<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>ACR Stealer - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/actors/acr-stealer/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 23:26:05 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/actors/acr-stealer/feed.xml" rel="self" type="application/rss+xml"/><item><title>ACR Stealer Campaigns Use ClickFix Lures, WebDAV, and Steganography for Credential Theft</title><link>https://feed.craftedsignal.io/briefs/2026-07-acr-stealer-campaigns/</link><pubDate>Thu, 16 Jul 2026 23:26:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-acr-stealer-campaigns/</guid><description>Microsoft Defender Experts observed increased ACR Stealer activity from late April to mid-June 2026, using ClickFix social engineering lures in two distinct campaigns to steal browser credentials, authentication tokens, and sensitive documents from enterprise environments via WebDAV-based Python loaders or MSHTA-initiated PowerShell with steganography.</description><content:encoded><![CDATA[<p>From late April to mid-June 2026, Microsoft Defender Experts identified a surge in ACR Stealer activity impacting customer environments. ACR Stealer, an information-stealing malware offered via a malware-as-a-service (MaaS) model and reportedly a rebrand of Amatera Stealer, employs &quot;ClickFix&quot; social engineering lures to trick users into executing malicious commands. Two primary campaigns were observed: one utilizing WebDAV-delivered payloads, staged PowerShell, Python-based loaders, and blockchain-backed command-and-control (C2); the other adopting a fileless approach with MSHTA, obfuscated PowerShell, and steganography for in-memory execution. Both campaigns share the common objective of stealing browser credentials, session tokens, authentication artifacts, and sensitive enterprise documents. Successful compromise can lead to account takeover, unauthorized access to cloud resources, and subsequent intrusion activities.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access via ClickFix Lure</strong>: Users are tricked by social engineering (e.g., malvertising, SEO poisoning) through a &quot;ClickFix&quot; prompt to execute a threat actor-provided command.</li>
<li><strong>Remote DLL Execution via <code>cmd.exe</code> and <code>rundll32.exe</code></strong>: The user-executed command initiates <code>cmd.exe</code>, which then calls <code>rundll32.exe</code> to load and execute a malicious DLL directly from a remote WebDAV share over HTTPS. Attackers may use <code>pushd</code> to map the remote share locally and <code>conhost.exe -headless</code> for stealth.</li>
<li><strong>Staged PowerShell Loader Execution</strong>: The loaded DLL communicates with C2 infrastructure and executes a heavily obfuscated PowerShell script, which employs arithmetic no-ops, dead loops, and randomized variable names for evasion.</li>
<li><strong>Payload Download and Staging</strong>: The PowerShell script downloads a ZIP-packaged payload from a remote server, extracting it into a deceptive directory (e.g., <code>LogiOptionsPlus</code>) under <code>%LocalAppData%\Temp</code>.</li>
<li><strong>Python-based Loader Launch</strong>: A bundled <code>pythonw.exe</code> instance is used to launch a Python script from the extracted payload, thereby avoiding console window display.</li>
<li><strong>Persistence Establishment</strong>: A hidden scheduled task, disguised as a legitimate software update, is created to ensure the malware's execution at user sign-in.</li>
<li><strong>Defense Evasion</strong>: The malware copies timestamps from a legitimate Windows binary (<code>notepad.exe</code>) to its deployed files and clears PowerShell command history to hinder forensic analysis.</li>
<li><strong>Information Theft and Exfiltration</strong>: The Python-based loader collects browser-stored credentials, authentication tokens, and sensitive documents, which are then prepared for exfiltration, potentially to blockchain C2 infrastructure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful ACR Stealer infections lead to significant data breaches within targeted enterprises. Victims face the exposure of browser credentials, session tokens, authentication artifacts, and other sensitive documents, which can be leveraged for account compromise, unauthorized access to cloud resources, and further intrusive activities within the network. The scope of targeting is broad, impacting various enterprise customer environments observed by Microsoft Defender Experts. The theft of such critical data facilitates lateral movement and potentially expands the attacker's foothold, leading to more severe and widespread compromises.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious <code>rundll32.exe</code> and <code>pythonw.exe</code> activity.</li>
<li>Enable Sysmon process creation logging to capture <code>cmd.exe</code>, <code>rundll32.exe</code>, and <code>pythonw.exe</code> executions for analysis.</li>
<li>Monitor for <code>rundll32.exe</code> processes executing DLLs directly from remote network shares, especially WebDAV shares, as identified in <code>Detect ACR Stealer Rundll32 WebDAV Payload Execution</code>.</li>
<li>Monitor for <code>pythonw.exe</code> processes launching from temporary user application data directories (e.g., <code>%LocalAppData%\Temp\</code>) when the parent process is suspicious, as described in <code>Detect ACR Stealer Python Loader from Temp Directory</code>.</li>
<li>Implement robust endpoint detection and response (EDR) solutions, such as Microsoft Defender for Endpoint, to detect living-off-the-land binaries, obfuscated PowerShell, and scheduled task persistence.</li>
<li>Educate users on &quot;ClickFix&quot; and other social engineering lures to prevent initial execution of malicious commands.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>infostealer</category><category>malware-as-a-service</category><category>social-engineering</category><category>webdav</category><category>powershell</category><category>steganography</category><category>credential-theft</category><category>data-exfiltration</category></item></channel></rss>