Published on July 18, 2026

Microsoft Warns of Increased ACR Stealer Attacks Targeting Customers


Severity
High

Detail

Microsoft has identified a surge in activity involving ACR Stealer, an information-stealing malware targeting customers between late April and mid-June 2026. The malware has been used in campaigns that rely on ClickFix social engineering techniques to trick users into executing malicious commands.

ACR Stealer is associated with the evolution of Amatera Stealer and has been distributed through malware-as-a-service operations. Microsoft observed that threat actors used ACR Stealer to collect browser credentials, authentication tokens, and sensitive files from compromised environments.

The campaigns targeted enterprise users by using techniques designed to bypass security controls and maintain access to stolen information. Microsoft identified two separate intrusion chains involving ACR Stealer, including a WebDAV-based delivery method and an in-memory execution method.

How?

The first attack chain used ClickFix lures to convince users to execute commands through the Windows Run dialog. The executed command downloaded files from a WebDAV server, including Python-based loaders that were used to deploy ACR Stealer. The second attack chain also began with ClickFix but used a different execution method. Instead of writing the malware directly to disk, attackers retrieved a JPEG image containing an embedded payload. The malicious content was extracted and executed in memory.

After execution, ACR Stealer collected information from compromised systems, including browser credentials, authentication tokens, and files. Microsoft observed that the malware targeted data stored in synchronized Microsoft OneDrive and SharePoint folders. The malware also used additional techniques, including command-and-control communication through attacker-controlled infrastructure and methods designed to make detection more difficult.

Figure 1: Overview of the ACR Stealer attacks

Impact

ACR Stealer attacks can result in the theft of sensitive information from affected systems. The malware is capable of collecting browser credentials, authentication tokens and files stored on compromised devices. Microsoft also observed that the malware can target data associated with Microsoft 365 environments, including documents stored in synchronized OneDrive and SharePoint folders.

The theft of authentication information may allow attackers to access compromised accounts and use stolen data for further malicious activities.

Recommendations

Microsoft recommended organizations to:

  • Use Microsoft Defender protections and detection capabilities to identify ACR Stealer-related activity.
  • Monitor for suspicious ClickFix activity and malicious command execution.
  • Review indicators of compromise (IOCs) and hunting queries provided by Microsoft to detect potential infections.

Conclusion

Microsoft’s warning highlights the increasing use of ACR Stealer campaigns against customers through social engineering techniques. The malware’s ability to collect credentials, authentication tokens, and sensitive files makes it a threat to organizations that may be targeted by these attacks.

Source
https://www.bleepingcomputer.com/news/security/microsoft-warns-of-surge-in-acr-stealer-attacks-on-customers/
https://www.microsoft.com/en-us/security/blog/2026/07/16/acr-stealer-two-observed-intrusion-chains-amid-increased-threat-activity/#campaign-1-webdav-based-clickfix-with-python-loaders-and-blockchain-c2