Microsoft has warned of a surge in attacks deploying ACR Stealer, a malware-as-a-service info-stealer believed to be a rebrand of the Amatera Stealer, against its enterprise customers. In a report published this week, the company said the activity ran from late April through mid-June and relied heavily on the ClickFix social-engineering technique combined with WebDAV servers and the MSHTA utility to deliver payloads.

Two Prevalent Delivery Chains

Microsoft’s Defender Experts identified two intrusion chains as the most common. The first starts with a ClickFix lure that tricks a user into running a command via rundll32.exe, pulling a malicious DLL from a remote WebDAV share. Attackers used GUID-based directory structures and filenames mimicking legitimate resources to blend in with normal network traffic. Once C2 communication is established, a heavily obfuscated PowerShell script installs a bundled Python loader, sets up a scheduled task disguised as a software update, tampers with timestamps, clears PowerShell history, and injects the final payload into a system process for in-memory execution. Some variants use public blockchain services as dead-drop resolvers for C2 addresses, a technique known as EtherHiding.

The second chain also begins with ClickFix but launches MSHTA to fetch malicious content from an attacker-controlled server, which runs an obfuscated PowerShell downloader. That downloader extracts an encrypted payload hidden inside a publicly hosted steganographic JPEG image and executes it directly in memory.

Data Targeted

Regardless of delivery method, the goal is consistent: stealing passwords, cookies, session data, and authentication tokens from browsers, decrypting protected data via the Windows DPAPI, and accessing Chromium-based browser databases in Chrome and Edge. The malware also searches for PDFs and Microsoft 365 documents, harvests files from Desktop and Downloads folders, and targets enterprise-synced OneDrive and SharePoint directories before archiving everything for exfiltration.

Microsoft noted these two chains represent only the most prevalent ACR Stealer campaigns observed and that additional delivery methods likely exist.

Mitigations

Microsoft recommends organizations train users to avoid copying and executing instructions from prompts claiming to fix errors or verify human status, a hallmark of ClickFix attacks. Additional recommendations include enforcing web filters, blocking low-reputation or newly registered domains, restricting access to non-business web resources, and applying application control policies that prevent PowerShell, Python, mshta.exe, and rundll32.exe from launching content from user-writeable or remote paths. Microsoft’s full report includes further mitigation guidance and indicators of compromise tied to the observed activity.