ctipilot.ch
← Back to the live brief
NOTABLENATOB2research

Microsoft: two parallel ACR Stealer intrusion chains — WebDAV/rundll32/Python with blockchain dead-drop C2, and a fileless MSHTA/steganography chain — both rooted in ClickFix

discovered 2026-07-17 04:35 UTCrun 2026-07-17T0409Z-intel1 sourcesingle-source

Microsoft Defender Experts documented two ACR Stealer delivery campaigns observed across customer environments from late April to mid-June 2026; ACR Stealer is a malware-as-a-service infostealer Microsoft states is "reportedly ... associated with the rebranding of Amatera Stealer" (Microsoft Threat Intelligence, 2026-07-16). Both begin with the same ClickFix lure (malvertising/SEO poisoning) but diverge sharply. In Chain 1 the ClickFix command spawns cmd.exe, which invokes rundll32.exe to load a DLL from a remote WebDAV share over HTTPS using a GUID-based directory structure disguised as legitimate resources; the most evasive variant launches through conhost.exe --headless with delayed-expansion obfuscation. A heavily obfuscated PowerShell stage downloads a ZIP into a masqueraded %LocalAppData%\Temp directory (e.g. "LogiOptionsPlus"), runs a bundled pythonw.exe, persists via a hidden scheduled task disguised as a software update, timestomps against notepad.exe and clears PowerShell history; a subset adds an "EtherHiding" loader that queries public blockchain RPC endpoints as a dead-drop resolver so infrastructure can rotate without redeploying malware. Chain 2 is fileless throughout: mshta.exe fetches remote HTA content whose VBScript decodes and launches in-memory PowerShell, and its distinguishing technique is steganographic delivery — a JPEG pulled from an image host carries an encrypted payload in its pixel data, decrypted and executed in memory via runtime-resolved LoadLibrary/VirtualAlloc/CreateThread. Both chains converge on DPAPI-based decryption of Chromium-based browser credential stores (passwords, cookies, auth tokens) plus enumeration of PDFs, M365 documents and OneDrive/SharePoint-synced data for exfiltration.

ACR Stealer is an information-stealing malware family reportedly offered through a malware-as-a-service (MaaS) model and associated with the rebranding of Amatera Stealer.

A notable variation in this campaign is the use of blockchain services for C2 resolution, utilizing a technique known as EtherHiding.

The malware (injected code) aggressively harvests information from browser credential stores. It invokes Windows Data Protection API (DPAPI) routines to decrypt locally stored browser passwords, cookies, and authentication tokens.

Microsoft Threat Intelligence

ATT&CK mapping

15 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Execution TA0002
T1053.005Scheduled Task/Job: Scheduled Task

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

overlap matrix · ATT&CK page ↗

T1059.001Command and Scripting Interpreter: PowerShell

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

overlap matrix · ATT&CK page ↗

T1059.006Command and Scripting Interpreter: Python

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

overlap matrix · ATT&CK page ↗

T1204.004User Execution: Malicious Copy and Paste

An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a Command and Scripting Interpreter. One such strategy is "ClickFix," in which adversaries present users with seemingly helpful solutions—such as prompts to fix errors or complete CAPTCHAs—that instead instruct the user to copy and paste malicious code.

overlap matrix · ATT&CK page ↗

Persistence TA0003
T1053.005Scheduled Task/Job: Scheduled Task

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

overlap matrix · ATT&CK page ↗

Privilege Escalation TA0004
T1053.005Scheduled Task/Job: Scheduled Task

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

overlap matrix · ATT&CK page ↗

Stealth TA0005
T1027Obfuscated Files or Information

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

overlap matrix · ATT&CK page ↗

T1027.003Obfuscated Files or Information: Steganography

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

overlap matrix · ATT&CK page ↗

T1036Masquerading

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

overlap matrix · ATT&CK page ↗

T1070.003Indicator Removal: Clear Command History

In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.

overlap matrix · ATT&CK page ↗

T1218.005System Binary Proxy Execution: Mshta

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code

overlap matrix · ATT&CK page ↗

T1218.011System Binary Proxy Execution: Rundll32

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: <code>rundll32.exe {DLLname, DLLfunction}</code>).

overlap matrix · ATT&CK page ↗

T1620Reflective Code Loading

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., Shared Modules).

overlap matrix · ATT&CK page ↗

Credential Access TA0006
T1555.003Credentials from Password Stores: Credentials from Web Browsers

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

overlap matrix · ATT&CK page ↗

Collection TA0009
T1005Data from Local System

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

overlap matrix · ATT&CK page ↗

T1074.001Data Staged: Local Data Staging

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

overlap matrix · ATT&CK page ↗

Command and Control TA0011
T1102.001Web Service: Dead Drop Resolver

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.