ACR Stealer Campaigns Use ClickFix Lures, WebDAV, and Steganography for Credential Theft
Microsoft Defender Experts observed increased ACR Stealer activity from late April to mid-June 2026, using ClickFix social engineering lures in two distinct campaigns to steal browser credentials, authentication tokens, and sensitive documents from enterprise environments via WebDAV-based Python loaders or MSHTA-initiated PowerShell with steganography.
From late April to mid-June 2026, Microsoft Defender Experts identified a surge in ACR Stealer activity impacting customer environments. ACR Stealer, an information-stealing malware offered via a malware-as-a-service (MaaS) model and reportedly a rebrand of Amatera Stealer, employs "ClickFix" social engineering lures to trick users into executing malicious commands. Two primary campaigns were observed: one utilizing WebDAV-delivered payloads, staged PowerShell, Python-based loaders, and blockchain-backed command-and-control (C2); the other adopting a fileless approach with MSHTA, obfuscated PowerShell, and steganography for in-memory execution. Both campaigns share the common objective of stealing browser credentials, session tokens, authentication artifacts, and sensitive enterprise documents. Successful compromise can lead to account takeover, unauthorized access to cloud resources, and subsequent intrusion activities.
Attack Chain
- Initial Access via ClickFix Lure: Users are tricked by social engineering (e.g., malvertising, SEO poisoning) through a "ClickFix" prompt to execute a threat actor-provided command.
- Remote DLL Execution via
cmd.exeandrundll32.exe: The user-executed command initiatescmd.exe, which then callsrundll32.exeto load and execute a malicious DLL directly from a remote WebDAV share over HTTPS. Attackers may usepushdto map the remote share locally andconhost.exe -headlessfor stealth. - Staged PowerShell Loader Execution: The loaded DLL communicates with C2 infrastructure and executes a heavily obfuscated PowerShell script, which employs arithmetic no-ops, dead loops, and randomized variable names for evasion.
- Payload Download and Staging: The PowerShell script downloads a ZIP-packaged payload from a remote server, extracting it into a deceptive directory (e.g.,
LogiOptionsPlus) under%LocalAppData%\Temp. - Python-based Loader Launch: A bundled
pythonw.exeinstance is used to launch a Python script from the extracted payload, thereby avoiding console window display. - Persistence Establishment: A hidden scheduled task, disguised as a legitimate software update, is created to ensure the malware's execution at user sign-in.
- Defense Evasion: The malware copies timestamps from a legitimate Windows binary (
notepad.exe) to its deployed files and clears PowerShell command history to hinder forensic analysis. - Information Theft and Exfiltration: The Python-based loader collects browser-stored credentials, authentication tokens, and sensitive documents, which are then prepared for exfiltration, potentially to blockchain C2 infrastructure.
Impact
Successful ACR Stealer infections lead to significant data breaches within targeted enterprises. Victims face the exposure of browser credentials, session tokens, authentication artifacts, and other sensitive documents, which can be leveraged for account compromise, unauthorized access to cloud resources, and further intrusive activities within the network. The scope of targeting is broad, impacting various enterprise customer environments observed by Microsoft Defender Experts. The theft of such critical data facilitates lateral movement and potentially expands the attacker's foothold, leading to more severe and widespread compromises.
Recommendation
- Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious
rundll32.exeandpythonw.exeactivity. - Enable Sysmon process creation logging to capture
cmd.exe,rundll32.exe, andpythonw.exeexecutions for analysis. - Monitor for
rundll32.exeprocesses executing DLLs directly from remote network shares, especially WebDAV shares, as identified inDetect ACR Stealer Rundll32 WebDAV Payload Execution. - Monitor for
pythonw.exeprocesses launching from temporary user application data directories (e.g.,%LocalAppData%\Temp\) when the parent process is suspicious, as described inDetect ACR Stealer Python Loader from Temp Directory. - Implement robust endpoint detection and response (EDR) solutions, such as Microsoft Defender for Endpoint, to detect living-off-the-land binaries, obfuscated PowerShell, and scheduled task persistence.
- Educate users on "ClickFix" and other social engineering lures to prevent initial execution of malicious commands.
Detection coverage 2
Detect ACR Stealer Rundll32 WebDAV Payload Execution
highDetects rundll32.exe loading a DLL directly from a remote WebDAV share over HTTPS, a common initial execution method for ACR Stealer.
Detect ACR Stealer Python Loader from Temp Directory
mediumDetects suspicious execution of pythonw.exe from the user's Local AppData temporary directory, a common stage for ACR Stealer's Python-based loader.
Detection queries are available on the platform. Get full rules →