ACR Stealer uses ClickFix to branch into WebDAV and MSHTA delivery chains
Microsoft observed late-April to mid-June 2026 ACR Stealer intrusions that started with ClickFix and diverged into WebDAV or MSHTA delivery before stealing browser credentials, tokens, and enterprise documents.
- 2026-07-17
- 10 min read
Operational layer / Use first
Detection & hunt kit
Deployable logic, required telemetry, and ATT&CK coverage. Expand an artifact without leaving the intelligence report.
01 / DetectionClickFix Run Dialog Launch of Rundll32 over WebDAVDetects Windows Run dialog command history that matches Microsoft's observed ClickFix launch pattern for ACR Stealer, including rundll32 execution from a remote WebDAV share and more concealed pushd or conhost headless variants.ATT&CK / T1204 / T1218.011View detailsMinimize
- Use
- Detection
- Confidence state
- stable
- Priority
- high
- ATT&CK
- T1204 / T1218.011
Required telemetry
- category
- registry_event
- product
- windows
title: ClickFix Run Dialog Launch of Rundll32 over WebDAV
id: 8f9d8f9c-9b9e-4b95-8bb2-8c74aa65c56f
status: stable
author: FRAME ZERO
date: 2026-07-17
description: Detects Windows Run dialog command history that matches Microsoft's observed ClickFix launch pattern for ACR Stealer, including rundll32 execution from a remote WebDAV share and more concealed pushd or conhost headless variants.
references:
- https://www.microsoft.com/en-us/security/blog/2026/07/16/acr-stealer-two-observed-intrusion-chains-amid-increased-threat-activity/
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2026/
logsource:
category: registry_event
product: windows
detection:
selection_key:
RegistryKey|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
selection_common:
RegistryValueData|contains|all:
- 'rundll32'
- '@ssl'
- ' /c '
selection_variant_start:
RegistryValueData|contains: ' start '
selection_variant_pushd:
RegistryValueData|contains: 'pushd '
selection_variant_headless:
RegistryValueData|contains: 'conhost --headless'
condition: selection_key and selection_common and 1 of selection_variant_*
falsepositives:
- Administrators or support personnel manually testing WebDAV access or DLL loading through the Windows Run dialog
- Security teams reproducing published ClickFix delivery chains in a lab
level: high
tags:
- attack.execution
- attack.t1204
- attack.t1218.011
related_publication: acr-stealer-clickfix-two-delivery-chains
telemetry_assumptions:
- Endpoint telemetry captures RunMRU registry writes with the complete command string and the initiating user.
- Analysts can correlate the registry event with nearby process creation and outbound network telemetry for cmd.exe, rundll32.exe, and conhost.exe.
02 / DetectionPowerShell Runs an Autoupdate Scheduled Task for ACR Stealer PersistenceDetects the PowerShell-driven schtasks pattern Microsoft published for ACR Stealer persistence, where an existing hidden software-update themed task is run after the payload is staged.ATT&CK / T1053.005View detailsMinimize
- Use
- Detection
- Confidence state
- stable
- Priority
- high
- ATT&CK
- T1053.005
Required telemetry
- category
- process_creation
- product
- windows
title: PowerShell Runs an Autoupdate Scheduled Task for ACR Stealer Persistence
id: 5f502b08-6f12-4a59-965b-7352f8a8191b
status: stable
author: FRAME ZERO
date: 2026-07-17
description: Detects the PowerShell-driven schtasks pattern Microsoft published for ACR Stealer persistence, where an existing hidden software-update themed task is run after the payload is staged.
references:
- https://www.microsoft.com/en-us/security/blog/2026/07/16/acr-stealer-two-observed-intrusion-chains-amid-increased-threat-activity/
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\powershell.exe'
selection_image:
Image|endswith: '\schtasks.exe'
selection_task:
CommandLine|contains|all:
- '/run /tn '
- 'Autoupdate'
selection_date:
CommandLine|re: '[0-9]{8}'
condition: all of selection_*
falsepositives:
- Administrative or software-deployment scripts that intentionally create or trigger a task named Autoupdate with the same date-suffixed pattern
- Endpoint-management tooling that stages legitimate update tasks through PowerShell before execution
level: high
tags:
- attack.persistence
- attack.t1053.005
related_publication: acr-stealer-clickfix-two-delivery-chains
telemetry_assumptions:
- Process telemetry records parent and child images together with the full schtasks command line.
