• 3 min read
Microsoft spots spike in ACR Stealer attacks
Microsoft says ACR Stealer attacks surged between late April and mid-June, using ClickFix, WebDAV, and MSHTA to steal browser and document data.

Image: BleepingComputer
Microsoft says it has seen a surge in ACR Stealer attacks targeting its enterprise customers, with activity observed between late April and mid-June. The malware is being used to steal browser-stored passwords, authentication tokens, and sensitive documents.
According to Microsoft, the threat actor relied on the ClickFix social-engineering technique, WebDAV servers, and the MSHTA utility to deliver the payload. The company says ACR Stealer is a malware-as-a-service operation believed to be a rebrand of Amatera Stealer.
Microsoft highlighted two intrusion chains as the most common. In the first, a ClickFix lure runs a malicious DLL from a remote WebDAV share via rundll32.exe. Microsoft said the attacker typically uses a GUID-based directory structure and filenames in the WebDAV path that mimic legitimate resources, such as google.ct, to blend in with normal traffic.
Once connected to command-and-control infrastructure, a heavily obfuscated PowerShell script launches an installer and sets up persistence. The chain installs a bundled Python loader, creates a scheduled task disguised as a software update, manipulates timestamps, clears PowerShell history, and injects the final payload into a system process for in-memory execution. Some variants also use public blockchain services as dead-drop resolvers to fetch updated payload locations or C2 addresses, a method known as EtherHiding.
In the second chain, ClickFix is used to launch MSHTA, which pulls malicious content from the attacker’s server and runs an obfuscated PowerShell downloader. The malware then extracts an encrypted payload hidden inside a publicly hosted steganographic JPEG image and executes it directly in memory.

Recommended reading
Rostec unveils Spider anti-drone shield for fuel sites
The malware’s goals are straightforward. Microsoft says it can:
- Steal passwords, cookies, session data, and authentication tokens stored in browsers
- Decrypt browser data using the Windows Data Protection API (DPAPI)
- Access Chromium browser databases on Chrome and Edge
- Search for PDFs and Microsoft 365 documents
- Collect files from the Desktop and Downloads folders
- Target enterprise-synced OneDrive and SharePoint directories
All collected data is archived before being exfiltrated.
“These two campaigns represent some of the most prevalent ACR Stealer delivery campaigns observed by Defender Experts; however, they do not represent the full range of delivery methods used by this malware family.”
Microsoft said additional execution chains are likely. As a baseline defense against ClickFix attacks, it urged users not to copy and run commands in terminal tools, especially when prompts claim to fix an error or prove the user is human.
The company also recommends reducing exposure to web-based delivery chains by enforcing filters, blocking low-reputation or new domains, and limiting access to online resources that are not required for business operations. It added that application control rules can help block content launched from remote resources through tools such as PowerShell, Python, mshta.exe, and rundll32.exe, particularly from user-writeable paths.
Microsoft’s report includes a broader set of mitigations and indicators of compromise tied to the ACR Stealer activity it observed.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via BleepingComputer


