{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/acr-stealer/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["ACR Stealer"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["infostealer","malware-as-a-service","social-engineering","webdav","powershell","steganography","credential-theft","data-exfiltration"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eFrom late April to mid-June 2026, Microsoft Defender Experts identified a surge in ACR Stealer activity impacting customer environments. ACR Stealer, an information-stealing malware offered via a malware-as-a-service (MaaS) model and reportedly a rebrand of Amatera Stealer, employs \u0026quot;ClickFix\u0026quot; social engineering lures to trick users into executing malicious commands. Two primary campaigns were observed: one utilizing WebDAV-delivered payloads, staged PowerShell, Python-based loaders, and blockchain-backed command-and-control (C2); the other adopting a fileless approach with MSHTA, obfuscated PowerShell, and steganography for in-memory execution. Both campaigns share the common objective of stealing browser credentials, session tokens, authentication artifacts, and sensitive enterprise documents. Successful compromise can lead to account takeover, unauthorized access to cloud resources, and subsequent intrusion activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access via ClickFix Lure\u003c/strong\u003e: Users are tricked by social engineering (e.g., malvertising, SEO poisoning) through a \u0026quot;ClickFix\u0026quot; prompt to execute a threat actor-provided command.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote DLL Execution via \u003ccode\u003ecmd.exe\u003c/code\u003e and \u003ccode\u003erundll32.exe\u003c/code\u003e\u003c/strong\u003e: The user-executed command initiates \u003ccode\u003ecmd.exe\u003c/code\u003e, which then calls \u003ccode\u003erundll32.exe\u003c/code\u003e to load and execute a malicious DLL directly from a remote WebDAV share over HTTPS. Attackers may use \u003ccode\u003epushd\u003c/code\u003e to map the remote share locally and \u003ccode\u003econhost.exe -headless\u003c/code\u003e for stealth.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStaged PowerShell Loader Execution\u003c/strong\u003e: The loaded DLL communicates with C2 infrastructure and executes a heavily obfuscated PowerShell script, which employs arithmetic no-ops, dead loops, and randomized variable names for evasion.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Download and Staging\u003c/strong\u003e: The PowerShell script downloads a ZIP-packaged payload from a remote server, extracting it into a deceptive directory (e.g., \u003ccode\u003eLogiOptionsPlus\u003c/code\u003e) under \u003ccode\u003e%LocalAppData%\\Temp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePython-based Loader Launch\u003c/strong\u003e: A bundled \u003ccode\u003epythonw.exe\u003c/code\u003e instance is used to launch a Python script from the extracted payload, thereby avoiding console window display.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence Establishment\u003c/strong\u003e: A hidden scheduled task, disguised as a legitimate software update, is created to ensure the malware's execution at user sign-in.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion\u003c/strong\u003e: The malware copies timestamps from a legitimate Windows binary (\u003ccode\u003enotepad.exe\u003c/code\u003e) to its deployed files and clears PowerShell command history to hinder forensic analysis.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Theft and Exfiltration\u003c/strong\u003e: The Python-based loader collects browser-stored credentials, authentication tokens, and sensitive documents, which are then prepared for exfiltration, potentially to blockchain C2 infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful ACR Stealer infections lead to significant data breaches within targeted enterprises. Victims face the exposure of browser credentials, session tokens, authentication artifacts, and other sensitive documents, which can be leveraged for account compromise, unauthorized access to cloud resources, and further intrusive activities within the network. The scope of targeting is broad, impacting various enterprise customer environments observed by Microsoft Defender Experts. The theft of such critical data facilitates lateral movement and potentially expands the attacker's foothold, leading to more severe and widespread compromises.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious \u003ccode\u003erundll32.exe\u003c/code\u003e and \u003ccode\u003epythonw.exe\u003c/code\u003e activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, and \u003ccode\u003epythonw.exe\u003c/code\u003e executions for analysis.\u003c/li\u003e\n\u003cli\u003eMonitor for \u003ccode\u003erundll32.exe\u003c/code\u003e processes executing DLLs directly from remote network shares, especially WebDAV shares, as identified in \u003ccode\u003eDetect ACR Stealer Rundll32 WebDAV Payload Execution\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor for \u003ccode\u003epythonw.exe\u003c/code\u003e processes launching from temporary user application data directories (e.g., \u003ccode\u003e%LocalAppData%\\Temp\\\u003c/code\u003e) when the parent process is suspicious, as described in \u003ccode\u003eDetect ACR Stealer Python Loader from Temp Directory\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement robust endpoint detection and response (EDR) solutions, such as Microsoft Defender for Endpoint, to detect living-off-the-land binaries, obfuscated PowerShell, and scheduled task persistence.\u003c/li\u003e\n\u003cli\u003eEducate users on \u0026quot;ClickFix\u0026quot; and other social engineering lures to prevent initial execution of malicious commands.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T23:26:05Z","date_published":"2026-07-16T23:26:05Z","id":"https://feed.craftedsignal.io/briefs/2026-07-acr-stealer-campaigns/","summary":"Microsoft Defender Experts observed increased ACR Stealer activity from late April to mid-June 2026, using ClickFix social engineering lures in two distinct campaigns to steal browser credentials, authentication tokens, and sensitive documents from enterprise environments via WebDAV-based Python loaders or MSHTA-initiated PowerShell with steganography.","title":"ACR Stealer Campaigns Use ClickFix Lures, WebDAV, and Steganography for Credential Theft","url":"https://feed.craftedsignal.io/briefs/2026-07-acr-stealer-campaigns/"}],"language":"en","title":"CraftedSignal Threat Feed - ACR Stealer","version":"https://jsonfeed.org/version/1.1"}