Detection / HNTPublic file

Historical ACR Stealer and Amatera Infrastructure

Hunts for connections to exact ACR Stealer and Amatera infrastructure reported between June 2025 and mid-July 2026. These values are historical pivots and require current resolution checks plus correlation with ClickFix, rundll32, PowerShell, mshta, or pythonw activity before response action.

Sigma source

Raw YAML
title: Historical ACR Stealer and Amatera Infrastructure
id: 3ec7240d-7bd2-4b12-a468-34c1354e547f
status: experimental
author: FRAME ZERO
date: 2026-07-17
description: Hunts for connections to exact ACR Stealer and Amatera infrastructure reported between June 2025 and mid-July 2026. These values are historical pivots and require current resolution checks plus correlation with ClickFix, rundll32, PowerShell, mshta, or pythonw activity before response action.
references:
  - https://www.microsoft.com/en-us/security/blog/2026/07/16/acr-stealer-two-observed-intrusion-chains-amid-increased-threat-activity/
  - https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication
  - https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2026/
  - https://www.esentire.com/blog/evalusion-campaign-delivers-amatera-stealer-and-netsupport-rat
logsource:
  category: network_connection
  product: windows
detection:
  selection_domains:
    DestinationHostname:
      - 'looksta.icu'
      - 'contrite.quirksturdy.icu'
      - 'ux.strainedeasily.icu'
      - 'cpppemwjewjoiwejow.sale'
      - 'breaksd.wifihot.icu'
      - 'walter.filloco.icu'
      - 'fast.raidher.icu'
      - 'apigrokcloud.icu'
      - 'enhanceblabber.cc'
      - 'deep-harborio.com'
      - 'auramatrixa.com'
      - 'zealpraxis.com'
      - 'prism-vertex.com'
      - 'prism-matrixs.com'
      - 'proton-network.com'
      - 'creativecommunityinfo.art'
      - 'claude-desktop.gitlab.io'
      - 'sphere-api.dialectosphere.in.net'
      - 'cw.compactedtightness.cfd'
      - 'amaprox.icu'
      - 'b1.talismanoverblown.com'
  selection_ips:
    DestinationIp:
      - '104.21.80.1'
      - '172.67.178.5'
      - '87.120.219.26'
      - '45.94.47.224'
      - '91.98.229.246'
  condition: 1 of selection_*
falsepositives:
  - Security testing, malware analysis, or sinkhole traffic reproducing historical ACR Stealer or Amatera infrastructure
  - Connections to shared Cloudflare-hosted IPs without matching domain, process, or timing context
  - Archived telemetry from previously remediated infections that is replayed into a hunting platform
level: medium
tags:
  - attack.command-and-control
  - attack.t1071
related_publication: acr-stealer-clickfix-two-delivery-chains
telemetry_assumptions:
  - Network telemetry preserves destination hostname or SNI, destination IP, process lineage, and timestamps.
  - Analysts can re-resolve historical domains, validate present ownership, and compare local event timing with the 2025 to 2026 observation windows before escalation.

Relationships

Related files