Microsoft said it has seen a surge in attacks using ACR Stealer to steal browser passwords, authentication tokens and sensitive documents from enterprise customers, with activity observed between late April and mid-June.
KEY FACTS
- Malware ACR Stealer is a malware-as-a-service operation believed to be a rebranding of Amatera Stealer.
- Delivery Microsoft said the most common chains used ClickFix, WebDAV servers and MSHTA.
- Targets The malware sought browser data, PDFs, Microsoft 365 files and cloud-synced documents.
- Methods Some variants used blockchain services for payload locations, a technique known as EtherHiding.
The report, a technical analysis from Microsoft, said one campaign used a ClickFix lure to run a malicious DLL from a remote WebDAV share with rundll32.exe. Microsoft said the path often used GUID-based directories and filenames designed to resemble legitimate resources.
After contact with command-and-control infrastructure, the malware used a heavily obfuscated PowerShell script to install a Python loader, create persistence through a scheduled task disguised as a software update, alter timestamps and clear PowerShell history. The final payload was then injected into a system process for in-memory execution.
In a second chain, ClickFix launched MSHTA, which retrieved malicious content from an attacker server and started an obfuscated PowerShell downloader. The malware then extracted an encrypted payload hidden inside a publicly hosted JPEG image and executed it in memory.
Across the observed activity, the malware aimed to steal passwords, cookies, session data and authentication tokens from browsers, decrypt browser data with DPAPI, access Chromium databases on Chrome and Edge, search for PDFs and Microsoft 365 documents and collect files from Desktop, Downloads and synchronized OneDrive and SharePoint folders. The data was then archived for exfiltration.
WHY IT MATTERS
The disclosure shows how attackers are combining social engineering with common Windows utilities and cloud services to blend in with normal activity. Microsoft advised organizations to limit web-based delivery chains, restrict risky tools and block low-reputation domains, while warning that other delivery methods likely exist.

