ctipilot.ch

ACR Stealer

tool · tool:acr-stealer single-source

Malware-as-a-service infostealer that Microsoft reports is associated with the rebranding of Amatera Stealer; observed in two distinct ClickFix-rooted intrusion chains (WebDAV/rundll32/Python with an EtherHiding blockchain dead-drop, and a fileless MSHTA/steganography chain), both ending in DPAPI-based browser-credential theft and M365/OneDrive document enumeration (Microsoft Threat Intelligence, 2026-07-16).

Coverage timeline
4
first 2026-05-25 → last 2026-07-17
Peak priority
notable
4 notable
Sources cited
10
8 hosts
Sections touched
3
active-threats, research, weekly-multi-day
Co-occurring entities
3
see Related entities below
ATT&CK techniques
19
pinned v19.1 · see below
2026-05-254 appearances2026-07-17

ATT&CK techniques

19 techniques observed across 3 entries — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1566Phishing×1

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Evidence: 2026-05-26/acr-stealer-distributed-through-counterfeit-claude-ai-downlo · ATT&CK page ↗

T1566.002Phishing: Spearphishing Link×2

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

Evidence: 2026-05-30/llmshare-malvertising-campaign-attackers-embed-fake-outage-p · 2026-05-26/acr-stealer-distributed-through-counterfeit-claude-ai-downlo · ATT&CK page ↗

Execution TA0002

T1053.005Scheduled Task/Job: Scheduled Task×1

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · ATT&CK page ↗

T1059Command and Scripting Interpreter×1

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

Evidence: 2026-05-26/acr-stealer-distributed-through-counterfeit-claude-ai-downlo · ATT&CK page ↗

T1059.001Command and Scripting Interpreter: PowerShell×2

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · 2026-05-26/acr-stealer-distributed-through-counterfeit-claude-ai-downlo · ATT&CK page ↗

T1059.006Command and Scripting Interpreter: Python×1

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · ATT&CK page ↗

T1204.001User Execution: Malicious Link×1

An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.

Evidence: 2026-05-30/llmshare-malvertising-campaign-attackers-embed-fake-outage-p · ATT&CK page ↗

T1204.004User Execution: Malicious Copy and Paste×1

An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a Command and Scripting Interpreter. One such strategy is "ClickFix," in which adversaries present users with seemingly helpful solutions—such as prompts to fix errors or complete CAPTCHAs—that instead instruct the user to copy and paste malicious code.

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · ATT&CK page ↗

Persistence TA0003

T1053.005Scheduled Task/Job: Scheduled Task×1

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · ATT&CK page ↗

Privilege Escalation TA0004

T1053.005Scheduled Task/Job: Scheduled Task×1

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · ATT&CK page ↗

Stealth TA0005

T1027Obfuscated Files or Information×2

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · 2026-05-30/llmshare-malvertising-campaign-attackers-embed-fake-outage-p · ATT&CK page ↗

T1027.003Obfuscated Files or Information: Steganography×1

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · ATT&CK page ↗

T1036Masquerading×2

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · 2026-05-30/llmshare-malvertising-campaign-attackers-embed-fake-outage-p · ATT&CK page ↗

T1070.003Indicator Removal: Clear Command History×1

In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · ATT&CK page ↗

T1218.005System Binary Proxy Execution: Mshta×1

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · ATT&CK page ↗

T1218.011System Binary Proxy Execution: Rundll32×1

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: <code>rundll32.exe {DLLname, DLLfunction}</code>).

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · ATT&CK page ↗

T1620Reflective Code Loading×1

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., Shared Modules).

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · ATT&CK page ↗

Credential Access TA0006

T1555.003Credentials from Password Stores: Credentials from Web Browsers×1

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · ATT&CK page ↗

Collection TA0009

T1005Data from Local System×1

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · ATT&CK page ↗

T1074.001Data Staged: Local Data Staging×1

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · ATT&CK page ↗

Command and Control TA0011

T1102.001Web Service: Dead Drop Resolver×1

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

Evidence: 2026-07-17/microsoft-acr-stealer-two-clickfix-intrusion-chains · ATT&CK page ↗

Story timeline

  1. 2026-07-17Microsoft: two parallel ACR Stealer intrusion chains — WebDAV/rundll32/Python with blockchain dead-drop C2, and a fileless MSHTA/steganography chain — both rooted in ClickFix
    researchMicrosoft documents two ClickFix-rooted ACR Stealer chains: WebDAV+EtherHiding and fileless MSHTA+steganography, both ending in DPAPI browser-credential theft
  2. 2026-05-30LLMShare malvertising campaign: attackers embed fake outage pages in ChatGPT share links and serve infostealer downloads via Google Ads
    active-threats
  3. 2026-05-26ACR Stealer distributed through counterfeit Claude AI download pages promoted by malicious search ads
    active-threats
  4. 2026-05-25AI tooling as lure, attack surface and force-multiplier — the cross-day pattern no single daily framed whole
    weekly-multi-day

Relationships explore in graph

Typed, source-stated connections from the entity registry — each edge cites the entry whose reporting establishes it.

successor of

Where this entity is cited

  • active-threats2
  • weekly-multi-day1
  • research1

Source distribution

  • attack.mitre.org2 (20%)
  • microsoft.com2 (20%)
  • bleepingcomputer.com1 (10%)
  • isc.sans.edu1 (10%)
  • permiso.io1 (10%)
  • pushsecurity.com1 (10%)
  • redcanary.com1 (10%)
  • sysdig.com1 (10%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

