Listen to this Post
Introduction: Cybercriminals Are Turning Everyday Files into Invisible Weapons
Modern cybercriminals are no longer relying on obvious malware attachments or suspicious executable files. Instead, they are hiding dangerous payloads inside seemingly harmless images, abusing legitimate Windows utilities, and executing malware entirely in memory to evade detection. This evolution represents one of the most sophisticated trends in today’s malware landscape.
Between late April and mid-June 2026, Microsoft Defender Experts observed an advanced malware campaign distributing ACR Stealer, an information-stealing malware that focuses on browser credentials, authentication tokens, cookies, and confidential business documents. What makes this campaign particularly concerning is its combination of ClickFix social engineering, PowerShell obfuscation, steganography, and fileless malware execution, allowing attackers to remain largely invisible to traditional antivirus solutions.
The campaign demonstrates how modern attackers increasingly prioritize identity theft over ransomware. Instead of encrypting files, they quietly steal credentials, hijack authenticated sessions, and infiltrate cloud services before organizations even realize they have been compromised.
Microsoft Detects Advanced ACR Stealer Campaign
Microsoft Defender Experts tracked multiple attack chains involving ACR Stealer, malware reportedly distributed under a Malware-as-a-Service (MaaS) business model and believed to be connected to the rebranded Amatera Stealer.
Rather than exploiting software vulnerabilities directly, the attackers manipulate users into launching malicious commands themselves. This human-focused approach bypasses many traditional security controls because the victim unknowingly initiates the attack.
Successful infections allow attackers to collect:
Browser passwords
Cookies
Authentication tokens
Stored payment information
Sensitive PDF documents
Cloud authentication sessions
Once harvested, this information can be used for identity theft, corporate espionage, financial fraud, and lateral movement inside enterprise environments.
The ClickFix Social Engineering Trap
One of the most dangerous aspects of the campaign is its delivery mechanism.
Victims are redirected to fake verification pages through malicious advertisements or search engine poisoning. Instead of downloading malware directly, the fake website displays instructions asking users to copy and paste a command into the Windows Run dialog or PowerShell terminal.
Because the victim performs the action voluntarily, many endpoint security products treat the behavior as legitimate.
This technique, known as ClickFix, has rapidly become one of the most successful malware delivery strategies in recent years.
MSHTA: Abusing Legitimate Windows Components
The copied command launches mshta.exe, a legitimate Microsoft Windows utility originally designed to execute HTML Application (HTA) files.
Instead of downloading a standard executable, MSHTA retrieves malicious HTML content from attacker-controlled servers.
Inside the HTA file, embedded VBScript leverages Windows COM objects to decode hidden PowerShell commands.
Using trusted Windows components makes detection significantly harder because many organizations allow these binaries by default.
Heavy PowerShell Obfuscation Slows Security Analysis
The PowerShell stage is intentionally engineered to frustrate both security software and malware analysts.
Researchers observed several layers of obfuscation including:
Random variable names
Fake execution branches
Meaningless arithmetic calculations
Custom encryption routines
Multiple decoding stages
Rather than immediately downloading malware, the script continuously transforms itself during execution, making static analysis extremely difficult.
This type of layered obfuscation is increasingly common among modern information stealers.
Malware Hidden Inside an Innocent JPEG
Perhaps the
Instead of downloading a suspicious executable, the malware retrieves what appears to be a completely normal JPEG image hosted on a public image-sharing platform.
To users—and even many security tools—the image looks perfectly harmless.
However, hidden inside the
The PowerShell script extracts the concealed data, decrypts it, decompresses it, and immediately executes it directly in memory.
No obvious malware file is ever written to disk.
This dramatically reduces forensic evidence while helping the malware evade signature-based antivirus detection.
Reflective Memory Execution Avoids Traditional Antivirus
After decoding the hidden payload, ACR Stealer performs reflective loading entirely in memory.