- Analysts can review the created task definition, target payload path, and preceding directory creation below user-writable locations.
03 / Threat huntHistorical ACR Stealer and Amatera InfrastructureHunts for connections to exact ACR Stealer and Amatera infrastructure reported between June 2025 and mid-July 2026. These values are historical pivots and require current resolution checks plus correlation with ClickFix, rundll32, PowerShell, mshta, or pythonw activity before response action.ATT&CK / T1071View detailsMinimize
- Use
- Threat hunt
- Confidence state
- experimental
- Priority
- medium
- Review after
- 2026-08-16
Required telemetry
- category
- network_connection
- product
- windows
ATT&CK / T1071
title: Historical ACR Stealer and Amatera Infrastructure
id: 3ec7240d-7bd2-4b12-a468-34c1354e547f
status: experimental
author: FRAME ZERO
date: 2026-07-17
description: Hunts for connections to exact ACR Stealer and Amatera infrastructure reported between June 2025 and mid-July 2026. These values are historical pivots and require current resolution checks plus correlation with ClickFix, rundll32, PowerShell, mshta, or pythonw activity before response action.
references:
- https://www.microsoft.com/en-us/security/blog/2026/07/16/acr-stealer-two-observed-intrusion-chains-amid-increased-threat-activity/
- https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2026/
- https://www.esentire.com/blog/evalusion-campaign-delivers-amatera-stealer-and-netsupport-rat
logsource:
category: network_connection
product: windows
detection:
selection_domains:
DestinationHostname:
- 'looksta.icu'
- 'contrite.quirksturdy.icu'
- 'ux.strainedeasily.icu'
- 'cpppemwjewjoiwejow.sale'
- 'breaksd.wifihot.icu'
- 'walter.filloco.icu'
- 'fast.raidher.icu'
- 'apigrokcloud.icu'
- 'enhanceblabber.cc'
- 'deep-harborio.com'
- 'auramatrixa.com'
- 'zealpraxis.com'
- 'prism-vertex.com'
- 'prism-matrixs.com'
- 'proton-network.com'
- 'creativecommunityinfo.art'
- 'claude-desktop.gitlab.io'
- 'sphere-api.dialectosphere.in.net'
- 'cw.compactedtightness.cfd'
- 'amaprox.icu'
- 'b1.talismanoverblown.com'
selection_ips:
DestinationIp:
- '104.21.80.1'
- '172.67.178.5'
- '87.120.219.26'
- '45.94.47.224'
- '91.98.229.246'
condition: 1 of selection_*
falsepositives:
- Security testing, malware analysis, or sinkhole traffic reproducing historical ACR Stealer or Amatera infrastructure
- Connections to shared Cloudflare-hosted IPs without matching domain, process, or timing context
- Archived telemetry from previously remediated infections that is replayed into a hunting platform
level: medium
tags:
- attack.command-and-control
- attack.t1071
related_publication: acr-stealer-clickfix-two-delivery-chains
telemetry_assumptions:
- Network telemetry preserves destination hostname or SNI, destination IP, process lineage, and timestamps.
- Analysts can re-resolve historical domains, validate present ownership, and compare local event timing with the 2025 to 2026 observation windows before escalation.
Analysis
Microsoft reported that from late April 2026 to mid-June 2026, ACR Stealer activity in enterprise environments repeatedly started with ClickFix and then split into two delivery paths. One path used remote WebDAV content, obfuscated PowerShell, Python persistence, and in some cases blockchain-backed dead-drop resolution. The other used mshta.exe, remote HTA content, and a steganographic in-memory payload. Both paths ended in browser credential theft, token access, document collection, and data staging for exfiltration.
Proofpoint previously tied the Amatera rebrand to ACR Stealer in June 2025, Red Canary observed ACR Stealer in active ClearFake delivery during April 2026, and eSentire documented a later Amatera chain that delivered NetSupport RAT after similar initial access. The frozen bundle therefore supports both the current Microsoft campaign sequence and the longer delivery lineage, but public claims in this package stay within what those sources directly report.