All cited sources (10)

Entries about ACR Stealer (4)

2026-07-17 · view entry permalink →

NOTABLENATOB2

Microsoft: two parallel ACR Stealer intrusion chains — WebDAV/rundll32/Python with blockchain dead-drop C2, and a fileless MSHTA/steganography chain — both rooted in ClickFix

Microsoft Defender Experts documented two ACR Stealer delivery campaigns observed across customer environments from late April to mid-June 2026; ACR Stealer is a malware-as-a-service infostealer Microsoft states is "reportedly ... associated with the rebranding of Amatera Stealer" (Microsoft Threat Intelligence, 2026-07-16). Both begin with the same ClickFix lure (malvertising/SEO poisoning) but diverge sharply. In Chain 1 the ClickFix command spawns cmd.exe, which invokes rundll32.exe to load a DLL from a remote WebDAV share over HTTPS using a GUID-based directory structure disguised as legitimate resources; the most evasive variant launches through conhost.exe --headless with delayed-expansion obfuscation. A heavily obfuscated PowerShell stage downloads a ZIP into a masqueraded %LocalAppData%\Temp directory (e.g. "LogiOptionsPlus"), runs a bundled pythonw.exe, persists via a hidden scheduled task disguised as a software update, timestomps against notepad.exe and clears PowerShell history; a subset adds an "EtherHiding" loader that queries public blockchain RPC endpoints as a dead-drop resolver so infrastructure can rotate without redeploying malware. Chain 2 is fileless throughout: mshta.exe fetches remote HTA content whose VBScript decodes and launches in-memory PowerShell, and its distinguishing technique is steganographic delivery — a JPEG pulled from an image host carries an encrypted payload in its pixel data, decrypted and executed in memory via runtime-resolved LoadLibrary/VirtualAlloc/CreateThread. Both chains converge on DPAPI-based decryption of Chromium-based browser credential stores (passwords, cookies, auth tokens) plus enumeration of PDFs, M365 documents and OneDrive/SharePoint-synced data for exfiltration.

ACR Stealer is an information-stealing malware family reportedly offered through a malware-as-a-service (MaaS) model and associated with the rebranding of Amatera Stealer.

A notable variation in this campaign is the use of blockchain services for C2 resolution, utilizing a technique known as EtherHiding.

The malware (injected code) aggressively harvests information from browser credential stores. It invokes Windows Data Protection API (DPAPI) routines to decrypt locally stored browser passwords, cookies, and authentication tokens.

Microsoft Threat Intelligence
research17 Jul 04:35Zsingle-sourceOpen finding ↗

2026-05-30 · view entry permalink →

NOTABLE

LLMShare malvertising campaign: attackers embed fake outage pages in ChatGPT share links and serve infostealer downloads via Google Ads

Push Security documented LLMShare, a malvertising campaign in which attackers buy Google Ads targeting "ChatGPT" and "ChatGPT download" queries (Push Security, 2026-05-29; BleepingComputer, 2026-05-29). Victims clicking the ads land on legitimate chatgpt.com/s/[unique-id] share URLs that render attacker-controlled HTML — a fake high-traffic outage page with a "Download our desktop app to continue" button — directly from the OpenAI domain. Because chatgpt.com is trusted by enterprise web-filtering rules and firewalls, the landing page is not blocked. The download button redirects to an attacker-controlled domain impersonating OpenAI; the site uses cloaking (serves a benign page to scanners). Windows users receive an infostealer payload. The technique exploits the same ChatGPT Artifacts/sharing feature previously abused in the ACR Stealer campaign (covered 2026-05-26) and extends it to malvertising. Detection: monitor for browser-spawned executable downloads from chatgpt.com domains — legitimate ChatGPT desktop app downloads do not originate from that path; alert on unusual process launch from browser-extracted or browser-downloaded unsigned executables. MITRE ATT&CK: T1566.002, T1204.001, T1036, T1027.

threat30 May 05:00Zmulti-sourceOpen finding ↗

2026-05-26 · view entry permalink →

NOTABLE

ACR Stealer distributed through counterfeit Claude AI download pages promoted by malicious search ads

SANS ISC handler Brad Duncan documented a delivery chain that impersonates Anthropic's Claude desktop app via counterfeit "Download for Windows" pages, promoted through malicious search ads hosted on sites.google.com, ultimately dropping ACR Stealer (SANS Internet Storm Center, 2026-05-26). Clicking the download button delivers a corrupted ZIP archive containing obfuscated PowerShell; the infection chain also involves a JPEG image whose precise role the SANS ISC analyst could not characterise (no embedded data was identified in it), and ends in execution of the commodity infostealer ACR Stealer, which harvests credentials and browser data (T1566.002, T1059.001). [SINGLE-SOURCE] — reported by SANS ISC only at time of writing.

Why it matters to us: this is the demand-side mirror of the TrapDoor item above — attackers monetising trust in AI tooling, here against ordinary employees searching for an AI client rather than developers. Add Anthropic/Claude and other AI-brand impersonation to brand-abuse and malvertising monitoring; hunt for powershell.exe spawned from browser-download or archive-extraction paths (Sysmon EID 1 / Windows 4688, especially with -nop/-w hidden/-enc), PowerShell reading image files as code, and outbound connections from powershell.exe to newly-registered domains.

threat26 May 05:00Zsingle-sourceOpen finding ↗

Earlier coverage (1)