Intelligence / TIPublic intelligence

ACR Stealer uses ClickFix to branch into WebDAV and MSHTA delivery chains

Microsoft observed late-April to mid-June 2026 ACR Stealer intrusions that started with ClickFix and diverged into WebDAV or MSHTA delivery before stealing browser credentials, tokens, and enterprise documents.

Published
2026-07-17
Reading time
10 min read

Operational layer / Use first

Detection & hunt kit

Deployable logic, required telemetry, and ATT&CK coverage. Expand an artifact without leaving the intelligence report.

01 / DetectionClickFix Run Dialog Launch of Rundll32 over WebDAVDetects Windows Run dialog command history that matches Microsoft's observed ClickFix launch pattern for ACR Stealer, including rundll32 execution from a remote WebDAV share and more concealed pushd or conhost headless variants.ATT&CK / T1204 / T1218.011View detailsMinimize
Use
Detection
Confidence state
stable
Priority
high
ATT&CK
T1204 / T1218.011

Required telemetry

category
registry_event
product
windows
Sigma sourceInline / YAML
title: ClickFix Run Dialog Launch of Rundll32 over WebDAV
id: 8f9d8f9c-9b9e-4b95-8bb2-8c74aa65c56f
status: stable
author: FRAME ZERO
date: 2026-07-17
description: Detects Windows Run dialog command history that matches Microsoft's observed ClickFix launch pattern for ACR Stealer, including rundll32 execution from a remote WebDAV share and more concealed pushd or conhost headless variants.
references:
  - https://www.microsoft.com/en-us/security/blog/2026/07/16/acr-stealer-two-observed-intrusion-chains-amid-increased-threat-activity/
  - https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2026/
logsource:
  category: registry_event
  product: windows
detection:
  selection_key:
    RegistryKey|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
  selection_common:
    RegistryValueData|contains|all:
      - 'rundll32'
      - '@ssl'
      - ' /c '
  selection_variant_start:
    RegistryValueData|contains: ' start '
  selection_variant_pushd:
    RegistryValueData|contains: 'pushd '
  selection_variant_headless:
    RegistryValueData|contains: 'conhost --headless'
  condition: selection_key and selection_common and 1 of selection_variant_*
falsepositives:
  - Administrators or support personnel manually testing WebDAV access or DLL loading through the Windows Run dialog
  - Security teams reproducing published ClickFix delivery chains in a lab
level: high
tags:
  - attack.execution
  - attack.t1204
  - attack.t1218.011
related_publication: acr-stealer-clickfix-two-delivery-chains
telemetry_assumptions:
  - Endpoint telemetry captures RunMRU registry writes with the complete command string and the initiating user.
  - Analysts can correlate the registry event with nearby process creation and outbound network telemetry for cmd.exe, rundll32.exe, and conhost.exe.
02 / DetectionPowerShell Runs an Autoupdate Scheduled Task for ACR Stealer PersistenceDetects the PowerShell-driven schtasks pattern Microsoft published for ACR Stealer persistence, where an existing hidden software-update themed task is run after the payload is staged.ATT&CK / T1053.005View detailsMinimize
Use
Detection
Confidence state
stable
Priority
high
ATT&CK
T1053.005

Required telemetry

category
process_creation
product
windows
Sigma sourceInline / YAML
title: PowerShell Runs an Autoupdate Scheduled Task for ACR Stealer Persistence
id: 5f502b08-6f12-4a59-965b-7352f8a8191b
status: stable
author: FRAME ZERO
date: 2026-07-17
description: Detects the PowerShell-driven schtasks pattern Microsoft published for ACR Stealer persistence, where an existing hidden software-update themed task is run after the payload is staged.
references:
  - https://www.microsoft.com/en-us/security/blog/2026/07/16/acr-stealer-two-observed-intrusion-chains-amid-increased-threat-activity/
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\powershell.exe'
  selection_image:
    Image|endswith: '\schtasks.exe'
  selection_task:
    CommandLine|contains|all:
      - '/run /tn '
      - 'Autoupdate'
  selection_date:
    CommandLine|re: '[0-9]{8}'
  condition: all of selection_*
falsepositives:
  - Administrative or software-deployment scripts that intentionally create or trigger a task named Autoupdate with the same date-suffixed pattern
  - Endpoint-management tooling that stages legitimate update tasks through PowerShell before execution
level: high
tags:
  - attack.persistence
  - attack.t1053.005
related_publication: acr-stealer-clickfix-two-delivery-chains
telemetry_assumptions:
  - Process telemetry records parent and child images together with the full schtasks command line.
  - Analysts can review the created task definition, target payload path, and preceding directory creation below user-writable locations.
03 / Threat huntHistorical ACR Stealer and Amatera InfrastructureHunts for connections to exact ACR Stealer and Amatera infrastructure reported between June 2025 and mid-July 2026. These values are historical pivots and require current resolution checks plus correlation with ClickFix, rundll32, PowerShell, mshta, or pythonw activity before response action.ATT&CK / T1071View detailsMinimize
Use
Threat hunt
Confidence state
experimental
Priority
medium
Review after
2026-08-16

