Key Takeaways
- ACR Stealer (also seen as Amatera Stealer) is an infostealer that exfiltrates browser passwords, session tokens, PDFs, Office documents, and OneDrive/SharePoint files.
- Infection begins when a user pastes a malicious command into the Windows Run dialog and presses Enter; no software vulnerability is exploited.
- Two primary delivery chains are observed: a fileless chain that hides payloads in JPEG pixels and runs largely in memory, and a disk‑based chain that downloads a DLL via WebDAV, establishes persistence through scheduled tasks, and uses timestomping to evade detection.
- Both chains rely on legitimate Windows utilities (mshta.exe, rundll32.exe, PowerShell, Python) and abuse trusted services such as image‑hosting sites (ImgBB) and WebDAV shares.
- Microsoft’s Defender Experts recommend revoking authentication tokens in addition to rotating passwords, because stolen session tokens remain usable after password changes.
- Defensive measures include removing or restricting the Run prompt, applying application‑control/AppLocker rules to block mshta, rundll32, PowerShell, and Python from loading internet content, hunting for anomalous rundll32.exe activity, and monitoring for scheduled tasks masquerading as updates.
- The stealer’s infrastructure is fluid: domains rotate, and threat‑actor attribution remains unclear, though the malware traces back to a Russian‑speaking actor “SheldIO” and has been rebranded as Amatera Stealer.
- Continuous monitoring, user‑training to avoid paste‑and‑run tricks, and token‑revocation procedures are essential to mitigate this threat.
Overview of ACR Stealer’s Activity
Since its first appearance in 2024, ACR Stealer has been observed siphoning a wide range of sensitive data from compromised Windows environments. The malware harvests saved credentials from Chrome and Edge browsers, extracts live session tokens, and lifts PDFs, Microsoft 365 documents, and files stored in synced OneDrive and SharePoint folders. Microsoft’s Defender Experts team noted a steady rise in ACR Stealer detections from late April to mid‑June 2024, attributing the increase to successful “ClickFix” lures that trick users into executing a malicious command. Notably, the actor does not rely on any unpatched software flaw; every stage of the attack proceeds only after a user voluntarily pastes and runs the supplied text.
How the Attack Begins: The Paste‑and‑Run Vector
The initial foothold is created when a victim copies a command string—often delivered via malvertising, SEO‑poisoned search results, or fake support pages—and pastes it into the Windows Run dialog (Win + R). Pressing Enter triggers the execution chain. Because the command is executed under the logged‑in user’s security context, the malware inherits all of the user’s privileges and can access personal data, network drives, and cloud‑synced folders without needing to escalate privileges. This reliance on user interaction means that traditional patching does not block the attack; mitigation must focus on preventing the paste‑and‑run behavior itself.
Fileless Chain: Payload Hidden in JPEG Pixels
One of the two observed delivery chains operates almost entirely in memory, leaving minimal forensic artifacts. The pasted command launches mshta.exe, which fetches a remote HTML Application (HTA) file. Embedded VBScript within the HTA uses COM objects to decode and invoke a PowerShell stage. This PowerShell component generates a unique victim ID, disables certificate validation, and then retrieves a JPEG image from an external hosting service (e.g., ImgBB). Custom routines carved into the PowerShell script extract the malicious payload concealed in the image’s pixel data, decrypt and decompress it, and execute it reflectively—meaning the code runs directly in memory without touching disk.
Once active, the stealer targets the Login Data and Web Data SQLite databases of Chrome and Edge, invoking the Windows DPAPI to decrypt stored passwords, cookies, and authentication tokens. It also scans the user’s Desktop and Downloads folders for PDFs and Office documents, exfiltrating them alongside the harvested credentials. Because the payload never writes a persistent file to disk (aside from temporary memory buffers), conventional antivirus scans that focus on file‑based signatures often miss this chain.
Disk‑Based Chain: Persistence via WebDAV and Scheduled Tasks
The second chain leaves more tangible traces on the victim’s system. The initial Run command invokes rundll32.exe to load a DLL directly from a WebDAV share over HTTPS. The share path uses a GUID‑named directory and a benign‑sounding filename (e.g., google.ct) to evade casual inspection. Some variants first employ pushd to mount the remote share as a temporary drive, then execute the DLL through what appears to be a local path. To further conceal activity, the attack may wrap the call in conhost.exe --headless, suppressing any console window, and obfuscate strings such as pushd, rundll32, and the remote host using delayed environment‑variable expansion.