Instead of relying on standard executable loading methods, it dynamically resolves Windows APIs including:
LoadLibrary()
GetProcAddress()
VirtualAlloc()
CreateThread()
These functions allocate memory, load required libraries, and execute shellcode without creating persistent files on the operating system.
Memory-only execution significantly complicates malware detection because many traditional security tools focus primarily on scanning files stored on disk.
Browser Credential Theft Becomes the Primary Objective
Once active, ACR Stealer immediately targets Chromium-based browsers such as:
Google Chrome
Microsoft Edge
Chromium-based applications
The malware accesses browser databases including:
Login Data
Web Data
Cookie storage
Session databases
Using the Windows Data Protection API (DPAPI), it decrypts stored passwords, browser cookies, and authentication tokens.
Unlike simple password theft, stolen authentication tokens may allow attackers to access cloud services without knowing user passwords.
Why Session Tokens Are More Valuable Than Passwords
Authentication tokens represent one of the most valuable digital assets attackers can steal.
Many modern web services rely on session cookies to remember authenticated users.
If an attacker steals these tokens before expiration, they may gain immediate access to:
Microsoft 365
Google Workspace
Corporate VPN portals
CRM platforms
Cloud storage
Internal enterprise dashboards
In many cases, these stolen sessions continue working even when multi-factor authentication (MFA) is enabled because the authentication has already been completed.
This makes session hijacking one of
Sensitive Business Documents Are Also Collected
ACR Stealer does not stop at browser data.
Microsoft observed the malware actively searching Desktop and Downloads folders for valuable PDF documents.
Potential targets include:
Financial reports
Contracts
Legal agreements
Internal documentation
Customer information
Project files
These files are prepared for exfiltration alongside stolen credentials, giving attackers both account access and confidential corporate information.
Known Indicators of Compromise (IOCs)
Microsoft identified several command-and-control infrastructure indicators associated with the campaign.
Known defanged domains include:
looksta[.]icu
contrite.quirksturdy[.]icu
ux.strainedeasily[.]icu
Security professionals should only re-enable (“re-fang”) these indicators within controlled threat intelligence platforms such as SIEM environments, MISP, or VirusTotal to avoid accidental communication with malicious infrastructure.
Deep Analysis
Modern information stealers have evolved beyond traditional malware. Instead of relying on executable files, ACR Stealer combines trusted Windows binaries, PowerShell abuse, steganography, reflective loading, and memory-only execution into a single attack chain. Every stage is specifically designed to reduce detection opportunities.
The campaign also reflects a broader shift within the cybercriminal ecosystem. Rather than immediately deploying ransomware, attackers increasingly focus on stealing identities first. Stolen browser sessions often provide immediate access to corporate cloud environments, allowing attackers to quietly escalate privileges before launching additional attacks.
From a defensive perspective, organizations should monitor abnormal executions of mshta.exe, powershell.exe, and unusual outbound connections to newly registered domains. Endpoint Detection and Response (EDR) solutions capable of behavioral monitoring are significantly more effective than signature-based antivirus alone against these techniques.
Useful Detection & Investigation Commands
Check suspicious MSHTA executions
Get-WinEvent -LogName Security | Select-String "mshta.exe"
Monitor PowerShell Operational Logs
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational
Identify suspicious PowerShell history
Get-Content (Get-PSReadlineOption).HistorySavePath
List running PowerShell processes
tasklist | findstr powershell
Inspect active network connections
netstat -ano
Find recently created scheduled tasks
schtasks /query /fo LIST /v
Review Windows Defender detections
Get-MpThreatDetection
Run a Defender quick scan
Start-MpScan -ScanType QuickScan
Check browser credential database locations
dir "$env:LOCALAPPDATA\Google\Chrome\User Data\Default"
Collect Windows Event Logs
wevtutil qe Security /c:50 /f:text
Organizations should also implement application control policies, disable unnecessary use of MSHTA where possible, enable PowerShell logging, deploy Attack Surface Reduction (ASR) rules, and educate users never to copy commands from websites into the Windows Run dialog or PowerShell.
What Undercode Say:
This campaign perfectly illustrates how cybercriminals continue to innovate by abusing trusted operating system components instead of relying on traditional malware delivery methods. The combination of social engineering, legitimate Windows binaries, PowerShell obfuscation, and steganography creates a layered attack that can bypass many conventional defenses.
One of the most alarming aspects is the shift toward identity-centric attacks. Passwords are no longer the only valuable target. Session cookies and authentication tokens can provide attackers with immediate access to cloud applications, often bypassing protections that organizations assume are sufficient, including multi-factor authentication.
The use of JPEG steganography demonstrates that virtually any file type can become a malware carrier when attackers are determined enough. Security teams can no longer judge files solely by their extensions or appearances. Behavioral analysis has become more important than static scanning.
Another notable trend is the extensive use of “living-off-the-land” techniques. By leveraging tools such as MSHTA, PowerShell, COM objects, and Windows APIs, attackers reduce their dependency on custom malware files, blending malicious activity into legitimate system behavior.
Organizations should also recognize the importance of endpoint telemetry. Memory-only malware leaves very few artifacts on disk, meaning incident responders must rely on process monitoring, event logs, network telemetry, and behavioral analytics rather than traditional file analysis.
From an enterprise perspective, browser security deserves far more attention than it typically receives. Browsers now store credentials, authentication cookies, API keys, financial information, and cloud sessions. Compromising a browser often provides broader access than compromising a single workstation.
Security awareness training must evolve as well. Employees have become increasingly skeptical of email attachments, but many remain unaware that simply copying a command into the Run dialog can compromise an entire organization. Training should specifically address fake verification pages, CAPTCHA scams, and ClickFix-style social engineering.
Microsoft’s observations also reinforce the need for defense-in-depth. Antivirus software alone is insufficient against advanced fileless attacks. Organizations should deploy EDR, SIEM monitoring, application control, privileged access management, and continuous threat hunting to detect subtle indicators before attackers achieve persistence.
The malware-as-a-service model behind ACR Stealer lowers the technical barrier for cybercriminals, allowing less experienced actors to deploy highly sophisticated malware. This commercialization of cybercrime means advanced attacks are no longer limited to elite threat groups.
Looking ahead, similar campaigns are likely to integrate artificial intelligence to automate phishing pages, customize social engineering content, and dynamically adjust malware behavior based on the victim’s environment. Defenders will need equally intelligent detection capabilities to keep pace with this evolution.
Ultimately, ACR Stealer serves as another reminder that cybersecurity is no longer just about preventing malware execution. It is about protecting identities, monitoring behavior, securing cloud access, and recognizing that seemingly harmless files may conceal highly sophisticated threats.
✅ Microsoft Defender Experts publicly reported observing sophisticated ACR Stealer campaigns between late April and mid-June 2026 targeting browser credentials, cookies, authentication tokens, and sensitive documents.
✅ The campaign uses legitimate Windows components such as MSHTA, PowerShell, and DPAPI alongside steganography and reflective memory execution, techniques that are widely recognized within the cybersecurity industry for evasion and credential theft.
✅ The published Indicators of Compromise (IOCs), including the listed defanged domains, align with Microsoft’s guidance to prevent accidental interaction while enabling defenders to investigate and monitor malicious infrastructure safely.
Prediction
(+1) Endpoint Detection and Response (EDR) platforms will increasingly use AI-driven behavioral analytics to identify memory-only malware, reducing attackers’ ability to hide behind legitimate Windows utilities.
(-1) Cybercriminal groups will continue expanding the use of steganography, encrypted image payloads, and living-off-the-land techniques, making future information stealers significantly more difficult for traditional antivirus products to detect.
(-1) Identity theft through stolen browser sessions and authentication tokens will likely surpass conventional password theft as the preferred method for compromising enterprise cloud environments over the coming years.
▶️ Related Video (72% Match):
🕵️📝Let’s dive deep and fact‑check.
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://stackoverflow.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube




