Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    WordPress Core “wp2shell” RCE flaws get public exploits, patch now

    July 18, 2026

    Update now: 7-Zip fixes RCE flaw exploitable with malicious archives

    July 18, 2026

    Ancient Princesses Were Weapon-Wielding Badasses, Scientists Discover

    July 18, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»News»Microsoft warns of surge in ACR Stealer attacks on customers
    News

    Microsoft warns of surge in ACR Stealer attacks on customers

    adminBy adminJuly 18, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Microsoft warns of surge in ACR Stealer attacks on customers

    Microsoft has observed a surge in attacks using the ACR Stealer malware to steal browser-stored passwords, authentication tokens, and sensitive documents from its enterprise customers.

    Between late April and mid-June, the threat actor used the ClickFix social-engineering method, WebDAV servers, and the MSHTA (Microsoft HTML Application Host) utility to deliver the info-stealing payload.

    ACR Stealer is a malware-as-a-service (MaaS) operation believed to be a rebranding of the Amatera Stealer malware.

    image

    ACR Stealer attacks

    While there are multiple delivery methods for the malware, Microsoft highlights two intrusion chains as the most prevalent for ACR Stealer.

    The first campaign starts with a ClickFix lure that executes a command to run a malicious DLL from a remote WebDAV share using rundll32.exe.

    Threat actors abusing WebDAV is a common tactic, seen in past attacks delivering Bumblebee and Voldemort malware.

    In a report this week, Microsoft says that the threat actor typically uses a GUID-based directory structure and filenames in the WebDAV path to mimic legitimate resources (for example, google.ct) and blend the activity with expected network traffic.

    After establishing communication with the command-and-control (C2) infrastructure, “a heavily obfuscated PowerShell script” is executed to launch a malware installer and establish persistence.

    The routine installs a bundled Python loader, creates a scheduled task masked as a software update, manipulates timestamps, clears PowerShell history, and injects the final payload into a system process for in-memory execution.

    Some variants use public blockchain services as dead-drop resolvers to obtain updated payload locations or C2 addresses, a popular technique also known as “EtherHiding.”

    For the second delivery chain, the threat actor uses ClickFix to launch MSHTA, which retrieves malicious content from the attacker’s server and executes an obfuscated PowerShell downloader.

    The malware then extracts an encrypted payload concealed inside a publicly hosted steganographic JPEG image and executes it directly in memory.

    Despite the differences, the objective remains stealing sensitive data:

    • Steal passwords, cookies, session data, and authentication tokens stored on web browsers
    • Decrypt browser data through the Windows Data Protection API DPAPI
    • Access Chromium browser databases on Chrome and Edge
    • Search for PDFs and Microsoft 365 documents
    • Collect files from the Desktop and Downloads folders
    • Target enterprise-synchronized OneDrive and SharePoint directories

    All data is collected and then archived in preparation to be exfiltrated to the attacker.

    Overview of the ACR Stealer attacks
    Overview of the ACR Stealer attacks
    Source: Microsoft

    “These two campaigns represent some of the most prevalent ACR Stealer delivery campaigns observed by Defender Experts; however, they do not represent the full range of delivery methods used by this malware family,” Microsoft warns, noting that additional execution chains are very likely to exist.

    As a general defense rule against ClickFix attacks, users should avoid copying and executing instructions in command interpreters, especially when they claim to fix an error or to verify that they are human.

    Microsoft recommends that organizations reduce exposure to web-based delivery chains by enforcing filters, blocking low-reputation or new domains, and restricting access to online resources that are not required for business operations.

    Application control rules can restrict launching content from a remote resource using tools like PowerShell, Python, mshta.exe, or rundll32.exe, especially from user-writeable paths.

    Microsoft’s report provides a larger list of recommended mitigations along with a set of indicators of compromise specific for the observed ACR Stealer activity.


    article image

    Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

    The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

    Get the whitepaper



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleDepartment of National Defence/Canadian Armed Forces’s Open source intelligence Activities
    Next Article Ancient Princesses Were Weapon-Wielding Badasses, Scientists Discover
    admin
    • Website

    Related Posts

    News

    WordPress Core “wp2shell” RCE flaws get public exploits, patch now

    July 18, 2026
    News

    Update now: 7-Zip fixes RCE flaw exploitable with malicious archives

    July 18, 2026
    News

    Ancient Princesses Were Weapon-Wielding Badasses, Scientists Discover

    July 18, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202634 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202634 Views
    Our Picks

    WordPress Core “wp2shell” RCE flaws get public exploits, patch now

    July 18, 2026

    Update now: 7-Zip fixes RCE flaw exploitable with malicious archives

    July 18, 2026

    Ancient Princesses Were Weapon-Wielding Badasses, Scientists Discover

    July 18, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.