Historical ACR Stealer and Amatera Infrastructure
Hunts for connections to exact ACR Stealer and Amatera infrastructure reported between June 2025 and mid-July 2026. These values are historical pivots and require current resolution checks plus correlation with ClickFix, rundll32, PowerShell, mshta, or pythonw activity before response action.
Sigma source
Raw YAMLtitle: Historical ACR Stealer and Amatera Infrastructure
id: 3ec7240d-7bd2-4b12-a468-34c1354e547f
status: experimental
author: FRAME ZERO
date: 2026-07-17
description: Hunts for connections to exact ACR Stealer and Amatera infrastructure reported between June 2025 and mid-July 2026. These values are historical pivots and require current resolution checks plus correlation with ClickFix, rundll32, PowerShell, mshta, or pythonw activity before response action.
references:
- https://www.microsoft.com/en-us/security/blog/2026/07/16/acr-stealer-two-observed-intrusion-chains-amid-increased-threat-activity/
- https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2026/
- https://www.esentire.com/blog/evalusion-campaign-delivers-amatera-stealer-and-netsupport-rat
logsource:
category: network_connection
product: windows
detection:
selection_domains:
DestinationHostname:
- 'looksta.icu'
- 'contrite.quirksturdy.icu'
- 'ux.strainedeasily.icu'
- 'cpppemwjewjoiwejow.sale'
- 'breaksd.wifihot.icu'
- 'walter.filloco.icu'
- 'fast.raidher.icu'
- 'apigrokcloud.icu'
- 'enhanceblabber.cc'
- 'deep-harborio.com'
- 'auramatrixa.com'
- 'zealpraxis.com'
- 'prism-vertex.com'
- 'prism-matrixs.com'
- 'proton-network.com'
- 'creativecommunityinfo.art'
- 'claude-desktop.gitlab.io'
- 'sphere-api.dialectosphere.in.net'
- 'cw.compactedtightness.cfd'
- 'amaprox.icu'
- 'b1.talismanoverblown.com'
selection_ips:
DestinationIp:
- '104.21.80.1'
- '172.67.178.5'
- '87.120.219.26'
- '45.94.47.224'
- '91.98.229.246'
condition: 1 of selection_*
falsepositives:
- Security testing, malware analysis, or sinkhole traffic reproducing historical ACR Stealer or Amatera infrastructure
- Connections to shared Cloudflare-hosted IPs without matching domain, process, or timing context
- Archived telemetry from previously remediated infections that is replayed into a hunting platform
level: medium
tags:
- attack.command-and-control
- attack.t1071
related_publication: acr-stealer-clickfix-two-delivery-chains
telemetry_assumptions:
- Network telemetry preserves destination hostname or SNI, destination IP, process lineage, and timestamps.
- Analysts can re-resolve historical domains, validate present ownership, and compare local event timing with the 2025 to 2026 observation windows before escalation.