ClickFix establishes the initial foothold in both observed 2026 chains
Microsoft wrote that both 2026 intrusion chains began when a user followed a ClickFix-style prompt and ran an attacker-supplied command. In the first chain, the command launched cmd.exe and then rundll32.exe to load a DLL from a remote WebDAV share over HTTPS. Some observed variants used pushd to map the WebDAV share to a temporary drive letter before execution. A more concealed variant launched through conhost.exe --headless and used delayed environment-variable expansion to hide the pushd, rundll32, and remote-host components.
Red Canary separately observed ACR Stealer delivered through ClearFake in April 2026, including fake Claude Code GitLab pages and rundll32.exe outbound command and control. Its reporting covers a separate chain and shows that ACR Stealer operators were already pairing ClickFix-style social engineering with rundll32.exe-based execution in the same time period.
The WebDAV path moves from PowerShell into Python persistence
After rundll32.exe loaded the WebDAV-delivered DLL, Microsoft observed contact with attacker-controlled infrastructure followed by a heavily obfuscated PowerShell stage. That stage downloaded a ZIP payload, extracted it below %LocalAppData%\Temp into a directory made to resemble legitimate software, launched a bundled pythonw.exe, removed prior deployments, and created a hidden scheduled task disguised as a software update. Microsoft also reported timestomping and PowerShell history clearing during this phase.
The Python component then decoded an in-memory shellcode loader. Microsoft described dynamic API resolution, string reconstruction, Base64 decoding, zlib decompression, and final payload injection through VirtualAlloc, ConvertThreadToFiber, CreateFiber, and SwitchToFiber. In a subset of intrusions, Microsoft also observed a secondary Python loader that queried public blockchain RPC and Web3 infrastructure to recover follow-on payload or command-and-control information.
Proofpoint's June 2025 Amatera research aligns with this lineage. It reported ClickFix delivery, EtherHiding, and encrypted command-and-control communications for the rebranded stealer, while eSentire later described Amatera delivering additional malware through PowerShell after the initial stealer execution path.
The second path uses MSHTA and a steganographic in-memory payload
Microsoft's second 2026 chain also started with ClickFix, but the command spawned mshta.exe to retrieve remote HTA content. The embedded VBScript loader used COM objects to decode and run obfuscated PowerShell. Before contacting the next-stage host, Microsoft observed the script generating a victim-specific identifier and disabling certificate validation.
Instead of downloading a conventional second script, the second chain fetched a JPEG image from an image-hosting service. Microsoft reported custom routines that extracted hidden content from image pixels, decrypted and decompressed the embedded payload, and then resolved APIs such as LoadLibrary, GetProcAddress, VirtualAlloc, CreateThread, and WaitForSingleObject at runtime for reflective shellcode execution. This kept execution largely in memory and reduced the file artifacts available to traditional disk-based inspection.
Both paths collect browser secrets and enterprise documents before exfiltration
Microsoft reported that both chains ultimately targeted Chromium credential stores, cookies, tokens, and authentication artifacts. The actors also enumerated PDFs, Microsoft 365 documents, Desktop and Downloads content, and data synchronized through OneDrive and SharePoint. The collected material was then archived to prepare for exfiltration.
That collection objective matches the stealer lineage in the rest of the bundle. Proofpoint described Amatera as a rebranded ACR-based information stealer with updated evasion, while eSentire documented selective follow-on payload delivery after the stealer had already profiled the endpoint and evaluated whether it belonged to a domain or held files of value.
Durable detections cover the ClickFix launch and the masqueraded persistence task
The first included Sigma rule detects Windows Run dialog telemetry that contains rundll32 plus @ssl, together with either pushd, start, or conhost --headless. That selection is grounded in Microsoft's observed ClickFix-to-WebDAV launch chain and is meant to catch the user-pasted execution step before the stealer settles into later stages. Administrators can legitimately type rundll32 into the Run dialog during troubleshooting, so analysts still need user, host, and remote-share context.