Required telemetry

category
network_connection
product
windows

ATT&CK / T1071

Sigma sourceInline / YAML
title: Historical ACR Stealer and Amatera Infrastructure
id: 3ec7240d-7bd2-4b12-a468-34c1354e547f
status: experimental
author: FRAME ZERO
date: 2026-07-17
description: Hunts for connections to exact ACR Stealer and Amatera infrastructure reported between June 2025 and mid-July 2026. These values are historical pivots and require current resolution checks plus correlation with ClickFix, rundll32, PowerShell, mshta, or pythonw activity before response action.
references:
  - https://www.microsoft.com/en-us/security/blog/2026/07/16/acr-stealer-two-observed-intrusion-chains-amid-increased-threat-activity/
  - https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication
  - https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2026/
  - https://www.esentire.com/blog/evalusion-campaign-delivers-amatera-stealer-and-netsupport-rat
logsource:
  category: network_connection
  product: windows
detection:
  selection_domains:
    DestinationHostname:
      - 'looksta.icu'
      - 'contrite.quirksturdy.icu'
      - 'ux.strainedeasily.icu'
      - 'cpppemwjewjoiwejow.sale'
      - 'breaksd.wifihot.icu'
      - 'walter.filloco.icu'
      - 'fast.raidher.icu'
      - 'apigrokcloud.icu'
      - 'enhanceblabber.cc'
      - 'deep-harborio.com'
      - 'auramatrixa.com'
      - 'zealpraxis.com'
      - 'prism-vertex.com'
      - 'prism-matrixs.com'
      - 'proton-network.com'
      - 'creativecommunityinfo.art'
      - 'claude-desktop.gitlab.io'
      - 'sphere-api.dialectosphere.in.net'
      - 'cw.compactedtightness.cfd'
      - 'amaprox.icu'
      - 'b1.talismanoverblown.com'
  selection_ips:
    DestinationIp:
      - '104.21.80.1'
      - '172.67.178.5'
      - '87.120.219.26'
      - '45.94.47.224'
      - '91.98.229.246'
  condition: 1 of selection_*
falsepositives:
  - Security testing, malware analysis, or sinkhole traffic reproducing historical ACR Stealer or Amatera infrastructure
  - Connections to shared Cloudflare-hosted IPs without matching domain, process, or timing context
  - Archived telemetry from previously remediated infections that is replayed into a hunting platform
level: medium
tags:
  - attack.command-and-control
  - attack.t1071
related_publication: acr-stealer-clickfix-two-delivery-chains
telemetry_assumptions:
  - Network telemetry preserves destination hostname or SNI, destination IP, process lineage, and timestamps.
  - Analysts can re-resolve historical domains, validate present ownership, and compare local event timing with the 2025 to 2026 observation windows before escalation.

Analysis

Microsoft reported that from late April 2026 to mid-June 2026, ACR Stealer activity in enterprise environments repeatedly started with ClickFix and then split into two delivery paths. One path used remote WebDAV content, obfuscated PowerShell, Python persistence, and in some cases blockchain-backed dead-drop resolution. The other used mshta.exe, remote HTA content, and a steganographic in-memory payload. Both paths ended in browser credential theft, token access, document collection, and data staging for exfiltration.

