[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7r-Gj6zeaLlo2BQTJSzgBhusp1OIdYxg8oKcmJHe1bA":3},{"article":4,"iocs":47},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"fb6a49a2-7f92-4e35-8a84-1de473225ca9","ACR Stealer: Two observed intrusion chains amid increased threat activity","acr-stealer-two-observed-intrusion-chains-amid-increased-threat-activity-880977","From late April 2026 to mid-June 2026, Microsoft Defender Experts observed increased ACR Stealer activity across customer environments. These campaigns are successfully using ClickFix lures to steal browser credentials, authentication tokens, and sensitive documents from enterprise environments. The post ACR Stealer: Two observed intrusion chains amid increased threat activity appeared first on Microsoft Security Blog.","From late April to mid-June 2026, Microsoft Defender Experts observed increased ACR Stealer activity leveraging ClickFix social engineering to compromise enterprise environments. Two distinct intrusion chains were identified: one using WebDAV-delivered payloads with Python loaders and blockchain-backed C2, and another employing MSHTA and obfuscated PowerShell with steganography. Both campaigns target browser credentials, authentication tokens, and sensitive documents.","ACR Stealer malware campaigns using ClickFix lures to steal credentials from enterprise environments.","Share Link copied to clipboard! TagsClickFixMalwareSocial engineeringContent typesResearchProducts and servicesMicrosoft DefenderMicrosoft Defender Experts for XDRMicrosoft Security ExpertsTopicsActionable threat insightsDefending against advanced tacticsThreat intelligence From late April 2026 to mid-June 2026, Microsoft Defender Experts observed increased ACR Stealer activity across customer environments. These campaigns are successfully using ClickFix lures to steal browser credentials, authentication tokens, and sensitive documents from enterprise environments. Successful compromise can expose browser credentials, session tokens, authentication artifacts, and sensitive enterprise data, potentially enabling account compromise, unauthorized access to cloud resources, and follow-on intrusion activity. Security teams should prioritize monitoring for ClickFix lures, suspicious WebDAV activity, obfuscated PowerShell execution, and attempts to access browser credential stores. ACR Stealer is an information-stealing malware family reportedly offered through a malware-as-a-service (MaaS) model and associated with the rebranding of Amatera Stealer. During this period, two campaigns stand out, together appearing frequently in reviewed recent intrusions. Both begin the same way, with a ClickFix social engineering technique that tricks targets into running the threat actor’s command, but the intrusion chains that follow diverge in how they deliver payloads, establish execution, and evade detection. The first campaign relies on WebDAV-delivered payloads, staged PowerShell, Python-based loaders and persistence, and, in some intrusions, blockchain-backed dead-drop command-and-control (C2) resolution. The second campaign takes a more fileless route, using MSHTA, obfuscated PowerShell, and steganography-assisted in-memory execution. Despite these differences, both campaigns ultimately pursue the same goal: stealing browser-stored credentials and other sensitive data for exfiltration. These two campaigns represent some of the most prevalent ACR Stealer delivery campaigns observed by Defender Experts; however, they do not represent the full range of delivery methods used by this malware family. Attribution to ACR Stealer is based on the observed behavior and post-exploitation tradecraft, corroborated by open-source intelligence on the infrastructure associated with this malware family. Additional campaigns, infrastructure patterns, and execution chains are likely active, and organizations should treat the indicators and techniques described here as representative. Microsoft Defender for Endpoint can help surface both campaigns through behavioral coverage for living-off-the-land execution, suspicious WebDAV and MSHTA activity, obfuscated PowerShell, scheduled-task persistence, in-memory payload execution, and browser credential theft. In this blog, we analyze both campaigns in detail, including their delivery mechanisms, post-exploitation tradecraft, indicators of compromise, hunting opportunities, and guidance to help defenders detect and disrupt related activity in their environments. Campaign 1: WebDAV-based ClickFix with Python loaders and blockchain C2 Initial access In this campaign, a ClickFix prompt, likely delivered through malvertising or SEO-manipulated search results, instructs the target user to run a command that launches cmd.exe. The command subsequently invokes rundll32.exe to load a DLL from a remote WebDAV share accessed over HTTPS. The WebDAV path commonly uses a GUID-based directory structure and filenames designed to resemble legitimate resources (for example, google.ct), enabling the activity to blend with expected network traffic and evade casual inspection. We observed three variants of the initial execution command: Variant 1: Direct rundll32 invocation Variant 2: pushd-Mounted WebDAV Share Variant 3: Headless and obfuscated pushd execution Variants 2 and 3 are notable for their use of