The second durable rule detects schtasks.exe launched by powershell.exe with the Autoupdate task name pattern Microsoft published for the WebDAV-to-Python chain. It is intentionally narrower than a generic scheduled-task analytic because the evidence ties this persistence step to a PowerShell-driven installer that re-runs the payload at user sign-in. Software updaters and administrative scripts can still collide with the same pattern, so defenders should review task XML, parent-child process lineage, and the destination directory created just before task registration.
The included hunt is indicator-backed because the sources publish unambiguous destination domains and IP addresses. URLs, file hashes, the smart-contract address, and the Proofpoint and eSentire HTTP Host headers remain article pivots rather than selections in this Windows network-connection hunt because its declared telemetry cannot represent URL paths, file content, blockchain contracts, or HTTP headers. The hunt should remain experimental because its selected values span June 2025 through mid-July 2026 reporting windows, some are historical lineage pivots rather than current campaign infrastructure, and Cloudflare-backed IP matches are not sufficient on their own.
Telemetry and response priorities
The core telemetry need is process, registry, and network correlation around cmd.exe, rundll32.exe, powershell.exe, pythonw.exe, mshta.exe, and schtasks.exe. Microsoft's own hunting guidance points to RunMRU registry data, scheduled-task creation, WebDAV access, browser credential-store access, DPAPI activity, and suspicious use of image-hosting or blockchain infrastructure. Defenders should retain full parent-child process context, command lines, destination host data, and timestamps tightly enough to reconstruct the paste-and-run sequence.
Investigations should prioritize systems where a user-triggered ClickFix prompt is followed by remote WebDAV execution, hidden or misleading task creation, browser database access, and collection of Microsoft 365 or PDF content in the same window. If compromise is suspected, Microsoft recommends host isolation, credential rotation, token revocation, persistence review, and investigation of outbound connections to remote shares, image-hosting services, or follow-on infrastructure.
Because both chains are aimed at browser credentials and synchronized enterprise content, response should extend beyond the endpoint. Review cloud sign-in events, conditional-access decisions, repository and collaboration audit logs, and document-access history for the affected user after endpoint containment. eSentire's historical reporting also shows that some Amatera infections progress to additional malware, so defenders should not assume the stealer is the terminal stage of the intrusion.
Scope and limitations
Microsoft supplies the strongest evidence in the bundle and directly supports the two 2026 chains described here. Proofpoint, Red Canary, and eSentire strengthen lineage, delivery, and infrastructure context, but they describe earlier or adjacent Amatera activity rather than the exact same incidents Microsoft investigated. This package therefore avoids claiming that every reported domain or IP was active in Microsoft's late-April to mid-June 2026 cases.
The durable detections focus on observed behavior, not on the historical infrastructure list. They do not guarantee visibility into purely in-memory post-exploitation, browser data theft, or document staging when process, registry, or network telemetry is incomplete. The experimental hunt depends on accurate host, SNI, or destination-IP logging and still requires analyst correlation because some values are historical, some are tied to shared infrastructure, and most lack per-value observation times in the frozen evidence.
Attribution also remains limited. Microsoft attributes the observed behavior to ACR Stealer based on tradecraft and corroborating open-source intelligence, while other sources discuss the Amatera rebrand and affiliated loaders. The frozen bundle does not identify a complete operator set, a full victim count, or a single end-to-end intrusion chain that spans every source in this package.
Reported IOCs
View detailsMinimize
Microsoft observed the two 2026 intrusion chains from late April 2026 to mid-June 2026. Red Canary separately reported related ACR Stealer delivery in April 2026. Proofpoint's Amatera lineage report covers activity it observed in April and May 2025. eSentire observed its EVALUSION chain in November 2025, making that infrastructure historical context rather than a direct description of Microsoft's 2026 cases. The sources do not provide per-value observation times for most of the exact values below. These domains, URLs, host headers, IPs, file hashes, and the smart-contract address should therefore be treated as time-sensitive historical pivots that require current ownership, current resolution where applicable, and local-log validation before response action.