Proofpoint previously tied the Amatera rebrand to ACR Stealer in June 2025, Red Canary observed ACR Stealer in active ClearFake delivery during April 2026, and eSentire documented a later Amatera chain that delivered NetSupport RAT after similar initial access. The frozen bundle therefore supports both the current Microsoft campaign sequence and the longer delivery lineage, but public claims in this package stay within what those sources directly report.

ClickFix establishes the initial foothold in both observed 2026 chains

Microsoft wrote that both 2026 intrusion chains began when a user followed a ClickFix-style prompt and ran an attacker-supplied command. In the first chain, the command launched cmd.exe and then rundll32.exe to load a DLL from a remote WebDAV share over HTTPS. Some observed variants used pushd to map the WebDAV share to a temporary drive letter before execution. A more concealed variant launched through conhost.exe --headless and used delayed environment-variable expansion to hide the pushd, rundll32, and remote-host components.

Red Canary separately observed ACR Stealer delivered through ClearFake in April 2026, including fake Claude Code GitLab pages and rundll32.exe outbound command and control. Its reporting covers a separate chain and shows that ACR Stealer operators were already pairing ClickFix-style social engineering with rundll32.exe-based execution in the same time period.

The WebDAV path moves from PowerShell into Python persistence

After rundll32.exe loaded the WebDAV-delivered DLL, Microsoft observed contact with attacker-controlled infrastructure followed by a heavily obfuscated PowerShell stage. That stage downloaded a ZIP payload, extracted it below %LocalAppData%\Temp into a directory made to resemble legitimate software, launched a bundled pythonw.exe, removed prior deployments, and created a hidden scheduled task disguised as a software update. Microsoft also reported timestomping and PowerShell history clearing during this phase.

The Python component then decoded an in-memory shellcode loader. Microsoft described dynamic API resolution, string reconstruction, Base64 decoding, zlib decompression, and final payload injection through VirtualAlloc, ConvertThreadToFiber, CreateFiber, and SwitchToFiber. In a subset of intrusions, Microsoft also observed a secondary Python loader that queried public blockchain RPC and Web3 infrastructure to recover follow-on payload or command-and-control information.

Proofpoint's June 2025 Amatera research aligns with this lineage. It reported ClickFix delivery, EtherHiding, and encrypted command-and-control communications for the rebranded stealer, while eSentire later described Amatera delivering additional malware through PowerShell after the initial stealer execution path.

The second path uses MSHTA and a steganographic in-memory payload

Microsoft's second 2026 chain also started with ClickFix, but the command spawned mshta.exe to retrieve remote HTA content. The embedded VBScript loader used COM objects to decode and run obfuscated PowerShell. Before contacting the next-stage host, Microsoft observed the script generating a victim-specific identifier and disabling certificate validation.

Instead of downloading a conventional second script, the second chain fetched a JPEG image from an image-hosting service. Microsoft reported custom routines that extracted hidden content from image pixels, decrypted and decompressed the embedded payload, and then resolved APIs such as LoadLibrary, GetProcAddress, VirtualAlloc, CreateThread, and WaitForSingleObject at runtime for reflective shellcode execution. This kept execution largely in memory and reduced the file artifacts available to traditional disk-based inspection.

Both paths collect browser secrets and enterprise documents before exfiltration

Microsoft reported that both chains ultimately targeted Chromium credential stores, cookies, tokens, and authentication artifacts. The actors also enumerated PDFs, Microsoft 365 documents, Desktop and Downloads content, and data synchronized through OneDrive and SharePoint. The collected material was then archived to prepare for exfiltration.

That collection objective matches the stealer lineage in the rest of the bundle. Proofpoint described Amatera as a rebranded ACR-based information stealer with updated evasion, while eSentire documented selective follow-on payload delivery after the stealer had already profiled the endpoint and evaluated whether it belonged to a domain or held files of value.

Durable detections cover the ClickFix launch and the masqueraded persistence task

The first included Sigma rule detects Windows Run dialog telemetry that contains rundll32 plus @ssl, together with either pushd, start, or conhost --headless. That selection is grounded in Microsoft's observed ClickFix-to-WebDAV launch chain and is meant to catch the user-pasted execution step before the stealer settles into later stages. Administrators can legitimately type rundll32 into the Run dialog during troubleshooting, so analysts still need user, host, and remote-share context.