pushd, which transparently maps the remote WebDAV share to a temporary local drive prior to execution. This technique allows threat actors to execute remotely hosted content through what appears to be a local path, simplifying payload execution while reducing user awareness. In the more advanced variant, threat actors further enhance stealth by launching commands through conhost.exe –headless, suppressing visible console windows, and employing environment variable obfuscation with delayed variable expansion to conceal critical execution components such as pushd, rundll32, and the remote host name. Combined with minimized or headless execution, these techniques reduce user visibility, complicate static analysis and detection, and enable the infection chain to execute with minimal indication to the victim. Execution, persistence, and evasion through process masquerading Once rundll32.exe loads the DLL retrieved from the remote server, the malware establishes communication with threat actor-controlled infrastructure and executes a heavily obfuscated PowerShell script. The script employs excessive arithmetic no-ops, dead loops, fake control flow, and randomized variable names to hinder static analysis and evade signature-based detection. The PowerShell script subsequently deploys another stage that functions as both a malware installer and a persistence mechanism. It: Downloads a ZIP-packaged payload from a remote server and extracts it into a deceptive directory under %LocalAppData%\\Temp (for example, LogiOptionsPlus). Launches a Python script using a bundled pythonw.exe instance to avoid displaying a console window. Removes previous deployments and terminates running instances before installation, effectively operating as an updater. Establishes persistence through a hidden scheduled task disguised as a legitimate software update, ensuring execution at user sign-in. Copies timestamps from a trusted Windows binary (notepad.exe) to the deployed files and clears PowerShell command history to reduce forensic visibility. PowerShell loader downloads and executes a payload through a masqueraded scheduled task. Python loader launching the stealer The Python component serves as a heavily obfuscated loader designed to conceal its true functionality until runtime. It employs multiple layers of defense against static analysis, including dynamic API resolution, encoded string reconstruction, junk-data removal, character shifting, string reversal, Base64 decoding, and zlib decompression. These techniques ensure that the embedded payload remains unreadable in its static form and is reconstructed only during execution, significantly hindering signature-based detection and automated analysis. Once decoded, the final-stage payload functions as an in-memory shellcode loader. It extracts an archive file masquerading as a legitimate application installer, reads a file from the archive, and injects the payload into a system process. The loader allocates executable memory using VirtualAlloc, copies the payload into the allocated memory region, and transfers execution through the Windows Fiber API (ConvertThreadToFiber, CreateFiber, and SwitchToFiber). This technique facilitates stealthy in-memory execution while minimizing artifacts written to disk. Decoded Python shellcode loader using VirtualAlloc and Fiber-based execution. Credential theft and data staging for exfiltration The malware (injected code) aggressively harvests information from browser credential stores. It invokes Windows Data Protection API (DPAPI) routines to decrypt locally stored browser passwords, cookies, and authentication tokens. It also enumerates files across the system, targeting PDFs, Microsoft 365 documents, and data stored in enterprise-synchronized directories such as OneDrive and SharePoint. The collected data is subsequently archived, indicating preparation for exfiltration. Blockchain dead-drop C2 resolution A notable variation in this campaign is the use of blockchain services for C2 resolution, util","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2026\u002F07\u002F16\u002Facr-stealer-two-observed-intrusion-chains-amid-increased-threat-activity\u002F","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002Fwp-content\u002Fuploads\u002F2026\u002F03\u002FMS_Actional-Insights_Phishing-social-engineering.jpg","2026-07-16T23:12:02+00:00","2026-07-17T02:00:15.588658+00:00",8,[18,21,24,26,29],{"name":19,"type":20},"Microsoft","vendor",{"name":22,"type":23},"Microsoft Defender","product",{"name":25,"type":23},"Microsoft Defender for Endpoint",{"name":27,"type":28},"WebDAV","technology",{"name":30,"type":28},"PowerShell","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":31,"icon":33,"name":34,"slug":35},null,"Malware","malware",[37,42],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":43},{"id":44,"icon":33,"name":45,"slug":46},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[48,51,54],{"type":35,"value":49,"context":50},"ACR Stealer","Information-stealing malware family offered as MaaS, associated with rebranding of Amatera Stealer",{"type":35,"value":52,"context":53},"ClickFix","Social engineering lure technique used to trick targets into executing threat actor commands",{"type":35,"value":55,"context":56},"Amatera Stealer","Predecessor malware family rebranded as ACR Stealer"]