2026-07-17 · view entry permalink →
Microsoft: two parallel ACR Stealer intrusion chains — WebDAV/rundll32/Python with blockchain dead-drop C2, and a fileless MSHTA/steganography chain — both rooted in ClickFix
Microsoft Defender Experts documented two ACR Stealer delivery campaigns observed across customer environments from late April to mid-June 2026; ACR Stealer is a malware-as-a-service infostealer Microsoft states is "reportedly ... associated with the rebranding of Amatera Stealer" (Microsoft Threat Intelligence, 2026-07-16). Both begin with the same ClickFix lure (malvertising/SEO poisoning) but diverge sharply. In Chain 1 the ClickFix command spawns cmd.exe, which invokes rundll32.exe to load a DLL from a remote WebDAV share over HTTPS using a GUID-based directory structure disguised as legitimate resources; the most evasive variant launches through conhost.exe --headless with delayed-expansion obfuscation. A heavily obfuscated PowerShell stage downloads a ZIP into a masqueraded %LocalAppData%\Temp directory (e.g. "LogiOptionsPlus"), runs a bundled pythonw.exe, persists via a hidden scheduled task disguised as a software update, timestomps against notepad.exe and clears PowerShell history; a subset adds an "EtherHiding" loader that queries public blockchain RPC endpoints as a dead-drop resolver so infrastructure can rotate without redeploying malware. Chain 2 is fileless throughout: mshta.exe fetches remote HTA content whose VBScript decodes and launches in-memory PowerShell, and its distinguishing technique is steganographic delivery — a JPEG pulled from an image host carries an encrypted payload in its pixel data, decrypted and executed in memory via runtime-resolved LoadLibrary/VirtualAlloc/CreateThread. Both chains converge on DPAPI-based decryption of Chromium-based browser credential stores (passwords, cookies, auth tokens) plus enumeration of PDFs, M365 documents and OneDrive/SharePoint-synced data for exfiltration.
ACR Stealer is an information-stealing malware family reportedly offered through a malware-as-a-service (MaaS) model and associated with the rebranding of Amatera Stealer.
A notable variation in this campaign is the use of blockchain services for C2 resolution, utilizing a technique known as EtherHiding.
The malware (injected code) aggressively harvests information from browser credential stores. It invokes Windows Data Protection API (DPAPI) routines to decrypt locally stored browser passwords, cookies, and authentication tokens.