The second durable rule detects schtasks.exe launched by powershell.exe with the Autoupdate task name pattern Microsoft published for the WebDAV-to-Python chain. It is intentionally narrower than a generic scheduled-task analytic because the evidence ties this persistence step to a PowerShell-driven installer that re-runs the payload at user sign-in. Software updaters and administrative scripts can still collide with the same pattern, so defenders should review task XML, parent-child process lineage, and the destination directory created just before task registration.

The included hunt is indicator-backed because the sources publish unambiguous destination domains and IP addresses. URLs, file hashes, the smart-contract address, and the Proofpoint and eSentire HTTP Host headers remain article pivots rather than selections in this Windows network-connection hunt because its declared telemetry cannot represent URL paths, file content, blockchain contracts, or HTTP headers. The hunt should remain experimental because its selected values span June 2025 through mid-July 2026 reporting windows, some are historical lineage pivots rather than current campaign infrastructure, and Cloudflare-backed IP matches are not sufficient on their own.

Telemetry and response priorities

The core telemetry need is process, registry, and network correlation around cmd.exe, rundll32.exe, powershell.exe, pythonw.exe, mshta.exe, and schtasks.exe. Microsoft's own hunting guidance points to RunMRU registry data, scheduled-task creation, WebDAV access, browser credential-store access, DPAPI activity, and suspicious use of image-hosting or blockchain infrastructure. Defenders should retain full parent-child process context, command lines, destination host data, and timestamps tightly enough to reconstruct the paste-and-run sequence.

Investigations should prioritize systems where a user-triggered ClickFix prompt is followed by remote WebDAV execution, hidden or misleading task creation, browser database access, and collection of Microsoft 365 or PDF content in the same window. If compromise is suspected, Microsoft recommends host isolation, credential rotation, token revocation, persistence review, and investigation of outbound connections to remote shares, image-hosting services, or follow-on infrastructure.

Because both chains are aimed at browser credentials and synchronized enterprise content, response should extend beyond the endpoint. Review cloud sign-in events, conditional-access decisions, repository and collaboration audit logs, and document-access history for the affected user after endpoint containment. eSentire's historical reporting also shows that some Amatera infections progress to additional malware, so defenders should not assume the stealer is the terminal stage of the intrusion.

Scope and limitations

Microsoft supplies the strongest evidence in the bundle and directly supports the two 2026 chains described here. Proofpoint, Red Canary, and eSentire strengthen lineage, delivery, and infrastructure context, but they describe earlier or adjacent Amatera activity rather than the exact same incidents Microsoft investigated. This package therefore avoids claiming that every reported domain or IP was active in Microsoft's late-April to mid-June 2026 cases.

The durable detections focus on observed behavior, not on the historical infrastructure list. They do not guarantee visibility into purely in-memory post-exploitation, browser data theft, or document staging when process, registry, or network telemetry is incomplete. The experimental hunt depends on accurate host, SNI, or destination-IP logging and still requires analyst correlation because some values are historical, some are tied to shared infrastructure, and most lack per-value observation times in the frozen evidence.

Attribution also remains limited. Microsoft attributes the observed behavior to ACR Stealer based on tradecraft and corroborating open-source intelligence, while other sources discuss the Amatera rebrand and affiliated loaders. The frozen bundle does not identify a complete operator set, a full victim count, or a single end-to-end intrusion chain that spans every source in this package.

Reported IOCs

View detailsMinimize

Microsoft observed the two 2026 intrusion chains from late April 2026 to mid-June 2026. Red Canary separately reported related ACR Stealer delivery in April 2026. Proofpoint's Amatera lineage report covers activity it observed in April and May 2025. eSentire observed its EVALUSION chain in November 2025, making that infrastructure historical context rather than a direct description of Microsoft's 2026 cases. The sources do not provide per-value observation times for most of the exact values below. These domains, URLs, host headers, IPs, file hashes, and the smart-contract address should therefore be treated as time-sensitive historical pivots that require current ownership, current resolution where applicable, and local-log validation before response action.

