The Paste-and-Run Malware Trap
ACR Stealer exploits user-executed commands to siphon session tokens and files, bypassing traditional software vulnerabilities.
Cybersecurity defenders are tracking a persistent campaign of credential and data theft that relies on a remarkably low-tech entry point: the Windows Run dialog. Rather than exploiting unpatched software vulnerabilities, the ACR Stealer campaign forces victims to manually trigger their own compromise by pasting obfuscated commands into their operating system, providing the malware with immediate, authorized access to local files and browser data.
Execution via User Command
The success of this campaign rests entirely on social engineering. By utilizing ClickFix lures, attackers persuade users to copy and execute a specific command string. This manual override bypasses the need for traditional exploit kits, granting the malicious code the same permissions as the logged-in user. Once active, the stealer targets sensitive browser information, including Login Data and Web Data, while using DPAPI to decrypt stored session tokens and passwords.
The threat manifests in two primary delivery chains: one that writes malicious files to the disk and a stealthier version that operates almost entirely in volatile memory. In memory-only scenarios, the malware extracts encrypted payloads hidden within image pixels, a technique that allows the software to execute without ever landing a traditional file on the target system.
Tactics and Evasion
The infrastructure behind these attacks is highly modular and designed to evade standard detection. Attackers often employ WebDAV shares to pull malicious DLLs and use delayed environment-variable expansion to hide their activity from system monitoring tools. Some variants even integrate blockchain technology to mask command-and-control communication.
The campaigns are "successfully using ClickFix lures to steal browser credentials, authentication tokens, and sensitive documents."
— Microsoft Defender Experts team
The Evolution of ACR
The code currently identified as ACR Stealer is part of a complex and shifting lineage. Originally marketed by a threat actor known as SheldIO, the codebase has undergone significant rebranding and ownership changes over the last two years.
- $199: The monthly subscription price for the rebranded Amatera Stealer as of June 2025.
- $1,499: The annual licensing cost for the rebadged infostealer.
- 628 KB: The size of the specific JPEG file used in one observed payload delivery attempt.
Defensive Implications
Because these attacks do not rely on software exploits, traditional patch management is insufficient. Security teams must focus on restricting the execution environment. Hardening endpoints requires proactive measures, such as disabling the Run dialog via Group Policy, implementing AppLocker or WDAC to block mshta.exe, and strictly limiting the ability of PowerShell and Python to launch internet-delivered content. Organizations should prioritize revoking existing authentication tokens upon detection rather than merely rotating passwords, as the primary goal of the attacker is the theft of active, live session data.
Continue Reading
Grav CMS 2FA Bypass Vulnerability Disclosed in Login Plugin
A critical 2FA bypass vulnerability in Grav CMS allows attackers to reset TOTP secrets, effectively neutralizing multi-factor authentication protections.
Critical Hard-Coded Secret Flaw Found in clawvet API Server
A hard-coded JWT secret in clawvet API versions before 0.7.5 allows unauthenticated remote attackers to forge session cookies and steal sensitive user data.
CISA Flags Actively Exploited Fortinet FortiSandbox OS Injection Flaw
CISA has added a critical OS command injection vulnerability in FortiSandbox to its KEV catalog, mandating urgent remediation for federal agencies.