Microsoft reported a rise in ACR Stealer intrusions across customer environments, tracing two prominent infection chains that relied on ClickFix social engineering to trick users into launching malicious commands. In one chain, attackers delivered DLLs over WebDAV, then used obfuscated PowerShell, Python-based loaders, and scheduled tasks for persistence; some infections also resolved command-and-control infrastructure through blockchain-based dead-drop techniques such as EtherHiding. A second chain used mshta.exe, VBScript, and obfuscated PowerShell before retrieving payloads hidden inside a hosted JPEG and executing them filelessly in memory.
The campaigns were designed to steal browser credentials, cookies, authentication tokens, and sensitive enterprise documents, including PDFs and Microsoft 365-related files. Microsoft said the malware abuses DPAPI to decrypt browser data and stages the collected information for exfiltration. The company published indicators of compromise, MITRE ATT&CK mappings, hunting queries, and mitigation guidance focused on detecting ClickFix lures, suspicious WebDAV or MSHTA activity, obfuscated PowerShell, persistence mechanisms, and browser credential theft.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft documented two prominent ACR Stealer delivery chains during the observed activity window: one using WebDAV-delivered DLLs, staged PowerShell, Python loaders, and scheduled-task persistence, and another using MSHTA, VBScript, obfuscated PowerShell, steganography, and fileless in-memory execution. In some cases, the first chain also used blockchain-based dead-drop command-and-control resolution.
Microsoft said it observed increased ACR Stealer activity across customer environments from late April 2026 to mid-June 2026. The activity involved ClickFix social engineering and credential- and document-theft objectives.
On July 16, 2026, Microsoft published analysis of the ACR Stealer campaigns along with indicators of compromise, MITRE ATT&CK mappings, hunting queries, and mitigation recommendations. The guidance focused on detecting ClickFix lures, suspicious WebDAV or MSHTA activity, obfuscated PowerShell, persistence, and browser credential theft.
On May 26, 2026, Red Canary reported that ACR Stealer had newly entered its top 10 threats because it was being delivered in ClearFake campaigns using fake CAPTCHA and paste-and-run social engineering. The report also noted delivery via fake Claude Code GitLab pages and a Go-based reflective loader that sideloaded a malicious DLL through rundll32.exe from a remote network share.
On June 13, 2025, Proofpoint reported that Amatera Stealer was a rebranded and significantly updated successor to ACR Stealer, sold as a malware-as-a-service offering and actively developed in 2025. The company also described improved evasion and command-and-control changes, including NTSockets-based HTTP communications, WoW64 syscall-based execution, and a shift toward direct hardcoded C2 infrastructure.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcethehackernews.com
Open sourcetrojan-killer.net
Open sourcemalware.news
Open sourcemicrosoft.com
Open sourceredcanary.com
Open sourceproofpoint.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.