| Value | Type | Context |
|---|---|---|
looksta[.]icu | Domain | Microsoft campaign 1 C2 domain |
contrite.quirksturdy[.]icu | Domain | Microsoft campaign 1 C2 domain |
ux.strainedeasily[.]icu | Domain | Microsoft campaign 1 C2 domain |
cpppemwjewjoiwejow[.]sale | Domain | Microsoft campaign 1 C2 domain |
breaksd.wifihot[.]icu | Domain | Microsoft campaign 1 C2 domain |
walter.filloco[.]icu | Domain | Microsoft campaign 1 C2 domain |
fast.raidher[.]icu | Domain | Microsoft campaign 1 C2 domain |
apigrokcloud[.]icu | Domain | Microsoft campaign 1 C2 domain |
enhanceblabber[.]cc | Domain | Microsoft campaign 2 C2 domain |
deep-harborio[.]com | Domain | Microsoft campaign 2 first-stage payload host |
auramatrixa[.]com | Domain | Microsoft campaign 2 first-stage payload host |
zealpraxis[.]com | Domain | Microsoft campaign 2 first-stage payload host |
prism-vertex[.]com | Domain | Microsoft campaign 2 first-stage payload host |
prism-matrixs[.]com | Domain | Microsoft campaign 2 first-stage payload host |
proton-network[.]com | Domain | Microsoft campaign 2 first-stage payload host |
creativecommunityinfo[.]art | Domain | Microsoft campaign 2 payload host |
claude-desktop[.]gitlab[.]io | Domain | Red Canary April 2026 fake Claude Code GitLab lure |
sphere-api.dialectosphere.in[.]net | Domain | Red Canary April 2026 remote network-share delivery host |
\\sphere-api.dialectosphere.in[.]net\05fe317c-0981-4de2-bc8a-930d369db441\ck-3d80df5d12cdfe6450a782fc87bf66b444.google,#1 | UNC path | Red Canary April 2026 remote DLL resource loaded by rundll32.exe |
cw.compactedtightness[.]cfd | Domain | Red Canary April 2026 example ACR Stealer command-and-control destination |
amaprox[.]icu | Domain | Proofpoint June 2025 Amatera HTTPS security-context initialization pivot |
overplanteasiest[.]top | Domain | Proofpoint June 2025 hardcoded C2 host associated with 104.21.80[.]1 |
badnesspandemic[.]shop | Domain | Proofpoint June 2025 hardcoded host header associated with 172.67.178[.]5 |
b1[.]talismanoverblown[.]com | Domain | Proofpoint June 2025 Amatera infrastructure and C2 pivot |
104.21.80[.]1 | IP address | Proofpoint June 2025 Amatera C2 IP linked to overplanteasiest[.]top |
172.67.178[.]5 | IP address | Proofpoint June 2025 Amatera C2 IP linked to badnesspandemic[.]shop |
https[:]//cv[.]cbrw[.]ru/t[.]csproj | URL | Proofpoint June 2025 ClearFake ClickFix payload URL |
https[:]//tt[.]cbrw[.]ru/vb7to8[.]psd | URL | Proofpoint June 2025 ClearFake shellcode URL |
https[:]//cv[.]cbrw[.]ru/init1[.]bin | URL | Proofpoint June 2025 ClearFake shellcode URL leading to Amatera |
120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2 | SHA-256 | Proofpoint Amatera sample using NTSockets without HTTPS or second-stage support |
7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea | SHA-256 | Proofpoint Amatera sample with HTTPS support |
35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af | SHA-256 | Proofpoint Amatera sample using HTTPS command and control |
2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991 | SHA-256 | Proofpoint ClearFake ClickFix CSProj payload |
ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55 | SHA-256 | Proofpoint ClearFake second-stage PowerShell |
055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5b | SHA-256 | Proofpoint ClearFake shellcode leading to Amatera |
0x80d31D935f0EC978253A26D48B5593599B9542C7 | BNB Smart Chain Testnet contract | Proofpoint ClearFake EtherHiding smart-contract pivot |
hxxp://87.120.219.26/P9m4H7S2FqDTof | URL | eSentire Amatera loader URL used to retrieve a PowerShell payload |
87.120.219.26 | IP address | eSentire historical payload host |
45.94.47.224 | IP address | eSentire NetSupport RAT C2 from client32.ini |
91.98.229.246 | IP address | eSentire Amatera C2 server extracted from historical tooling |
aether100.pronotification.table.core.windows.net | Host header | eSentire bogus Host header used in Amatera command-and-control traffic |