Security researchers have observed increased activity involving ACR Stealer, an information-stealing malware family associated with the Amatera Stealer ecosystem. The activity was particularly prevalent from late April through mid-June 2026 and has successfully compromised enterprise environments.
The campaigns use ClickFix social engineering, in which a malicious website, fake CAPTCHA, software prompt, or troubleshooting message instructs a user to copy and execute a command through the Windows Run dialog or another command interface.
No software vulnerability is required. The infection begins when the targeted user manually executes the attacker-provided command.
Once installed, ACR Stealer can collect saved browser usernames and passwords, browser cookies, active session tokens, authentication artifacts protected by Windows Data Protection API, Microsoft 365 documents, PDF files, files stored in OneDrive- and SharePoint-synchronized folders, and other potentially sensitive enterprise information.
The theft of active session tokens is particularly serious because it may allow an attacker to access an account without re-entering the password or completing multifactor authentication. Password changes alone may therefore be insufficient following a suspected compromise.
Two prominent intrusion chains have been identified. The first is a WebDAV-based chain that uses rundll32.exe, obfuscated PowerShell, Python loaders, scheduled-task persistence, and, in some cases, blockchain-based command-and-control resolution. The second is a predominantly fileless chain that uses mshta.exe, VBScript, obfuscated PowerShell, steganographic payload delivery through JPEG images, and in-memory execution.
Organizations should immediately hunt for the behaviors described in this advisory and strengthen controls around script interpreters, Windows living-off-the-land binaries, browser credential stores, WebDAV, and user-executed commands.
Business Risk
A successful ACR Stealer infection may result in the compromise of employee, administrator, and service accounts. It may also enable unauthorized access to Microsoft 365 and other cloud services, bypass multifactor authentication through stolen session tokens, and expose confidential documents and intellectual property.
Additional consequences may include business email compromise, fraudulent transactions, unauthorized data access, lateral movement into additional systems, and follow-on ransomware, extortion, or espionage activity. An infection may also create regulatory, contractual, and breach-notification obligations.
The risk is elevated when the affected user has privileged access, handles sensitive documents, or has active sessions to cloud administration portals.
Initial Access: ClickFix Social Engineering
Both observed campaigns begin with a ClickFix lure. Potential delivery mechanisms include malicious advertisements, search-engine optimization poisoning, compromised websites, fake CAPTCHA verification pages, fake browser or application error messages, impersonated artificial intelligence, productivity, or software-download websites, and instructions presented as required troubleshooting steps.
The page directs the user to copy a command, open the Windows Run dialog, paste the command, and press Enter.
Users may believe the command is required to verify that they are human, repair an application, install legitimate software, access content, or complete a security check.
A legitimate CAPTCHA or website verification process should not require a user to paste commands into Windows Run, Command Prompt, PowerShell, Terminal, or a browser developer console.
Observed Intrusion Chain 1: WebDAV and Python Loader
Initial Execution
The attacker-provided command launches cmd.exe and uses rundll32.exe to load a DLL from a remote WebDAV location over HTTPS.
Observed variations include the direct execution of rundll32.exe against a remote resource and the use of pushd to map a remote WebDAV share to a temporary drive. Other variations use conhost.exe --headless, delayed environment-variable expansion, and command obfuscation. Remote paths may contain GUID-style directory names, while retrieved files may use misleading names or unusual extensions, such as google.ct.
The use of pushd can make remotely hosted content appear to execute from a local drive path. Headless console execution further reduces visible indicators for the user.
PowerShell Installation Stage
After the remote DLL executes, it retrieves and launches heavily obfuscated PowerShell.
Observed obfuscation techniques include randomized variable names, arithmetic operations with no functional purpose, dead loops, fake control flow, encoded or dynamically reconstructed strings, and excessively long or fragmented command lines.
The PowerShell stage may download a ZIP archive containing the malware and extract its contents beneath %LocalAppData%\Temp. The extracted directory may resemble legitimate software, such as LogiOptionsPlus. The malware may then launch a Python script through a bundled copy of pythonw.exe.
The installer may remove previous versions of the malware, terminate active malware processes before reinstalling, and create a hidden scheduled task that resembles a legitimate software updater. It may also copy timestamps from notepad.exe or another trusted file and clear the PowerShell command history to reduce forensic visibility.
In-Memory Execution
The Python loader uses multiple layers of encoding, compression, string manipulation, and dynamic API resolution. The final payload is reconstructed only at runtime.
The loader may allocate memory through VirtualAlloc, copy shellcode into an executable memory region, and transfer execution through the Windows Fiber API. Functions associated with this activity include ConvertThreadToFiber, CreateFiber, and SwitchToFiber. The payload may also be injected into or executed inside another system process.
Blockchain-Based Command-and-Control Resolution
Some infections use public blockchain remote procedure call services or third-party Web3 infrastructure as a dead-drop resolver.
This technique, sometimes referred to as EtherHiding, allows the attacker to store or update a payload location or command-and-control address on a public blockchain. This can make infrastructure disruption more difficult because the malware does not rely solely on a conventional attacker-controlled domain.
Connections to blockchain or Web3 services are not automatically malicious. However, connections originating from pythonw.exe, PowerShell, mshta.exe, or an unusual child process should be investigated.
Observed Intrusion Chain 2: MSHTA and Steganographic Payload
Initial Execution
The ClickFix command launches mshta.exe and retrieves remote HTA content from attacker-controlled infrastructure.
The HTA contains VBScript that uses Component Object Model objects to decode and launch an encoded PowerShell stage.
PowerShell Execution
The PowerShell component may generate a victim-specific identifier, disable or bypass certificate validation, retrieve encrypted content, and execute the retrieved content directly in memory.
It may use randomized variables, dead loops, fake logic, and custom encryption routines to complicate analysis. The execution chain is also designed to avoid writing recognizable payloads to disk.
Payload Concealed in an Image
The malware retrieves a JPEG image from a public image-hosting service. Malicious data is encoded within the image pixels.
Custom routines extract the embedded data, decrypt it, decompress it, resolve the required Windows APIs, and execute the payload directly in memory.
APIs associated with this execution chain may include LoadLibrary, GetProcAddress, VirtualAlloc, CreateThread, and WaitForSingleObject.
A JPEG downloaded from a public image service should be considered suspicious when it is retrieved by PowerShell, mshta.exe, a scripting engine, or another non-browser process and is immediately followed by memory-allocation or code-execution behavior.
Credential and Document Theft
Following execution, ACR Stealer targets Chromium-based browsers, including Google Chrome and Microsoft Edge.
Targeted artifacts may include the Login Data and Web Data databases, browser cookie stores, saved passwords, authentication tokens, autofill information, active web-session cookies, browser encryption keys, and Windows DPAPI-protected data.
The malware also searches for high-value files, including PDF documents, Microsoft Word documents, Microsoft Excel workbooks, and Microsoft PowerPoint presentations. It may search the Desktop and Downloads directories, as well as files synchronized through OneDrive and SharePoint.
Collected data may be placed into an archive before exfiltration.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
