Skip to content
Threat Feed
high threat

ACR Stealer Campaigns Use ClickFix Lures, WebDAV, and Steganography for Credential Theft

Microsoft Defender Experts observed increased ACR Stealer activity from late April to mid-June 2026, using ClickFix social engineering lures in two distinct campaigns to steal browser credentials, authentication tokens, and sensitive documents from enterprise environments via WebDAV-based Python loaders or MSHTA-initiated PowerShell with steganography.

From late April to mid-June 2026, Microsoft Defender Experts identified a surge in ACR Stealer activity impacting customer environments. ACR Stealer, an information-stealing malware offered via a malware-as-a-service (MaaS) model and reportedly a rebrand of Amatera Stealer, employs "ClickFix" social engineering lures to trick users into executing malicious commands. Two primary campaigns were observed: one utilizing WebDAV-delivered payloads, staged PowerShell, Python-based loaders, and blockchain-backed command-and-control (C2); the other adopting a fileless approach with MSHTA, obfuscated PowerShell, and steganography for in-memory execution. Both campaigns share the common objective of stealing browser credentials, session tokens, authentication artifacts, and sensitive enterprise documents. Successful compromise can lead to account takeover, unauthorized access to cloud resources, and subsequent intrusion activities.

Attack Chain

  1. Initial Access via ClickFix Lure: Users are tricked by social engineering (e.g., malvertising, SEO poisoning) through a "ClickFix" prompt to execute a threat actor-provided command.
  2. Remote DLL Execution via cmd.exe and rundll32.exe: The user-executed command initiates cmd.exe, which then calls rundll32.exe to load and execute a malicious DLL directly from a remote WebDAV share over HTTPS. Attackers may use pushd to map the remote share locally and conhost.exe -headless for stealth.
  3. Staged PowerShell Loader Execution: The loaded DLL communicates with C2 infrastructure and executes a heavily obfuscated PowerShell script, which employs arithmetic no-ops, dead loops, and randomized variable names for evasion.
  4. Payload Download and Staging: The PowerShell script downloads a ZIP-packaged payload from a remote server, extracting it into a deceptive directory (e.g., LogiOptionsPlus) under %LocalAppData%\Temp.
  5. Python-based Loader Launch: A bundled pythonw.exe instance is used to launch a Python script from the extracted payload, thereby avoiding console window display.
  6. Persistence Establishment: A hidden scheduled task, disguised as a legitimate software update, is created to ensure the malware's execution at user sign-in.
  7. Defense Evasion: The malware copies timestamps from a legitimate Windows binary (notepad.exe) to its deployed files and clears PowerShell command history to hinder forensic analysis.
  8. Information Theft and Exfiltration: The Python-based loader collects browser-stored credentials, authentication tokens, and sensitive documents, which are then prepared for exfiltration, potentially to blockchain C2 infrastructure.

Impact

Successful ACR Stealer infections lead to significant data breaches within targeted enterprises. Victims face the exposure of browser credentials, session tokens, authentication artifacts, and other sensitive documents, which can be leveraged for account compromise, unauthorized access to cloud resources, and further intrusive activities within the network. The scope of targeting is broad, impacting various enterprise customer environments observed by Microsoft Defender Experts. The theft of such critical data facilitates lateral movement and potentially expands the attacker's foothold, leading to more severe and widespread compromises.

Recommendation

  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious rundll32.exe and pythonw.exe activity.
  • Enable Sysmon process creation logging to capture cmd.exe, rundll32.exe, and pythonw.exe executions for analysis.
  • Monitor for rundll32.exe processes executing DLLs directly from remote network shares, especially WebDAV shares, as identified in Detect ACR Stealer Rundll32 WebDAV Payload Execution.
  • Monitor for pythonw.exe processes launching from temporary user application data directories (e.g., %LocalAppData%\Temp\) when the parent process is suspicious, as described in Detect ACR Stealer Python Loader from Temp Directory.
  • Implement robust endpoint detection and response (EDR) solutions, such as Microsoft Defender for Endpoint, to detect living-off-the-land binaries, obfuscated PowerShell, and scheduled task persistence.
  • Educate users on "ClickFix" and other social engineering lures to prevent initial execution of malicious commands.

Detection coverage 2

Detect ACR Stealer Rundll32 WebDAV Payload Execution

high

Detects rundll32.exe loading a DLL directly from a remote WebDAV share over HTTPS, a common initial execution method for ACR Stealer.

sigma tactics: defense_evasion, execution techniques: T1218.011 sources: process_creation, windows

Detect ACR Stealer Python Loader from Temp Directory

medium

Detects suspicious execution of pythonw.exe from the user's Local AppData temporary directory, a common stage for ACR Stealer's Python-based loader.

sigma tactics: defense_evasion, execution techniques: T1059.006, T1564.001 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →