Detail | Value |
|---|---|
| File name | verificationgoogle.dll |
| Also seen as | WSCPlugin.dll, verification.google, yee85erl.exe |
| Type | Windows 64-bit DLL (a shared code library that other programs can load) |
| Size | ~3.4 MB |
| First seen | April 7, 2026 |
| SHA-256 | de5691a05fff72c33b1a67cab94f0ce24a712fdf46e71d2cbd47bc76b634f54d |
| Detection rate | 15 out of 75 antivirus engines flagged it |
That last number is the headline: only 20% of antivirus scanners caught it. Several well-known security tools — including at least one sandbox environment — initially returned a verdict of "clean" or "no threats detected." The malware was specifically designed to dodge automated analysis.
How It Works (Without the Jargon)
Let's walk through what this file actually does, step by step.
1. The Disguise
The file pretends to be a DLL — a type of Windows helper file that legitimate programs load all the time. By naming itself after Google verification or a "WSC Plugin" (WSC stands for Windows Security Center), it's betting that neither you nor your security tools will look twice. It's like a burglar wearing a FedEx uniform: people hold the door open for them.
2. Anti-Analysis Tricks
This sample is packed with techniques to detect when it's being watched. Security researchers often run suspicious files inside a "sandbox" — a virtual padded room where malware can't do real damage. This ACRStealer variant checks whether a debugger is attached (a debugger is a tool researchers use to step through code line by line). If it senses it's being analyzed, it behaves itself. It only goes to work when it believes it's running on a real victim's machine.
Think of it like a con artist who acts perfectly normal whenever a police officer is watching but goes back to pickpocketing the moment the cop turns the corner.
3. Written in Go
Here's a technical wrinkle that matters: this sample is written in Go (also called Golang), a programming language created by Google. Most Windows malware is written in C or C++. Go is unusual — and that's exactly the point. Security tools that are excellent at analyzing C-based malware can struggle with Go binaries. The code structure looks different, the file is larger, and automated detection rules often don't apply cleanly.
It's an increasingly popular trick. Attackers get a kind of camouflage just by choosing an unexpected programming language.
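As an added example (not code from ThreatChain or from the original write-up), here is a small Python triage script a defender might run over a suspicious file. It covers the two traits described in sections 2 and 3: it looks for the generic strings the Go toolchain leaves in every binary it builds, and for the names of Windows APIs that anti-debugging code commonly references, and it matches the file's SHA-256 and name against the indicators published in this post. The sample bytes at the bottom are constructed for the demonstration and are not the real sample; the marker and API lists are general Go and Windows knowledge, not anything extracted from verificationgoogle.dll.

```python
"""Static triage helper: checks a file against the indicators published in this post
and looks for two traits the write-up describes, Go toolchain markers and
anti-debugging API names. Heuristic only; a miss does not mean the file is clean."""
import hashlib
import re

# Indicators of compromise as published in the write-up above.
KNOWN_SHA256 = {
    "de5691a05fff72c33b1a67cab94f0ce24a712fdf46e71d2cbd47bc76b634f54d": "ACRStealer (verificationgoogle.dll)",
}
SUSPICIOUS_NAMES = {"verificationgoogle.dll", "wscplugin.dll", "verification.google", "yee85erl.exe"}

# Strings the Go linker leaves in the binaries it produces (generic Go markers, not sample-specific).
GO_MARKERS = (b"Go build ID:", b"go.buildid", b"runtime.main", b"runtime.gopanic")
GO_VERSION_RE = re.compile(rb"go1\.\d{1,2}(?:\.\d{1,2})?")

# Windows API names that anti-debugging code commonly references; a hint for triage, not proof.
ANTI_DEBUG_APIS = (b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent", b"NtQueryInformationProcess")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def go_indicators(data: bytes) -> dict:
    """Return which Go markers are present and the toolchain version string, if any."""
    found = [m.decode() for m in GO_MARKERS if m in data]
    version = GO_VERSION_RE.search(data)
    return {
        "markers": found,
        "version": version.group(0).decode() if version else None,
        # One marker alone is weak evidence; require two, or one plus a version string.
        "is_go": bool(found) and (len(found) >= 2 or version is not None),
    }


def anti_debug_indicators(data: bytes) -> list:
    """Return the anti-debugging API names that appear as plain strings in the file."""
    return [api.decode() for api in ANTI_DEBUG_APIS if api in data]


def triage(file_name: str, data: bytes) -> dict:
    """Combine hash match, name match and static traits into one triage record."""
    digest = sha256_hex(data)
    go = go_indicators(data)
    anti_debug = anti_debug_indicators(data)
    reasons = []
    if digest in KNOWN_SHA256:
        reasons.append("sha256 matches " + KNOWN_SHA256[digest])
    if file_name.lower() in SUSPICIOUS_NAMES:
        reasons.append("file name matches a published indicator")
    if go["is_go"]:
        reasons.append("Go binary (" + (go["version"] or "version unknown") + ")")
    if anti_debug:
        reasons.append("references anti-debug APIs: " + ", ".join(anti_debug))
    # A hash or name hit is an IoC match; Go plus anti-debug strings only warrants a closer look.
    if digest in KNOWN_SHA256 or file_name.lower() in SUSPICIOUS_NAMES:
        verdict = "known-bad"
    elif go["is_go"] and anti_debug:
        verdict = "suspicious"
    else:
        verdict = "no-indicators"
    return {"sha256": digest, "verdict": verdict, "reasons": reasons, "go": go, "anti_debug": anti_debug}


# Constructed stand-in for a file body: NOT the real sample, just bytes carrying the
# kinds of strings a Go-built, anti-debug-aware Windows binary would contain.
CONSTRUCTED_SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"\xff Go build ID: \"constructedbuildid\"\n \xff"
    + b"go1.22.1\x00"
    + b"runtime.main\x00runtime.gopanic\x00"
    + b"IsDebuggerPresent\x00CheckRemoteDebuggerPresent\x00"
)

if __name__ == "__main__":
    result = triage("WSCPlugin.dll", CONSTRUCTED_SAMPLE)
    print(result["verdict"])
    for reason in result["reasons"]:
        print(" -", reason)
```

To run it over a real file, replace CONSTRUCTED_SAMPLE with the bytes read from disk. A Go binary that references debugger-check APIs is only marked suspicious, because plenty of legitimate Go software contains the same strings; only a hash or file-name hit against the published indicators yields known-bad.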
4. Phone Home
Once running, ACRStealer connects to a command-and-control server — the attacker's remote control panel. This is where it receives instructions and sends your stolen data. Some ACRStealer variants are known for a clever twist here: instead of hard-coding a server address (which defenders can block), they hide the real address inside posts on legitimate platforms like Google Docs or Steam community pages. This technique is called "dead drop resolving" — the malware visits a public webpage to pick up its instructions, like a spy checking a dead drop location in a park.
5. The Grab
Once active, ACRStealer typically goes after:
- Browser passwords and cookies (Chrome, Firefox, Edge — all of them)
- Cryptocurrency wallet files (Bitcoin, Ethereum, and dozens of others)
- FTP and email credentials (FileZilla, Outlook, Thunderbird)
- Two-factor authentication codes from desktop authenticator apps
- Files matching specific patterns — documents, text files, anything that might contain passwords or keys
Everything gets compressed, encrypted, and sent off. The whole process can take under a minute.
Who Should Care?
If you use a Windows computer and store passwords in your browser — which is most of us — you're a potential target. But some groups face outsized risk:
- Small businesses without dedicated IT security. A single employee opening this file could expose client data, financial accounts, and business credentials.
- Freelancers and remote workers who regularly receive files from clients and collaborators.
- Cryptocurrency holders. Stolen wallet keys mean stolen funds, and there's no bank to call for a reversal.
- Developers who might encounter this disguised as a plugin, SDK component, or verification file.
The Real-World Cost
Information stealers like ACRStealer don't just steal one password. They steal all of them — and then attackers sell that bundle on dark web marketplaces, often within hours. A single "log" (one victim's complete stolen data set) sells for anywhere from $5 to $50. Multiply that by thousands of infections, and you can see the business model.
But for the victim, the cost is far higher. Compromised bank accounts. Hijacked social media profiles. Business email accounts used to send fraudulent invoices to your own clients. The cleanup can take weeks. The reputational damage can last much longer.
What You Can Do Right Now
You don't need an enterprise security team to protect yourself. Here are five concrete steps:
- Stop saving passwords in your browser. Use a dedicated password manager like Bitwarden or 1Password instead. If a stealer grabs your browser data, your password manager vault remains separate and encrypted.
- Be suspicious of unexpected DLL and EXE files — especially ones with names designed to sound trustworthy like "verificationgoogle" or "WSCPlugin." If you didn't specifically go looking for it, don't run it.
- Enable two-factor authentication everywhere, but prefer hardware keys (like YubiKey) or phone-based authentication apps over desktop-based ones. Stealers can grab codes from desktop authenticator apps.
- Keep Windows and your antivirus updated. Yes, only 20% of scanners caught this sample initially — but that number improves quickly as detections are added. Being on the latest signatures matters.
- If you run a small business, consider a DNS-level filter (like Cloudflare Gateway's free tier or Quad9). These can block connections to known malicious command-and-control servers, stopping the malware from phoning home even if it does get in.
The Bottom Line
ACRStealer isn't flashy. It doesn't splash a ransom note on your screen or make your computer unusable. That's what makes it dangerous — it steals everything quietly and moves on. The sample we examined today is particularly well-crafted: written in an unusual language, packed with anti-analysis tricks, and barely detected by most antivirus tools at the time it appeared.
The best defense isn't any single tool. It's a healthy dose of skepticism about unexpected files, good password hygiene, and keeping your systems updated. None of that costs a dime — and it makes you a much harder target.
Sample SHA-256: de5691a05fff72c33b1a67cab94f0ce24a712fdf46e71d2cbd47bc76b634f54d
Family: ACRStealer | First seen: April 7, 2026 | Origin: US
VirusTotal detection: 15/75 | Threat label: trojan.midie
If you encounter this file or similar ones, report them to your IT team or upload them to VirusTotal for analysis.
This sample is available as a password-protected ZIP (password: infected) for security researchers.