ValueTypeContext
looksta[.]icuDomainMicrosoft campaign 1 C2 domain
contrite.quirksturdy[.]icuDomainMicrosoft campaign 1 C2 domain
ux.strainedeasily[.]icuDomainMicrosoft campaign 1 C2 domain
cpppemwjewjoiwejow[.]saleDomainMicrosoft campaign 1 C2 domain
breaksd.wifihot[.]icuDomainMicrosoft campaign 1 C2 domain
walter.filloco[.]icuDomainMicrosoft campaign 1 C2 domain
fast.raidher[.]icuDomainMicrosoft campaign 1 C2 domain
apigrokcloud[.]icuDomainMicrosoft campaign 1 C2 domain
enhanceblabber[.]ccDomainMicrosoft campaign 2 C2 domain
deep-harborio[.]comDomainMicrosoft campaign 2 first-stage payload host
auramatrixa[.]comDomainMicrosoft campaign 2 first-stage payload host
zealpraxis[.]comDomainMicrosoft campaign 2 first-stage payload host
prism-vertex[.]comDomainMicrosoft campaign 2 first-stage payload host
prism-matrixs[.]comDomainMicrosoft campaign 2 first-stage payload host
proton-network[.]comDomainMicrosoft campaign 2 first-stage payload host
creativecommunityinfo[.]artDomainMicrosoft campaign 2 payload host
claude-desktop[.]gitlab[.]ioDomainRed Canary April 2026 fake Claude Code GitLab lure
sphere-api.dialectosphere.in[.]netDomainRed Canary April 2026 remote network-share delivery host
\\sphere-api.dialectosphere.in[.]net\05fe317c-0981-4de2-bc8a-930d369db441\ck-3d80df5d12cdfe6450a782fc87bf66b444.google,#1UNC pathRed Canary April 2026 remote DLL resource loaded by rundll32.exe
cw.compactedtightness[.]cfdDomainRed Canary April 2026 example ACR Stealer command-and-control destination
amaprox[.]icuDomainProofpoint June 2025 Amatera HTTPS security-context initialization pivot
overplanteasiest[.]topDomainProofpoint June 2025 hardcoded C2 host associated with 104.21.80[.]1
badnesspandemic[.]shopDomainProofpoint June 2025 hardcoded host header associated with 172.67.178[.]5
b1[.]talismanoverblown[.]comDomainProofpoint June 2025 Amatera infrastructure and C2 pivot
104.21.80[.]1IP addressProofpoint June 2025 Amatera C2 IP linked to overplanteasiest[.]top
172.67.178[.]5IP addressProofpoint June 2025 Amatera C2 IP linked to badnesspandemic[.]shop
https[:]//cv[.]cbrw[.]ru/t[.]csprojURLProofpoint June 2025 ClearFake ClickFix payload URL
https[:]//tt[.]cbrw[.]ru/vb7to8[.]psdURLProofpoint June 2025 ClearFake shellcode URL
https[:]//cv[.]cbrw[.]ru/init1[.]binURLProofpoint June 2025 ClearFake shellcode URL leading to Amatera
120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2SHA-256Proofpoint Amatera sample using NTSockets without HTTPS or second-stage support
7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baeaSHA-256Proofpoint Amatera sample with HTTPS support
35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6afSHA-256Proofpoint Amatera sample using HTTPS command and control
2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991SHA-256Proofpoint ClearFake ClickFix CSProj payload
ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55SHA-256Proofpoint ClearFake second-stage PowerShell
055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5bSHA-256Proofpoint ClearFake shellcode leading to Amatera
0x80d31D935f0EC978253A26D48B5593599B9542C7BNB Smart Chain Testnet contractProofpoint ClearFake EtherHiding smart-contract pivot
hxxp://87.120.219.26/P9m4H7S2FqDTofURLeSentire Amatera loader URL used to retrieve a PowerShell payload
87.120.219.26IP addresseSentire historical payload host
45.94.47.224IP addresseSentire NetSupport RAT C2 from client32.ini
91.98.229.246IP addresseSentire Amatera C2 server extracted from historical tooling
aether100.pronotification.table.core.windows.netHost headereSentire bogus Host header used in Amatera command-and-control traffic

Sources

Evidence register
  1. ACR Stealer: Two observed intrusion chains amid increased threat activityresearch
  2. Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophisticationresearch
  3. Intelligence Insights: May 2026research
  4. EVALUSION Campaign Delivers Amatera Stealer and NetSupport RATresearch