How ACR Stealer Attacks Blend Social Engineering and Stealth
Microsoft's Defender Experts team recently warned of a significant surge in ACR Stealer attacks targeting enterprise customers, observed between late April and mid-June 2026. Users might be expected to be wary of "ClickFix" lures by now, but attackers are refining their presentation, often impersonating AI assistants or using malvertising. These attacks remain effective, especially when they lead to stolen accounts and M365 files. These attacks underscore the persistent effectiveness of social engineering, even against technically sophisticated targets, leading to the theft of accounts and M365 files.
The Incident: ACR Stealer Attacks Rebranded and Resurgent
Microsoft's warning doesn't concern a novel, zero-day exploit. ACR Stealer, a malware-as-a-service operation, has been active since 2024. It has operated under various aliases, including Amatera Stealer and AcridRain, with some tracing its lineage back to GrMsk Stealer. This continuous rebranding is a standard tactic for threat actors seeking to evade detection. Its sustained activity and effectiveness are evident; Red Canary's April 2026 telemetry, for instance, showed ACR Stealer attacks tied for sixth on its most-prevalent-threat list.
The core issue here isn't a software vulnerability. There aren't any CVEs associated with these ACR Stealer attacks. Instead, the malware operates by inheriting the permissions of the signed-in user. This inheritance of user privileges serves as the fundamental attack vector.
The Mechanism: ACR Stealer Attacks' Two Paths to Your Data
ACR Stealer attacks employ two primary intrusion chains, both initiated by social engineering.
Chain 1: The WebDAV Deception
This chain begins with a "ClickFix" lure. A user, attempting to resolve a minor software glitch, encounters a pop-up or malicious advertisement instructing them to paste a command into their Run box. Executing this command directly runs a malicious DLL from a remote WebDAV share via rundll32.exe. Attackers often use GUID-based directory structures and filenames like google.ct within the WebDAV paths to mimic legitimate resources, facilitating these ACR Stealer attacks.
Once the DLL executes, it establishes communication with the command-and-control (C2) infrastructure. Subsequently, a heavily obfuscated PowerShell script initiates. This script installs a bundled Python loader and creates a scheduled task for persistence, often masquerading as a software update. To obscure its presence, it manipulates file timestamps by copying them from legitimate executables like notepad.exe and clears PowerShell history.
The final payload is then reflectively injected into a system process, operating in memory via mechanisms like the Windows Fiber API to bypass disk-based detection. Some variants even use public blockchain services (e.g., EtherHiding) as dead-drop resolvers for updated payload locations or C2 addresses—a sophisticated technique for an infostealer.
Chain 2: Steganography and Fileless Execution
The second chain also starts with a ClickFix lure, but this variant launches mshta.exe. The mshta.exe process retrieves malicious content from the attacker's server. An obfuscated PowerShell downloader then takes over, extracting an encrypted payload hidden within a publicly hosted steganographic JPEG image. The payload is embedded within the image's pixels. It then executes this payload directly in memory. This fileless approach significantly complicates detection by traditional endpoint security solutions.
Both the WebDAV and steganography chains share the same ultimate goal: executing code with the user's permissions.
The Impact: Data Exfiltration Targets
Once ACR Stealer attacks are operational, they target high-value data:
- Browser Data: Passwords, cookies, session data, and authentication tokens from web browsers like Chrome and Edge. It utilizes DPAPI to decrypt this information.
- Documents: PDF files and Microsoft 365 documents.
- Local Files: Content from Desktop and Downloads folders.
- Cloud Sync: Files synchronized via enterprise OneDrive and SharePoint directories.
All collected data is archived and then exfiltrated to the attacker. The practical consequence is direct access to sensitive information and accounts if an organization relies on browser-based authentication or cloud storage. This directly impacts both personal and corporate assets.
The Response: Practical Mitigations
Microsoft has provided clear recommendations for mitigation.
The first line of defense is user behavior: avoid copying and executing random commands. The "ClickFix" lure is specifically designed to induce this action. If instructions prompt you to paste commands into an interpreter, particularly for an "error fix," refrain from doing so. Organizations can reinforce this by removing the Run prompt via GPO or by blocking mshta.exe through AppLocker or WDAC.
In addition to user awareness, organizations must reduce exposure to web-based delivery. This involves enforcing web filters, blocking low-reputation or newly registered domains, and restricting access to non-essential online resources.
Application control is also critical. Implement rules that restrict tools like PowerShell, Python, mshta.exe, or rundll32.exe from launching content from remote sources, especially from user-writeable paths such as Downloads or Temp. Implementing these controls establishes a critical defense layer.
If a host is suspected of compromise, immediate actions include:
- Isolating the host.
- Rotating all affected credentials.
- Revoking authentication tokens. Revoking authentication tokens is crucial; simply changing passwords is insufficient if ACR Stealer has already exfiltrated active tokens.
- Checking outbound connections to remote shares and image-hosting services for suspicious activity.
Microsoft's report also included three Defender XDR hunting queries and 16 campaign domains. These should be actively utilized. Look for rundll32.exe executing without command-line parameters while initiating network connections, scheduled tasks masquerading as software updates, timestomping activity, and PowerShell history clearing. These serve as reliable indicators of compromise for ACR Stealer attacks.
ACR Stealer attacks demonstrate that the combination of social engineering and technical stealth remains a potent threat. It exploits human trust, then employs sophisticated, fileless, and even blockchain-backed methods to evade detection. Effective defense requires a dual approach: enhanced user education to resist initial lures, coupled with robust application control and proactive hunting capabilities to detect malware that inevitably bypasses initial defenses. Failing to address both aspects will leave organizations vulnerable.