Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

ACR Stealer

149
Global rank
112 infographic chevron month
Month rank
110 infographic chevron week
Week rank
0
IOCs

ACR Stealer is a modern information-stealing malware designed to harvest sensitive data from infected devices. Like other infostealers, it targets credentials, financial details, browser data, and files, enabling cybercriminals to monetize stolen information through direct fraud or underground market sales.

Stealer
Type
Unknown
Origin
1 March, 2024
First seen
26 September, 2025
Last seen

How to analyze ACR Stealer with ANY.RUN

Type
Unknown
Origin
1 March, 2024
First seen
26 September, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
ANY.RUN & MS Defender: Enrich Alerts Faster,...
watchers 236
comments 0
post image
ANY.RUN Sandbox & Microsoft Sentinel: Les...
watchers 646
comments 0
post image
Fighting Telecom Cyberattacks: Investigating...
watchers 2959
comments 0

What is ACR Stealer?

ACR Stealer is a sophisticated information-stealing software sold as a Malware-as-a-Service (MaaS) on underground forums, primarily targeting credentials, browser data, and cryptocurrency wallets to facilitate identity theft and financial fraud.

It is lightweight, fast, and capable of exfiltrating a broad spectrum of data types, including login credentials, cryptocurrency wallet information, and system fingerprints. Its developers continuously update the malware to bypass traditional defenses, making it a persistent threat in the cybercrime ecosystem. According to Stamus Networks, ACR Stealer is an evolved version of GrMsk Stealer, which had been privately sold by the threat actor SheldIO since around July 2023. In 2025, Proofpoint researchers confirmed that ACR Stealer was significantly updated and rebranded as Amatera Stealer. Key enhancements included improved anti-analysis features and a shift away from previously used C2 mechanisms like Steam/Telegram dead drops.

ACR Stealer operates by injecting itself into system processes to avoid detection, then systematically scans the endpoint for valuable data. It uses encryption to obfuscate stolen information before exfiltrating it to C2 servers, sometimes leveraging unconventional platforms like Google Docs for command retrieval. The malware employs dead drop resolvers for dynamic C2 resolution, enhancing its resilience against takedowns. Variants like Amatera introduce advanced string obfuscation and virtual machine checks to evade sandboxes and antivirus software.

ACR Stealer commonly spreads through:

  • Phishing emails with malicious attachments or links.
  • Malvertising that redirects users to fake software downloads.
  • Cracked software and trojanized applications shared on forums or torrents.
  • Drive-by downloads from compromised websites.

While primarily single-device malware, once credentials are stolen, attackers often use them to move laterally within corporate networks.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

ACR Stealer Malware Victimology

ACR Stealer targets a broad spectrum of victims, with no specific industry or demographic limitation. The malware's distribution methods suggest that it primarily affects:

  • Individual users seeking cracked software or illegitimate downloads
  • Organizations whose employees fall victim to social engineering tactics
  • Users of popular platforms like Steam, where the malware leverages community features for C2 communication
  • Cryptocurrency enthusiasts and traders, given its specific focus on wallet theft
  • Users of mainstream web browsers who store sensitive credentials and financial information

The distribution trend of ACR Stealer from June 2024 to February 2025 indicates a dramatic rise in 2025, suggesting an expanding victim base and increased threat actor adoption of this malware family.

ACR Stealer Technical Analysis and Attack Example

Let’s observe an ACR Stealer typical attack chain on a sample analyzed in ANY.RUN’s Interactive Sandbox.

View analysis

ACR Stealer analysis in Interactive Sandbox ACR Stealer sample analysis in the Interactive Sandbox

HTTP Requests and Encryption

An interesting feature of ACR Stealer is that HTTP packet headers may use legitimate domains such as microsoft.com, although the packets are sent to IP addresses not associated with these domains.

ACR HTTP requests seen in Interactive Sandbox ACR HTTP requests seen in Interactive Sandbox

In the first response to an HTTP request, there is a large Base64-encoded string of 32 KB. When attempting to decode it, it turns out to be additionally encrypted using an XOR operation. After decryption, it produces a large configuration file, which is a key component of ACR Stealer’s operation.

Configuration File

The ACR Stealer configuration file is a structured JSON-like object that manages data theft in the Windows environment. It defines the targets and parameters for collecting sensitive information, ensuring flexibility and stealth of the malware.

The stealer targets data from numerous browsers, including Google Chrome, Microsoft Edge, Opera, Firefox, Brave, Vivaldi, and lesser-known ones such as CocCoc, 360Browser, and K-Meleon. It extracts cookies, passwords, browsing history, autofill data, credit card details, and extensions, many of which are cryptocurrency wallets (MetaMask, Coinbase Wallet), password managers, and censorship bypass tools.

Messengers such as Telegram, WhatsApp, Signal, Tox, and Psi+ are targeted for theft of session keys, chats, and contacts via files such as *.sqlite or accounts.xml located in %AppData% directories. Cryptocurrency wallets, including Bitcoin, Electrum, Exodus, Ledger Live, Binance, and others, are subject to theft of wallet.dat, *.json, *.config files containing private keys and seed phrases.

