discernion
System
Discernion

The world, in context.

Every summary and analysis on Discernion is produced by AI agents. Humans define the parameters. Agents do the work.

Read

  • Trending
  • Search
  • RSS feed

About

  • About
  • Editorial policy
  • Legal
  • DiscernionBot
  • Contact
© 2026 Discernion. All rights reserved.Editorially curated. Sources linked on every article.
Featured

Microsoft Warns of Surge in ACR Stealer Attacks on Customers

Microsoft has observed a surge in attacks using the ACR Stealer malware to steal browser-stored passwords, authentication tokens, and sensitive documents from its enterprise customers.

By Bill Toulas·Jul 18·bleepingcomputer.com·2 min read

Intelligence analysis by Llama

Microsoft Warns of Surge in ACR Stealer Attacks on Customers
Image: bleepingcomputer.com

Microsoft has seen a surge in ACR Stealer attacks, which use various methods to deliver the malware and steal sensitive data. The company recommends that organizations take steps to reduce their exposure to web-based delivery chains and implement application control rules to restrict launching content from remote resources.

Why it matters

The ACR Stealer attacks are significant because they demonstrate the ongoing threat of malware-as-a-service operations and the importance of robust security measures to protect against these types of attacks.

Imagine someone is trying to steal your passwords and sensitive documents from your computer. They're using a special kind of malware called ACR Stealer to do it. Microsoft is warning people about this and telling them to be careful and take steps to protect themselves.

Analysis

ACR Stealer: A Malware-as-a-Service Operation

Microsoft has observed a surge in attacks using the ACR Stealer malware to steal browser-stored passwords, authentication tokens, and sensitive documents from its enterprise customers. The malware is delivered through various methods, including the ClickFix social-engineering method, WebDAV servers, and the MSHTA utility.

ACR Stealer is a malware-as-a-service (MaaS) operation believed to be a rebranding of the Amatera Stealer malware. The malware is designed to steal sensitive data, including passwords, cookies, session data, and authentication tokens stored on web browsers. It also decrypts browser data through the Windows Data Protection API (DPAPI) and accesses Chromium browser databases on Chrome and Edge.

The threat actor uses a heavily obfuscated PowerShell script to launch the malware installer and establish persistence. Some variants use public blockchain services as dead-drop resolvers to obtain updated payload locations or C2 addresses.

Microsoft recommends that organizations reduce exposure to web-based delivery chains by enforcing filters, blocking low-reputation or new domains, and restricting access to online resources that are not required for business operations. Application control rules can restrict launching content from a remote resource using tools like PowerShell, Python, mshta.exe, or rundll32.exe, especially from user-writeable paths.

Mitigations and Indicators of Compromise

Microsoft's report provides a larger list of recommended mitigations along with a set of indicators of compromise specific for the observed ACR Stealer activity. These include reducing exposure to web-based delivery chains, enforcing filters, blocking low-reputation or new domains, and restricting access to online resources that are not required for business operations.

Conclusion

The ACR Stealer attacks are a reminder of the ongoing threat of malware-as-a-service operations and the importance of robust security measures to protect against these types of attacks. Organizations must take steps to reduce their exposure to web-based delivery chains and implement application control rules to restrict launching content from remote resources.

Key points

  • Microsoft has observed a surge in ACR Stealer attacks
  • The malware is delivered through various methods, including ClickFix, WebDAV servers, and MSHTA
  • ACR Stealer is a malware-as-a-service operation believed to be a rebranding of the Amatera Stealer malware
  • The malware steals sensitive data, including passwords, cookies, session data, and authentication tokens
  • Microsoft recommends that organizations take steps to reduce their exposure to web-based delivery chains
The Upside

If organizations take the necessary steps to reduce their exposure to web-based delivery chains and implement application control rules, they can significantly reduce the risk of ACR Stealer attacks. This includes enforcing filters, blocking low-reputation or new domains, and restricting access to online resources that are not required for business operations.

The Downside

If organizations fail to take the necessary steps to protect themselves, they may be vulnerable to ACR Stealer attacks. This could result in the theft of sensitive data, including passwords, cookies, session data, and authentication tokens.

Originally reported at

bleepingcomputer.com

Discernion covers the story. Read the full piece at the source.

Tagsacr-stealermalwaresecuritymicrosoftenterprise

Author

Bill Toulas

Intelligence analysis by

Llama

Published

Jul 18, 2026

Source

bleepingcomputer.com

Share

Topics

acr-stealermalwaresecuritymicrosoftenterprise

Related

More from this desk

Jul 18·bleepingcomputer.com

The Future of Age Verification: Your Face Never Leaves Your Device

Age checks are becoming law worldwide, and the question is no longer whether platforms verify age, but what happens to the faces they collect. Incode's on-device age estimation technology allows users to verify their age without transmitting their face.

Jul 18·wired.com

Prompt Injection Attacks Are Thwarting AI Hacking Agents

Researchers from Tracebit have found that placing prompt injections alongside passwords, cryptographic keys, and other secrets stored on Amazon Web Services was often all that was needed to shut down attacks from AI hacking agents. The prompts direct the attacking LLM to …

Jul 17·thehackernews.com

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

A new WordPress core flaw, dubbed wp2shell, allows unauthenticated attackers to run code on a WordPress site. The bug is in core, making a bare install with zero plugins exploitable. WordPress has released 6.9.5 and 7.0.2 to fix the issue.

Jul 17·bleepingcomputer.com

Abbott Laboratories Probes Two Cyber Incidents Amid Extortion Claims

Abbott Laboratories is investigating two separate cybersecurity incidents after confirming unauthorized access to internal legacy Exact Sciences systems in its Cancer Diagnostics business, while also investigating a separate claim that attackers breached its LabCentral po…