ACR Stealer
ACR Stealer is a malware-as-a-service (MaaS) information stealer written in C++ and active since 2024. It is described as a credential and data theft infostealer and has been linked to the SideCopy threat group. Reported theft capabilities include browser credentials, passwords, cookies, session tokens, sensitive files, system information, clipboard contents, installed antivirus details, and cryptocurrency wallet data. MS-ISAC reporting states it uses HTTP and TCP for command-and-control and can establish persistence via AutoRun registry keys or the Startup folder, depending on the host environment.
The malware has been observed as a final payload in multiple delivery chains and campaigns. Recent reporting ties it to ClearFake drive-by and fake CAPTCHA/paste-and-run campaigns, fake Claude/Claude Code installation pages promoted through Google Ads malvertising, cracked software and pirated game distribution chains, and RenEngine/HijackLoader-based infections delivered through trojanized Ren'Py launchers. It has also been referenced as a payload delivered through crypters and loaders including Hijack Loader and RenEngine Loader. One analyzed fake Claude infection chain involved fairpoint29.com, primemetricsa.com, a creativecommunityinfo.art subdomain, and post-infection traffic assessed as ACR Stealer-related.
The malware is also associated with the ACR Stealer-based Amatera MaaS platform, which is described as being based on ACR Stealer and sold as a subscription service. Reporting further notes ACR Stealer-related naming in darknet marketplace activity, including payload names such as acr-arab, acr-karma, and acr-xyphos, matching a product sold by SheldIO on the RAMP forum.
Observed targeting and victimology in related campaigns include broad opportunistic infections affecting Windows users, including users seeking pirated games, cracked applications, and fake software installers. Reported geographic impact in associated campaigns includes India, the United States, Brazil, Russia, Spain, Turkey, and Germany. High-confidence indicators directly mentioned in the content include SHA256 70b5ecc110e074dbca92932c0e840ea3492ea0a43c3f215b71392c12b02213b2, a14c3ecf5eb3d2543358482e43dc765dbf9ee7a4bec7571f5ecb8829ca719692, and 47fa746422f1bf6b7712dc6803378e6a995488007193a7441d790f70d204728f; domains and URLs fairpoint29.com, primemetricsa.com/1518925, 6ryuefl.creativecommunityinfo.art, and i.ibb.co/Xx16sbMz/init-block.jpg; and the detection name Trojan-PSW.Win32.ACRstealer.gen.
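As an added defensive example (not part of this profile or of any report it cites), the following Python scans proxy, DNS and EDR-style log lines for the indicators listed above: hashes by exact match, attacker-controlled domains by apex-or-subdomain match, and paths on shared hosts such as i.ibb.co by full-URL match only, so that a popular image host does not become a blanket false positive. The sample log lines are constructed, and treating the whole creativecommunityinfo.art zone as hostile is an assumption.

```python
import re
# Indicators quoted on this profile for the fake-Claude ACR Stealer chain.
ACR_SHA256 = {
    "70b5ecc110e074dbca92932c0e840ea3492ea0a43c3f215b71392c12b02213b2",
    "a14c3ecf5eb3d2543358482e43dc765dbf9ee7a4bec7571f5ecb8829ca719692",
    "47fa746422f1bf6b7712dc6803378e6a995488007193a7441d790f70d204728f",
}
# Attacker-controlled domains, matched as apex plus every subdomain (assumption:
# the whole creativecommunityinfo.art zone is hostile, not only the subdomain seen).
ACR_DOMAINS = {"fairpoint29.com", "primemetricsa.com", "creativecommunityinfo.art"}
# Paths on shared or legitimate hosts: match the full URL only, never the bare domain.
ACR_URLS = {"i.ibb.co/Xx16sbMz/init-block.jpg", "primemetricsa.com/1518925"}
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL_RE = re.compile(r"https?://(\S+)")
HOST_RE = re.compile(r"\bhost=(\S+)")

def domain_matches(host, watch=ACR_DOMAINS):
    """True if host is a watched domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watch)

def scan_line(line):
    """Return (kind, value) for the first ACR indicator in line, else None."""
    for h in SHA256_RE.findall(line):
        if h.lower() in ACR_SHA256:
            return ("sha256", h.lower())
    for url in URL_RE.findall(line):
        if url in ACR_URLS:            # exact URL on a shared host
            return ("url", url)
        host = url.split("/", 1)[0].split(":")[0]
        if domain_matches(host):       # attacker-controlled zone
            return ("domain", host.lower())
    for host in HOST_RE.findall(line):  # DNS-style records without a URL
        if domain_matches(host):
            return ("domain", host.lower())
    return None

def scan_logs(lines):
    """Return (line_no, kind, value) for every line carrying an ACR indicator."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := scan_line(line))]

# Constructed sample lines in proxy/DNS/EDR style; not taken from any report.
SAMPLE_LOGS = [
    "proxy GET https://fairpoint29.com/ user=alice",
    "dns query host=6ryuefl.creativecommunityinfo.art",
    "edr process=Payload.exe sha256=a14c3ecf5eb3d2543358482e43dc765dbf9ee7a4bec7571f5ecb8829ca719692",
    "proxy GET https://i.ibb.co/Xx16sbMz/init-block.jpg",
    "proxy GET https://i.ibb.co/other/cat.jpg",
    "dns query host=notfairpoint29.com",
]
```

Running `scan_logs(SAMPLE_LOGS)` flags the first four lines and leaves the unrelated i.ibb.co image and the look-alike notfairpoint29.com untouched.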
Groups observed using it
3 distinct threat actors attributed by public researchers.
ACR Stealer, a malware-as-a-service (MaaS) information stealer written in C++ that has been active since 2024, makes its debut in a tie for 6th thanks to its use as a payload in recent ClearFake campaigns.
The top buyer @dearswa placed 24 orders for payloads named acr-arab, acr-karma, and acr-xyphos. The acr-* naming convention directly matches ACR Stealer, a Malware-as-a-Service product sold by SheldIO on the RAMP darknet forum.
ACR Stealer is a credential and data theft infostealer written in C++ and used by the SideCopy threat group.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
I've reliably found these sites through malicious ads in Google searches that lead to these pages, often concealed in URLs for sites.google[.]com
Initial Access
2 techniques
ClearFake is an activity cluster that uses JavaScript injected into compromised websites to deliver malware via drive-by download techniques
"malware distribution under the guise of game cheats and pirated software... distributing pirated games infected with... RenEngine, which was delivered... using a modified version of a Ren’Py engine-based game launcher."
Execution
2 techniques
Follow-up download, PowerShell script: SHA256 hash: a14c3ecf5eb3d2543358482e43dc765dbf9ee7a4bec7571f5ecb8829ca719692
often using fake CAPTCHA lures to trick users into executing code via malicious copy and paste (paste and run, ClickFix, fakeCAPTCHA)
Privilege Escalation
1 technique
Stealth
2 techniques
Web page impersonating Claude with a button to "Download for Windows."
Credential Access
2 techniques
"LTX Stealer... conducts large-scale credential harvesting from Chromium-based browsers, targets cryptocurrency-related artifacts..."; "Marco Stealer... targets browser data, cryptocurrency wallet information..."
MITRE ATT&CK: T1555.003 -- Credentials from Password Stores: Web Browsers ... The embedded Payload.exe is a native C++ x64 credential stealer targeting: Google Chrome ... Microsoft Edge ... Brave Browser
Discovery
1 technique
Collection
1 technique
Command and Control
1 technique
Based on the C2 domain for post-infection traffic, this appears to be an infection for ACR Stealer... Domain for post-infection HTTPS traffic to C2 server
Exfiltration
1 technique
"...facilitates the exfiltration of browser credentials and cookies, system details and clipboard contents, and cryptocurrency wallet information..."
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
Information-stealing malware identified from post-infection C2 traffic associated with a fake Claude download page delivering Windows malware.
A malware-as-a-service information stealer written in C++ and active since 2024; observed as a payload in recent ClearFake campaigns.
Stealer family referenced as the codebase/basis for the Amatera MaaS infostealer.
Referenced as the apparent codebase Amatera Stealer is believed to be derived from; described as a stealer offered to criminals via a subscription/MaaS model.