After the DLL is loaded, it drops an obfuscated PowerShell script that creates a ZIP archive in a folder under %LocalAppData%\Temp (often given an innocuous name like LogiOptionsPlus). A bundled pythonw.exe then runs the embedded Python script, performing the installation silently—no window flashes on screen. The installer removes any older versions of itself, effectively acting as an updater. Persistence is achieved through a hidden scheduled task masquerading as a routine software update; the task copies timestamps from notepad.exe onto its own files (timestomping) and clears PowerShell history to hinder forensic analysis. The final stage of the payload resides in memory, invoking the Windows Fiber API to hand off execution without creating additional processes.
In a subset of infections, a secondary Python loader contacts public blockchain RPC endpoints or Web3 node infrastructure—a technique dubbed EtherHiding—to retrieve a payload or command‑and‑control (C2) address directly from a smart contract, thereby removing any attacker‑controlled domain that could be seized or sinkholed.
Lure Techniques and Observed Campaigns
The malicious instructions that users paste are typically delivered via deceptive web pages. One documented example, reported by SANS Internet Storm Center handler Brad Duncan on May 26, involved a page impersonating Anthropic’s Claude AI assistant. Accessed through malicious Google ads and often hidden behind sites.google.com subdomains, the page displayed Windows‑specific instructions when opened on a PC and macOS instructions when opened on a Mac. Although Microsoft’s report does not name the lure explicitly, it references two indicators—creativecommunityinfo[.]art and enhanceblabber[.]cc—that match the infrastructure seen in Duncan’s analysis.
Red Canary had previously observed similar Claude‑branded lures in April 2024, distributing ACR Stealer through fake Claude Code pages hosted on GitLab (e.g., claude-desktop[.]gitlab[.]io). Other lure variants include fake CAPTCHA pages and counterfeit software update prompts, all designed to convince the user that the copied command is legitimate.
Attribution and Evolution of the Malware Family
Microsoft refrains from assigning a specific threat actor to ACR Stealer, linking the activity to the malware family based on observed behavior, code reuse, and infrastructure patterns. The stealer was initially marketed on Russian‑speaking underground forums by an actor known as SheldIO, who ceased sales in July 2024. After the shutdown, conflicting reports emerged: eSentire claimed the source code was sold to another group, whereas Proofpoint noted that the same Telegram channel announced the shutdown rather than a farewell, and a new panel called Amatera appeared five months later.
By June 2025, Proofpoint reported that ACR Stealer had been substantially updated and rebranded as Amatera Stealer, with subscription pricing ranging from $199 per month to $1,499 per year. Red Canary treats ACR and Amatera as a single evolving lineage and considers ACR to be a refined version of the earlier GrMsk stealer. Consequently, detections labeled “ACR Stealer” in mid‑2026 may actually represent the Amatera codebase or a further variant, indicating that the malware continues to evolve while retaining its core capabilities.
Detection, Mitigation, and Defensive Recommendations
Because both infection chains require the user to paste and run a command, the most effective upstream control is to eliminate or restrict the Run dialog. Organizations can enforce this via Group Policy, removing access to Win + R for standard users, or by applying AppLocker/Windows Defender Application Control (WDAC) rules to block the execution of mshta.exe, rundll32.exe, PowerShell, and Python from locations such as Downloads, %Temp%, and %LocalAppData%.
Additional hunting opportunities include:
- Monitoring for rundll32.exe processes launched without obvious command‑line arguments while making outbound network connections.
- Detecting scheduled tasks with names resembling legitimate software updates, especially those that employ timestomping (copying file timestamps from benign executables).
- Looking for PowerShell history clearing events or attempts to disable transcript logging.
- Identifying outbound HTTP/S requests to image‑hosting services (ImgBB, etc.) or to WebDAV shares that are not part of normal business traffic.
Microsoft’s Defender XDR release accompanying the report includes three hunting queries and a list of 16 observed campaign domains; however, defenders should treat these as representative samples, as threat actors frequently rotate infrastructure.
On a suspected compromised host, incident responders should isolate the machine, revoke any active authentication tokens (not merely rotate passwords), and reset credentials for all affected services. Reviewing outbound connections to remote shares and image hosts can help uncover exfiltration attempts, while checking for the presence of the scheduled task or the WebDAV‑mounted DLL can confirm persistence.
Conclusion
ACR Stealer exemplifies how modern infostealers can achieve significant damage without exploiting software vulnerabilities, instead relying on social engineering that convinces users to execute a seemingly innocuous command. Its dual‑chain approach—one fileless and pixel‑based, the other leaving artifacts on disk—demonstrates a sophisticated effort to evade detection while harvesting a broad swath of sensitive data. Effective defense therefore hinges on user education (discouraging paste‑and‑run behavior), strict application controls, vigilant monitoring for anomalous use of legitimate Windows utilities, and rapid token revocation when an infection is suspected. By addressing both the human and technical layers of the attack, organizations can reduce the likelihood that ACR Stealer—or its successor Amatera—walks away with their credentials and confidential files.

