Advertisement
Security

The Paste-and-Run Malware Trap

ACR Stealer exploits user-executed commands to siphon session tokens and files, bypassing traditional software vulnerabilities.

··2 hours ago·2 min read
green and black stripe textile
Photo by Markus Spiske on Unsplash
Advertisement

Cybersecurity defenders are tracking a persistent campaign of credential and data theft that relies on a remarkably low-tech entry point: the Windows Run dialog. Rather than exploiting unpatched software vulnerabilities, the ACR Stealer campaign forces victims to manually trigger their own compromise by pasting obfuscated commands into their operating system, providing the malware with immediate, authorized access to local files and browser data.

Execution via User Command

The success of this campaign rests entirely on social engineering. By utilizing ClickFix lures, attackers persuade users to copy and execute a specific command string. This manual override bypasses the need for traditional exploit kits, granting the malicious code the same permissions as the logged-in user. Once active, the stealer targets sensitive browser information, including Login Data and Web Data, while using DPAPI to decrypt stored session tokens and passwords.

The threat manifests in two primary delivery chains: one that writes malicious files to the disk and a stealthier version that operates almost entirely in volatile memory. In memory-only scenarios, the malware extracts encrypted payloads hidden within image pixels, a technique that allows the software to execute without ever landing a traditional file on the target system.

Tactics and Evasion

The infrastructure behind these attacks is highly modular and designed to evade standard detection. Attackers often employ WebDAV shares to pull malicious DLLs and use delayed environment-variable expansion to hide their activity from system monitoring tools. Some variants even integrate blockchain technology to mask command-and-control communication.

The campaigns are "successfully using ClickFix lures to steal browser credentials, authentication tokens, and sensitive documents."

— Microsoft Defender Experts team

The Evolution of ACR

The code currently identified as ACR Stealer is part of a complex and shifting lineage. Originally marketed by a threat actor known as SheldIO, the codebase has undergone significant rebranding and ownership changes over the last two years.

  • $199: The monthly subscription price for the rebranded Amatera Stealer as of June 2025.
  • $1,499: The annual licensing cost for the rebadged infostealer.
  • 628 KB: The size of the specific JPEG file used in one observed payload delivery attempt.

Defensive Implications

Because these attacks do not rely on software exploits, traditional patch management is insufficient. Security teams must focus on restricting the execution environment. Hardening endpoints requires proactive measures, such as disabling the Run dialog via Group Policy, implementing AppLocker or WDAC to block mshta.exe, and strictly limiting the ability of PowerShell and Python to launch internet-delivered content. Organizations should prioritize revoking existing authentication tokens upon detection rather than merely rotating passwords, as the primary goal of the attacker is the theft of active, live session data.

#acr stealer#infostealer#social engineering#credential theft#windows security

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement