Back to Feed
MalwareJul 18, 2026

Microsoft warns of surge in ACR Stealer attacks on customers

Microsoft warns of surge in ACR Stealer malware attacks targeting enterprise customers via ClickFix and WebDAV delivery.

Summary

Microsoft has observed a significant surge in ACR Stealer malware attacks between late April and mid-June 2026, targeting enterprise customers to steal browser passwords, authentication tokens, and sensitive documents. The threat actor employs ClickFix social engineering, WebDAV servers, and MSHTA utility to deliver the info-stealing payload through two primary intrusion chains. ACR Stealer is believed to be a rebranded variant of Amatera Stealer and uses advanced evasion techniques including obfuscated PowerShell, blockchain dead-drop resolvers, and steganographic image embedding.

Full text

Microsoft warns of surge in ACR Stealer attacks on customers By Bill Toulas July 18, 2026 10:17 AM 0 Microsoft has observed a surge in attacks using the ACR Stealer malware to steal browser-stored passwords, authentication tokens, and sensitive documents from its enterprise customers. Between late April and mid-June, the threat actor used the ClickFix social-engineering method, WebDAV servers, and the MSHTA (Microsoft HTML Application Host) utility to deliver the info-stealing payload. ACR Stealer is a malware-as-a-service (MaaS) operation believed to be a rebranding of the Amatera Stealer malware. ACR Stealer attacks While there are multiple delivery methods for the malware, Microsoft highlights two intrusion chains as the most prevalent for ACR Stealer. The first campaign starts with a ClickFix lure that executes a command to run a malicious DLL from a remote WebDAV share using rundll32.exe. Threat actors abusing WebDAV is a common tactic, seen in past attacks delivering Bumblebee and Voldemort malware. In a report this week, Microsoft says that the threat actor typically uses a GUID-based directory structure and filenames in the WebDAV path to mimic legitimate resources (for example, google.ct) and blend the activity with expected network traffic. After establishing communication with the command-and-control (C2) infrastructure, "a heavily obfuscated PowerShell script" is executed to launch a malware installer and establish persistence. The routine installs a bundled Python loader, creates a scheduled task masked as a software update, manipulates timestamps, clears PowerShell history, and injects the final payload into a system process for in-memory execution. Some variants use public blockchain services as dead-drop resolvers to obtain updated payload locations or C2 addresses, a popular technique also known as “EtherHiding.” For the second delivery chain, the threat actor uses ClickFix to launch MSHTA, which retrieves malicious content from the attacker's server and executes an obfuscated PowerShell downloader. The malware then extracts an encrypted payload concealed inside a publicly hosted steganographic JPEG image and executes it directly in memory. Despite the differences, the objective remains stealing sensitive data: Steal passwords, cookies, session data, and authentication tokens stored on web browsers Decrypt browser data through the Windows Data Protection API DPAPI Access Chromium browser databases on Chrome and Edge Search for PDFs and Microsoft 365 documents Collect files from the Desktop and Downloads folders Target enterprise-synchronized OneDrive and SharePoint directories All data is collected and then archived in preparation to be exfiltrated to the attacker. Overview of the ACR Stealer attacksSource: Microsoft “These two campaigns represent some of the most prevalent ACR Stealer delivery campaigns observed by Defender Experts; however, they do not represent the full range of delivery methods used by this malware family,” Microsoft warns, noting that additional execution chains are very likely to exist. As a general defense rule against ClickFix attacks, users should avoid copying and executing instructions in command interpreters, especially when they claim to fix an error or to verify that they are human. Microsoft recommends that organizations reduce exposure to web-based delivery chains by enforcing filters, blocking low-reputation or new domains, and restricting access to online resources that are not required for business operations. Application control rules can restrict launching content from a remote resource using tools like PowerShell, Python, mshta.exe, or rundll32.exe, especially from user-writeable paths. Microsoft's report provides a larger list of recommended mitigations along with a set of indicators of compromise specific for the observed ACR Stealer activity. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: New ClickLock macOS malware traps users into revealing login passwordNearly 300 GitHub repos pose as legit software to push malwareNew CrashStealer malware poses as Apple crash reporting toolCritical SimpleHelp flaw exploited to deploy new stealer malwareSteam Workshop abused to spread malware via Wallpaper Engine app

Indicators of Compromise

  • malware — ACR Stealer
  • malware — Amatera Stealer
  • malware — Bumblebee
  • malware — Voldemort

Entities

Microsoft (vendor)Microsoft Defender (product)WebDAV (technology)MSHTA (technology)PowerShell (technology)ACR Stealer Campaign (campaign)