Advertisement
Cyber Crime

ACR Stealer Escalates Enterprise Threats

A sophisticated malware-as-a-service campaign is leveraging social engineering and WebDAV to compromise enterprise environments.

··3 hours ago·2 min read
black and red steering wheel
Photo by FlyD on Unsplash
Advertisement

A surge in malicious activity targeting corporate systems has brought the ACR Stealer to the forefront of cybersecurity concerns. By weaponizing trusted Windows utilities, threat actors are systematically exfiltrating highly sensitive credentials and corporate documents from unsuspecting enterprise users.

Tactical Evolution in Malware Delivery

Between late April and mid-June, researchers identified a sharp rise in campaigns utilizing the ClickFix social-engineering framework. These attacks rely on convincing victims to execute commands under the guise of system repairs or verification processes, effectively bypassing traditional user skepticism. The attackers demonstrate high levels of sophistication by employing WebDAV servers and the MSHTA utility to bridge the gap between initial lures and final payload delivery.

By utilizing GUID-based directory structures, these actors successfully masquerade as legitimate network traffic, making detection significantly more difficult for standard security monitoring tools. The operational shift towards malware-as-a-service (MaaS) models suggests a broader rebrand of the existing Amatera Stealer, indicating that the threat landscape is becoming increasingly professionalized and modular.

Technical Precision and Data Exfiltration

The operational maturity of this campaign is evident in its multi-stage execution chain. Once the PowerShell scripts establish persistence, the malware goes to great lengths to mask its presence, including manipulating system timestamps and clearing command history to impede forensic analysis. The following data points highlight the scope and methods observed by defenders:

  • The threat actor utilized a combination of ClickFix, WebDAV, and MSHTA as the primary delivery vectors.
  • Attackers are actively targeting sensitive browser data, including passwords, cookies, and authentication tokens, through the Windows Data Protection API (DPAPI).
  • Some variants employ a technique known as EtherHiding, leveraging public blockchain services to dynamically update command-and-control infrastructure.
  • The malware specifically targets high-value enterprise data, including OneDrive and SharePoint directory structures.

“These two campaigns represent some of the most prevalent ACR Stealer delivery campaigns observed by Defender Experts; however, they do not represent the full range of delivery methods used by this malware family,”

— Microsoft, as reported in their recent threat analysis.

The Critical Role of Mitigation

For security teams, the primary takeaway is the necessity of strict application control. Because these attacks often abuse native binaries like rundll32.exe and PowerShell, organizations must implement policies that prevent these tools from executing content retrieved from untrusted, remote, or user-writeable paths. The use of Test every layer before attackers do becomes essential as attackers continue to pivot away from static file signatures.

The consequences for organizations that fail to monitor these lateral movement channels are severe. Beyond simple credential theft, the ability of ACR Stealer to access synchronized cloud storage means that a single successful compromise can result in the mass exfiltration of sensitive corporate documents. Moving forward, the industry must emphasize the importance of blocking connections to low-reputation domains and restricting the use of remote execution utilities that remain the lifeblood of these modern intrusion chains.

#malware#acr stealer#enterprise security#infostealer#microsoft

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement