Hidden Inside a Simple JPEG: How ACR Stealer Uses Steganography to Bypass Security and Steal Your Digital Identity + Video

Listen to this Post

Featured ImageIntroduction: Cybercriminals Are Turning Everyday Files into Invisible Weapons

Modern cybercriminals are no longer relying on obvious malware attachments or suspicious executable files. Instead, they are hiding dangerous payloads inside seemingly harmless images, abusing legitimate Windows utilities, and executing malware entirely in memory to evade detection. This evolution represents one of the most sophisticated trends in today’s malware landscape.

Between late April and mid-June 2026, Microsoft Defender Experts observed an advanced malware campaign distributing ACR Stealer, an information-stealing malware that focuses on browser credentials, authentication tokens, cookies, and confidential business documents. What makes this campaign particularly concerning is its combination of ClickFix social engineering, PowerShell obfuscation, steganography, and fileless malware execution, allowing attackers to remain largely invisible to traditional antivirus solutions.

The campaign demonstrates how modern attackers increasingly prioritize identity theft over ransomware. Instead of encrypting files, they quietly steal credentials, hijack authenticated sessions, and infiltrate cloud services before organizations even realize they have been compromised.

Microsoft Detects Advanced ACR Stealer Campaign

Microsoft Defender Experts tracked multiple attack chains involving ACR Stealer, malware reportedly distributed under a Malware-as-a-Service (MaaS) business model and believed to be connected to the rebranded Amatera Stealer.

Rather than exploiting software vulnerabilities directly, the attackers manipulate users into launching malicious commands themselves. This human-focused approach bypasses many traditional security controls because the victim unknowingly initiates the attack.

Successful infections allow attackers to collect:

Browser passwords

Cookies

Authentication tokens

Stored payment information

Sensitive PDF documents

Cloud authentication sessions

Once harvested, this information can be used for identity theft, corporate espionage, financial fraud, and lateral movement inside enterprise environments.

The ClickFix Social Engineering Trap

One of the most dangerous aspects of the campaign is its delivery mechanism.

Victims are redirected to fake verification pages through malicious advertisements or search engine poisoning. Instead of downloading malware directly, the fake website displays instructions asking users to copy and paste a command into the Windows Run dialog or PowerShell terminal.

Because the victim performs the action voluntarily, many endpoint security products treat the behavior as legitimate.

This technique, known as ClickFix, has rapidly become one of the most successful malware delivery strategies in recent years.

MSHTA: Abusing Legitimate Windows Components

The copied command launches mshta.exe, a legitimate Microsoft Windows utility originally designed to execute HTML Application (HTA) files.

Instead of downloading a standard executable, MSHTA retrieves malicious HTML content from attacker-controlled servers.

Inside the HTA file, embedded VBScript leverages Windows COM objects to decode hidden PowerShell commands.

Using trusted Windows components makes detection significantly harder because many organizations allow these binaries by default.

Heavy PowerShell Obfuscation Slows Security Analysis

The PowerShell stage is intentionally engineered to frustrate both security software and malware analysts.

Researchers observed several layers of obfuscation including:

Random variable names

Fake execution branches

Meaningless arithmetic calculations

Custom encryption routines

Multiple decoding stages

Rather than immediately downloading malware, the script continuously transforms itself during execution, making static analysis extremely difficult.

This type of layered obfuscation is increasingly common among modern information stealers.

Malware Hidden Inside an Innocent JPEG

Perhaps the

Instead of downloading a suspicious executable, the malware retrieves what appears to be a completely normal JPEG image hosted on a public image-sharing platform.

To users—and even many security tools—the image looks perfectly harmless.

However, hidden inside the

The PowerShell script extracts the concealed data, decrypts it, decompresses it, and immediately executes it directly in memory.

No obvious malware file is ever written to disk.

This dramatically reduces forensic evidence while helping the malware evade signature-based antivirus detection.

Reflective Memory Execution Avoids Traditional Antivirus

After decoding the hidden payload, ACR Stealer performs reflective loading entirely in memory.

Instead of relying on standard executable loading methods, it dynamically resolves Windows APIs including:

LoadLibrary()
GetProcAddress()
VirtualAlloc()
CreateThread()

These functions allocate memory, load required libraries, and execute shellcode without creating persistent files on the operating system.

Memory-only execution significantly complicates malware detection because many traditional security tools focus primarily on scanning files stored on disk.

Browser Credential Theft Becomes the Primary Objective

Once active, ACR Stealer immediately targets Chromium-based browsers such as:

Google Chrome

Microsoft Edge

Chromium-based applications

The malware accesses browser databases including:

Login Data

Web Data

Cookie storage

Session databases

Using the Windows Data Protection API (DPAPI), it decrypts stored passwords, browser cookies, and authentication tokens.

Unlike simple password theft, stolen authentication tokens may allow attackers to access cloud services without knowing user passwords.

Why Session Tokens Are More Valuable Than Passwords

Authentication tokens represent one of the most valuable digital assets attackers can steal.

Many modern web services rely on session cookies to remember authenticated users.

If an attacker steals these tokens before expiration, they may gain immediate access to:

Microsoft 365

Google Workspace

Corporate VPN portals

CRM platforms

Cloud storage

Internal enterprise dashboards

In many cases, these stolen sessions continue working even when multi-factor authentication (MFA) is enabled because the authentication has already been completed.

This makes session hijacking one of

Sensitive Business Documents Are Also Collected

ACR Stealer does not stop at browser data.

Microsoft observed the malware actively searching Desktop and Downloads folders for valuable PDF documents.

Potential targets include:

Financial reports

Contracts

Legal agreements

Internal documentation

Customer information

Project files

These files are prepared for exfiltration alongside stolen credentials, giving attackers both account access and confidential corporate information.

Known Indicators of Compromise (IOCs)

Microsoft identified several command-and-control infrastructure indicators associated with the campaign.

Known defanged domains include:

looksta[.]icu

contrite.quirksturdy[.]icu

ux.strainedeasily[.]icu

Security professionals should only re-enable (“re-fang”) these indicators within controlled threat intelligence platforms such as SIEM environments, MISP, or VirusTotal to avoid accidental communication with malicious infrastructure.

Deep Analysis

Modern information stealers have evolved beyond traditional malware. Instead of relying on executable files, ACR Stealer combines trusted Windows binaries, PowerShell abuse, steganography, reflective loading, and memory-only execution into a single attack chain. Every stage is specifically designed to reduce detection opportunities.

The campaign also reflects a broader shift within the cybercriminal ecosystem. Rather than immediately deploying ransomware, attackers increasingly focus on stealing identities first. Stolen browser sessions often provide immediate access to corporate cloud environments, allowing attackers to quietly escalate privileges before launching additional attacks.

From a defensive perspective, organizations should monitor abnormal executions of mshta.exe, powershell.exe, and unusual outbound connections to newly registered domains. Endpoint Detection and Response (EDR) solutions capable of behavioral monitoring are significantly more effective than signature-based antivirus alone against these techniques.

Useful Detection & Investigation Commands

Check suspicious MSHTA executions

Get-WinEvent -LogName Security | Select-String "mshta.exe"

Monitor PowerShell Operational Logs

Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational

Identify suspicious PowerShell history

Get-Content (Get-PSReadlineOption).HistorySavePath

List running PowerShell processes

tasklist | findstr powershell

Inspect active network connections

netstat -ano

Find recently created scheduled tasks

schtasks /query /fo LIST /v

Review Windows Defender detections

Get-MpThreatDetection

Run a Defender quick scan

Start-MpScan -ScanType QuickScan

Check browser credential database locations

dir "$env:LOCALAPPDATA\Google\Chrome\User Data\Default"

Collect Windows Event Logs

wevtutil qe Security /c:50 /f:text

Organizations should also implement application control policies, disable unnecessary use of MSHTA where possible, enable PowerShell logging, deploy Attack Surface Reduction (ASR) rules, and educate users never to copy commands from websites into the Windows Run dialog or PowerShell.

What Undercode Say:

This campaign perfectly illustrates how cybercriminals continue to innovate by abusing trusted operating system components instead of relying on traditional malware delivery methods. The combination of social engineering, legitimate Windows binaries, PowerShell obfuscation, and steganography creates a layered attack that can bypass many conventional defenses.

One of the most alarming aspects is the shift toward identity-centric attacks. Passwords are no longer the only valuable target. Session cookies and authentication tokens can provide attackers with immediate access to cloud applications, often bypassing protections that organizations assume are sufficient, including multi-factor authentication.

The use of JPEG steganography demonstrates that virtually any file type can become a malware carrier when attackers are determined enough. Security teams can no longer judge files solely by their extensions or appearances. Behavioral analysis has become more important than static scanning.

Another notable trend is the extensive use of “living-off-the-land” techniques. By leveraging tools such as MSHTA, PowerShell, COM objects, and Windows APIs, attackers reduce their dependency on custom malware files, blending malicious activity into legitimate system behavior.

Organizations should also recognize the importance of endpoint telemetry. Memory-only malware leaves very few artifacts on disk, meaning incident responders must rely on process monitoring, event logs, network telemetry, and behavioral analytics rather than traditional file analysis.

From an enterprise perspective, browser security deserves far more attention than it typically receives. Browsers now store credentials, authentication cookies, API keys, financial information, and cloud sessions. Compromising a browser often provides broader access than compromising a single workstation.

Security awareness training must evolve as well. Employees have become increasingly skeptical of email attachments, but many remain unaware that simply copying a command into the Run dialog can compromise an entire organization. Training should specifically address fake verification pages, CAPTCHA scams, and ClickFix-style social engineering.

Microsoft’s observations also reinforce the need for defense-in-depth. Antivirus software alone is insufficient against advanced fileless attacks. Organizations should deploy EDR, SIEM monitoring, application control, privileged access management, and continuous threat hunting to detect subtle indicators before attackers achieve persistence.

The malware-as-a-service model behind ACR Stealer lowers the technical barrier for cybercriminals, allowing less experienced actors to deploy highly sophisticated malware. This commercialization of cybercrime means advanced attacks are no longer limited to elite threat groups.

Looking ahead, similar campaigns are likely to integrate artificial intelligence to automate phishing pages, customize social engineering content, and dynamically adjust malware behavior based on the victim’s environment. Defenders will need equally intelligent detection capabilities to keep pace with this evolution.

Ultimately, ACR Stealer serves as another reminder that cybersecurity is no longer just about preventing malware execution. It is about protecting identities, monitoring behavior, securing cloud access, and recognizing that seemingly harmless files may conceal highly sophisticated threats.

✅ Microsoft Defender Experts publicly reported observing sophisticated ACR Stealer campaigns between late April and mid-June 2026 targeting browser credentials, cookies, authentication tokens, and sensitive documents.

✅ The campaign uses legitimate Windows components such as MSHTA, PowerShell, and DPAPI alongside steganography and reflective memory execution, techniques that are widely recognized within the cybersecurity industry for evasion and credential theft.

✅ The published Indicators of Compromise (IOCs), including the listed defanged domains, align with Microsoft’s guidance to prevent accidental interaction while enabling defenders to investigate and monitor malicious infrastructure safely.

Prediction

(+1) Endpoint Detection and Response (EDR) platforms will increasingly use AI-driven behavioral analytics to identify memory-only malware, reducing attackers’ ability to hide behind legitimate Windows utilities.

(-1) Cybercriminal groups will continue expanding the use of steganography, encrypted image payloads, and living-off-the-land techniques, making future information stealers significantly more difficult for traditional antivirus products to detect.

(-1) Identity theft through stolen browser sessions and authentication tokens will likely surpass conventional password theft as the preferred method for compromising enterprise cloud environments over the coming years.

▶️ Related Video (72% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://stackoverflow.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube