Skip to main content
Emerging ThreatsMalware & Ransomware

Microsoft Warns of ACR Stealer Malware Surge Targeting Enterprise Customers

A laptop sits open on a low table in a modern corporate office lobby.

“These two campaigns represent some of the most prevalent ACR Stealer delivery campaigns observed by Defender Experts; however, they do not represent the full range of delivery methods used by this malware family,” Microsoft warns.

Microsoft: surge, timeline, and actor characterisation

Microsoft has reported a surge in attacks using the ACR Stealer malware against its enterprise customers between late April and mid‑June. The company describes ACR Stealer as a malware‑as‑a‑service (MaaS) operation and says it is believed to be a rebranding of the Amatera Stealer malware. Attackers delivering ACR Stealer have relied on social‑engineering lures, public hosting services, and legitimate Windows utilities to place and execute the info‑stealing payload.

Two prevalent delivery chains: WebDAV + rundll32 and MSHTA + stego images

Microsoft highlights two intrusion chains as the most prevalent for the observed ACR Stealer activity.

  • In the first, attackers use a ClickFix lure that executes a command to run a malicious DLL from a remote WebDAV share using rundll32.exe. Microsoft notes the threat actor commonly relies on a GUID‑based directory structure and filenames in the WebDAV path that mimic legitimate resources (for example, google.ct) to blend with expected network traffic. Abusing WebDAV for initial delivery mirrors past campaigns that delivered Bumblebee and Voldemort malware.
  • In the second, the ClickFix lure launches MSHTA (Microsoft HTML Application Host), which retrieves malicious content from the attacker’s server and runs an obfuscated PowerShell downloader. That downloader extracts an encrypted payload hidden inside a publicly hosted steganographic JPEG and executes it directly in memory.

Despite differences in delivery, both chains proceed to contact command‑and‑control (C2) infrastructure and execute additional obfuscated scripts and loaders to finalize the intrusion.

Installation, persistence, and evasion techniques observed

After initial execution, Microsoft describes a consistent set of behaviors used to establish persistence and evade detection. Observed routines include execution of a heavily obfuscated PowerShell script that launches a malware installer, installation of a bundled Python loader, creation of a scheduled task masked as a software update, timestamp manipulation, and clearing of PowerShell history. The final payload is frequently injected into a system process and executed in memory. Some ACR Stealer variants use public blockchain services as dead‑drop resolvers for updated payload locations or C2 addresses — a technique Microsoft calls “EtherHiding.”

What ACR Stealer seeks to harvest

  • Passwords, cookies, session data, and authentication tokens stored in web browsers
  • Decryption of browser data via the Windows Data Protection API (DPAPI)
  • Access to Chromium browser databases on Chrome and Edge
  • Search and collection of PDFs and Microsoft 365 documents
  • Collection of files from Desktop and Downloads folders
  • Targeting of enterprise‑synchronized OneDrive and SharePoint directories

Microsoft says all harvested data is archived and prepared for exfiltration to attacker infrastructure.

Mitigations Microsoft recommends and detection realities

Microsoft offers concrete defensive steps aimed at reducing exposure to the web‑based delivery chains and the utilities attackers abuse. Recommended actions include:

  • Avoid copying and executing instructions in command interpreters, particularly when those instructions claim to “fix” an error or verify a user is human.
  • Enforce web filters, block low‑reputation or newly registered domains, and restrict access to online resources that are not required for business operations.
  • Use application control rules to restrict launching content from remote resources with tools such as PowerShell, Python, mshta.exe, or rundll32.exe — especially when execution would originate from user‑writable paths.

Microsoft’s report also includes a larger list of mitigations and a set of indicators of compromise specific to the ACR Stealer activity it observed.

Separately, the source notes a detection gap: security teams log 54% of successful attacks but alert on just 14%, underscoring how many intrusions can move through environments unseen.

What this means for security teams, enterprises, and end users

Security teams should monitor WebDAV access patterns, MSHTA invocation, and scheduled tasks masquerading as software updates; they should apply the application control and web‑filtering recommendations Microsoft provides. Enterprises and procurement leaders must consider restricting unnecessary remote‑resource access and vetting services that host content reachable from employee systems. End users should be trained not to paste and execute terminal or command‑line instructions received in prompts or “fix” messages and to report unusual prompts to their security teams.

Microsoft’s advisory closes on a cautionary note: the two chains it details are among the most prevalent but are not exhaustive. That leaves organizations with a concrete question—will defenders apply the recommended controls and monitoring to prevent ACR Stealer variants from exploiting other, unobserved execution paths?

Original story