Full Report
ACR Stealer, an infostealer in circulation since 2024, is walking out of enterprise networks with saved browser passwords, live session tokens, PDFs, Microsoft 365 documents, and files from synced OneDrive and SharePoint folders. It gets in because someone pasted a command into a Run box and pressed Enter. Microsoft laid out two of the delivery chains on Thursday. Its Defender Experts team, the
Analysis Summary
# Tool/Technique: ACR Stealer
## Overview
ACR Stealer is a sophisticated information stealer circulating since 2024 that targets enterprise environments. It specializes in the exfiltration of browser credentials, live session tokens, and sensitive documents from local directories and cloud-synced services like OneDrive and SharePoint. The malware is primarily delivered through "ClickFix" social engineering lures that trick users into executing malicious commands directly in the Windows "Run" box.
## Technical Details
- **Type:** Malware family (Infostealer)
- **Platform:** Windows (with some lures also targeting macOS)
- **Capabilities:** Credential theft, session hijacking, document exfiltration (PDF, M365), steganography, fileless execution, and DPAPI decryption.
- **First Seen:** Early 2024 (Increased activity noted April–June 2026)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1204.001 - User Execution: Malicious Link
- T1566.002 - Phishing: Spearphishing Link (ClickFix lures)
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1059.005 - Command and Scripting Interpreter: Visual Basic
- T1218.005 - System Binary Proxy Execution: Mshta
- T1218.011 - System Binary Proxy Execution: Rundll32
- **TA0005 - Defense Evasion**
- T1027.003 - Obfuscation: Steganography (Payload in JPEG pixels)
- T1620 - Reflective Code Loading
- T1027.002 - Software Packing
- **TA0006 - Credential Access**
- T1555.003 - Credentials from Web Browsers
- T1552.004 - Unsecured Credentials: Private Keys (DPAPI)
## Functionality
### Core Capabilities
- **Browser Harvesting:** Extracts `Login Data` and `Web Data` from Google Chrome and Microsoft Edge.
- **Credential Decryption:** Uses the Windows Data Protection API (DPAPI) to decrypt stored passwords, cookies, and authentication tokens.
- **File Exfiltration:** Automatically targets and steals PDFs and Microsoft 365 documents located in "Desktop" and "Downloads" folders.
- **Cloud Integration Theft:** Capable of stealing files from synced OneDrive and SharePoint folders.
### Advanced Features
- **Steganography:** One delivery chain hides its encrypted payload within the pixel data of a JPEG image hosted on public image-hosting services (e.g., ImgBB).
- **Fileless Execution:** Utilizes reflective DLL injection to run the malware entirely in memory, leaving no traces on the physical disk in specific variants.
- **Evasive Delivery:** Uses `pushd` to mount remote WebDAV shares as local drives to bypass certain path-based detection rules.
- **Headless Execution:** Employs `conhost.exe --headless` and delayed environment-variable expansion to hide console windows and command strings from detection.
## Indicators of Compromise
- **File Names:** `google.ct`, `pythonw.exe`, `LogiOptionsPlus`, `ck-[random].google`
- **Network Indicators:**
- `creativecommunityinfo[.]art` (Payload Host)
- `enhanceblabber[.]cc` (C2 Server)
- `sphere-api[.]dialectosphere[.]in[.]net` (WebDAV Host)
- `claude-desktop[.]gitlab[.]io` (Phishing/Lure)
- `sites[.]google[.]com/view/[unique_id]` (Lure Landing Page)
- **Behavioral Indicators:**
- Spawning of `mshta.exe` through a command pasted into the `Run` box.
- Unexpected PowerShell execution with certificate validation disabled.
- Mount/unmount activity using `pushd` and `popd` to external HTTPS WebDAV shares.
## Associated Threat Actors
- While specific named groups are not identified in the report, the tool is heavily associated with **ClickFix** campaign operators and actors utilizing fake AI assistant lures (e.g., Anthropic Claude, Claude Code).
## Detection Methods
- **Behavioral Detection:** Monitor for `mshta.exe` or `rundll32.exe` reaching out to external WebDAV shares via HTTPS.
- **Process Monitoring:** Detect `rundll32.exe` executed with ordinal exports (e.g., `rundll32.exe ...,#1`) or `conhost.exe` with the `--headless` flag.
- **Image Analysis:** Inspect suspiciously high-frequency downloads of small JPEG files from hosting sites that are immediately followed by reflective loading behaviors.
## Mitigation Strategies
- **User Education:** Train employees to never paste content from a website into the Windows "Run" box or PowerShell terminal (anti-ClickFix training).
- **Identity Management:** If a compromise is suspected, **revoke all active session tokens** rather than just performing a password reset.
- **Attack Surface Reduction:** Block access to known WebDAV-related protocols over the internet and restrict the use of `mshta.exe` where not required for business operations.
## Related Tools/Techniques
- **Lumma Stealer:** Similar infostealer often using similar delivery mechanisms.
- **ClickFix:** A burgeoning social engineering technique mimicking browser/software "fixes."
- **HijackLoader:** Often used in conjunction with steganography-based delivery chains.