216.73.216.86

ACR Stealer: Two observed intrusion chains amid increased threat activity

· Published 17/07/2026 03:19

Export JSON

Essential information

Published
17/07/2026 03:19
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
acr stealer amatera stealer blockchain c2 clickfix steganography webdav
Related entities
16 indicators, 16 observables, 18 techniques (mitre), 2 malware

Description

Between late April and mid-June 2026, Microsoft observed heightened activity targeting enterprise environments through social engineering lures. This information-stealing malware, associated with rebranding and offered as malware-as-a-service, deployed through two distinct campaigns. The first utilized -delivered payloads with Python loaders and blockchain-based command-and-control resolution. The second employed a fileless approach using MSHTA and -concealed payloads within images. Both campaigns harvested browser credentials, authentication tokens, and sensitive documents from compromised systems. Threat actors leveraged obfuscated PowerShell scripts, scheduled task persistence, and in-memory execution techniques to evade detection. Notable tactics included masquerading as legitimate software updates, utilizing Windows DPAPI for credential decryption, and targeting PDF and Microsoft 365 documents. The blockchain dead-drop technique enabled dynamic i...

External references