ACR Stealer: Two observed intrusion chains amid increased threat activity
Essential information
- Published
- 17/07/2026 03:19
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- acr stealer amatera stealer blockchain c2 clickfix steganography webdav
- Related entities
- 16 indicators, 16 observables, 18 techniques (mitre), 2 malware
Description
Between late April and mid-June 2026, Microsoft observed heightened ACR Stealer activity targeting enterprise environments through ClickFix social engineering lures. This information-stealing malware, associated with Amatera Stealer rebranding and offered as malware-as-a-service, deployed through two distinct campaigns. The first utilized WebDAV-delivered payloads with Python loaders and blockchain-based command-and-control resolution. The second employed a fileless approach using MSHTA and steganography-concealed payloads within images. Both campaigns harvested browser credentials, authentication tokens, and sensitive documents from compromised systems. Threat actors leveraged obfuscated PowerShell scripts, scheduled task persistence, and in-memory execution techniques to evade detection. Notable tactics included masquerading as legitimate software updates, utilizing Windows DPAPI for credential decryption, and targeting PDF and Microsoft 365 documents. The blockchain dead-drop technique enabled dynamic i...