VYPR
researchPublished Jul 18, 2026· 1 source

Microsoft Warns of Surge in ACR Stealer Attacks Targeting Enterprise Customers

Microsoft has observed a significant increase in attacks using the ACR Stealer malware, which targets enterprise customers to exfiltrate sensitive data like passwords and documents.

Microsoft has alerted its enterprise customers to a notable surge in attacks employing the ACR Stealer malware, an information-stealing tool designed to pilfer browser-stored passwords, authentication tokens, and sensitive documents. The observed campaign activity, spanning from late April to mid-June, utilized social engineering tactics, WebDAV servers, and the MSHTA utility for malware delivery.

ACR Stealer is understood to be a rebranding of the Amatera Stealer malware, operating as a malware-as-a-service (MaaS). Microsoft has identified two primary intrusion chains that have been most prevalent in these attacks. The first chain begins with a "ClickFix" lure, which prompts the execution of a malicious DLL from a remote WebDAV share via rundll32.exe. Threat actors commonly leverage WebDAV for malware distribution, a tactic previously seen with malware like Bumblebee and Voldemort. To evade detection, attackers often employ GUID-based directory structures and filenames within the WebDAV path, mimicking legitimate resources to blend in with normal network traffic.

Following successful communication with command-and-control (C2) infrastructure, a heavily obfuscated PowerShell script is executed. This script initiates the installation of a malware installer and establishes persistence on the compromised system. The routine involves deploying a bundled Python loader, creating a scheduled task disguised as a software update, manipulating file timestamps, clearing PowerShell history, and injecting the final payload into a legitimate system process for in-memory execution. Some variants of ACR Stealer have been observed using public blockchain services as dead-drop resolvers, a technique known as "EtherHiding," to obtain updated payload locations or C2 addresses.

The second prominent delivery chain also starts with a ClickFix lure, but it leverages MSHTA to retrieve malicious content from an attacker-controlled server. This content then executes an obfuscated PowerShell downloader. Subsequently, the malware extracts an encrypted payload concealed within a steganographic JPEG image hosted publicly. This payload is then executed directly in memory, bypassing traditional file-based detection mechanisms.

Regardless of the delivery method, the core objective of ACR Stealer remains consistent: the theft of sensitive data. This includes passwords, cookies, session data, and authentication tokens stored within web browsers. The malware is capable of decrypting browser data using the Windows Data Protection API (DPAPI) and targets Chromium-based browsers like Chrome and Edge. It also actively searches for PDF and Microsoft 365 documents, collects files from user Desktop and Downloads folders, and targets enterprise-synchronized OneDrive and SharePoint directories.

Microsoft emphasizes that these two observed campaigns represent only a portion of the ACR Stealer threat landscape, and additional delivery methods are likely in use. To mitigate the risk of ClickFix-based attacks, users are advised to exercise extreme caution when copying and executing commands from untrusted sources, particularly those claiming to resolve errors or verify human status. Organizations are encouraged to implement stricter filtering for web-based delivery chains, block low-reputation or newly registered domains, and restrict access to non-essential online resources.

Further defense recommendations from Microsoft include enforcing application control rules to restrict the execution of content from remote resources via tools like PowerShell, Python, mshta.exe, or rundll32.exe, especially from user-writable directories. The company has also provided a comprehensive list of indicators of compromise (IOCs) specific to the observed ACR Stealer activity to aid security teams in detection and response efforts.

Synthesized by Vypr AI