Microsoft Warns of Surge in ACR Stealer Attacks on Customers
Microsoft has observed a surge in attacks using the ACR Stealer malware to steal browser-stored passwords, authentication tokens, and sensitive documents from its enterprise customers.
Intelligence analysis by Llama

Microsoft has seen a surge in ACR Stealer attacks, which use various methods to deliver the malware and steal sensitive data. The company recommends that organizations take steps to reduce their exposure to web-based delivery chains and implement application control rules to restrict launching content from remote resources.
Imagine someone is trying to steal your passwords and sensitive documents from your computer. They're using a special kind of malware called ACR Stealer to do it. Microsoft is warning people about this and telling them to be careful and take steps to protect themselves.
Analysis
ACR Stealer: A Malware-as-a-Service Operation
Microsoft has observed a surge in attacks using the ACR Stealer malware to steal browser-stored passwords, authentication tokens, and sensitive documents from its enterprise customers. The malware is delivered through various methods, including the ClickFix social-engineering method, WebDAV servers, and the MSHTA utility.
ACR Stealer is a malware-as-a-service (MaaS) operation believed to be a rebranding of the Amatera Stealer malware. The malware is designed to steal sensitive data, including passwords, cookies, session data, and authentication tokens stored on web browsers. It also decrypts browser data through the Windows Data Protection API (DPAPI) and accesses Chromium browser databases on Chrome and Edge.
The threat actor uses a heavily obfuscated PowerShell script to launch the malware installer and establish persistence. Some variants use public blockchain services as dead-drop resolvers to obtain updated payload locations or C2 addresses.
Microsoft recommends that organizations reduce exposure to web-based delivery chains by enforcing filters, blocking low-reputation or new domains, and restricting access to online resources that are not required for business operations. Application control rules can restrict launching content from a remote resource using tools like PowerShell, Python, mshta.exe, or rundll32.exe, especially from user-writeable paths.
Mitigations and Indicators of Compromise
Microsoft's report provides a larger list of recommended mitigations along with a set of indicators of compromise specific for the observed ACR Stealer activity. These include reducing exposure to web-based delivery chains, enforcing filters, blocking low-reputation or new domains, and restricting access to online resources that are not required for business operations.
Conclusion
The ACR Stealer attacks are a reminder of the ongoing threat of malware-as-a-service operations and the importance of robust security measures to protect against these types of attacks. Organizations must take steps to reduce their exposure to web-based delivery chains and implement application control rules to restrict launching content from remote resources.
Key points
- Microsoft has observed a surge in ACR Stealer attacks
- The malware is delivered through various methods, including ClickFix, WebDAV servers, and MSHTA
- ACR Stealer is a malware-as-a-service operation believed to be a rebranding of the Amatera Stealer malware
- The malware steals sensitive data, including passwords, cookies, session data, and authentication tokens
- Microsoft recommends that organizations take steps to reduce their exposure to web-based delivery chains
If organizations take the necessary steps to reduce their exposure to web-based delivery chains and implement application control rules, they can significantly reduce the risk of ACR Stealer attacks. This includes enforcing filters, blocking low-reputation or new domains, and restricting access to online resources that are not required for business operations.
If organizations fail to take the necessary steps to protect themselves, they may be vulnerable to ACR Stealer attacks. This could result in the theft of sensitive data, including passwords, cookies, session data, and authentication tokens.