Additionally, the stealer attacks password managers (Bitwarden, NordPass, 1Password), FTP clients (FileZilla, WinSCP), email clients (The Bat!, eM Client, Outlook), VPNs (NordVPN, AzireVPN), and applications such as AnyDesk and Sticky Notes, extracting logins, passwords, and 2FA tokens. Global disk searches target files with keywords like bitcoin, wallet, seed, metamask in the Documents and Recent folders to locate seed phrases and keys.

The configuration supports downloading additional files from external URLs and uses a dictionary of strings for parsing browser data (Login Data, Cookies, key4.db), obfuscation, and adaptation to Windows versions, minimizing detection by antivirus software.

Data Exfiltration

ACR ZIP archive with stolen data in Interactive Sandbox ACR Stealer ZIP archive with stolen data

Data collected by ACR Stealer is sent to the attacker’s server as a ZIP archive. The configuration file usually contains a parameter responsible for downloading an additional executable file from an external resource. However, in the analyzed sample such a download was not performed.

Evolution

It is reported that in new versions of ACR Stealer, the Dead Drop Resolver (DDR) method is used. The malware connects to a legitimate web platform, where a configuration string with the actual C2 server domain is placed on a specific page. The malware retrieves this string, parses it, and obtains the C2 address to proceed with its operations. This approach complicates detection and tracking of the malware.

Previously, ACRStealer used characteristic HTTP request signatures such as:

  • GET domain.com/ujs/uuid
  • POST domain.com/up

However, according to some sources, still newer versions of the malware have abandoned this format, making identification more difficult.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Notable ACR Stealer Attacks

Best known campaigns include a 2025 operation using cracked software to distribute ACR alongside Lumma Stealer, resulting in widespread credential theft since January.

Another involved a fake Google Safety Centre phishing site spreading Latrodectus loader and ACR Stealer, compromising user security globally. In 2024, exploitation of CVE-2024-21412 facilitated delivery of ACR, Lumma, and Meduza stealers, evading Microsoft Defender and affecting numerous endpoints.

Additionally, web inject campaigns via ClearFake deployed Amatera variant, targeting cryptocurrency users with high success in data exfiltration.

Gathering Threat Intelligence on ACR Stealer Malware

Threat intelligence empowers defenders with real-time knowledge of ACR Stealer’s infrastructure, tactics, and IOCs. By enriching alerts with contextual data, security teams can distinguish real threats from noise, respond faster, and block communication with known C2 servers before data exfiltration succeeds.

Start using Threat Intelligence Lookup for free: collect IOCs, browse sandbox detonations.

Start with a malware name search request to ANY.RUN’s Threat Intelligence Lookup and dive deeper into contextual data on ACR Stealer. View public analyses of the malware’s fresh samples, extract the behavioral patterns, gather IOCs from each session.

threatName:"acr" and threatLevel:"malicious"

ACR Stealer samples found via Threat Intelligence Lookup ACR Stealer malware analyses found via Threat Intelligence Lookup

Gather indicators of compromise by clicking the IOCs button in Interactive Sandbox and look them up to find correlating IPs, domains, URLs, and more.

destinationIP:"85.208.139.75"

IP found in ACR Stealer samples delivers more IOCs via Threat Intelligence Lookup Lookup search for an IP found in ACR Stealer samples delivers more IOCs

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

ACR Stealer represents a significant evolution in information-stealing malware, combining sophisticated evasion techniques with comprehensive data harvesting capabilities. Its ability to leverage legitimate platforms for command and control communication, employ advanced anti-analysis techniques, and continuously evolve demonstrates the dynamic nature of modern cyber threats. Organizations must adopt a proactive, multi-layered security approach that combines technical controls, user education, and threat intelligence to effectively defend against ACR Stealer and similar threats.

The rise in ACR Stealer incidents, particularly the dramatic increase observed in 2025, underscores the urgent need for enhanced security awareness and robust defensive measures across all sectors of the digital economy.

Sign up to use ANY.RUN’s TI Lookup for free: gather fresh actionable threat intelligence for quick detection and response.

HAVE A LOOK AT

GuLoader screenshot
GuLoader
guloader
GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.
Read More
ValleyRAT screenshot
ValleyRAT
valleyrat
ValleyRAT is a classic remote access trojan first documented in 2023, targeting mainly Windows systems. It is used by threat actors to gain persistent access to infected devices, steal data, and control compromised machines. ValleyRAT is notable for its relatively advanced evasion techniques and its connections to a prominent Chinese APT group.
Read More
Cactus Ransomware screenshot
Cactus ransomware-as-a-service (RaaS) was first caught in March 2023 targeting corporate networks. It became known for its self-encrypting payload and double extortion tactics. Cactus primarily targets large enterprises across industries in finance, manufacturing, IT, and healthcare. It is known for using custom encryption techniques, remote access tools, and penetration testing frameworks to maximize damage.
Read More
WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More
Loader screenshot
Loader
loader downloader
A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.
Read More
Spynote screenshot
Spynote
spynote
SpyNote, also known as SpyMax and CypherRat, is a powerful Android malware family designed primarily for surveillance and data theft, often categorized as a Remote Access Trojan (RAT). Originally emerged in 2016, SpyNote has evolved significantly, with new variants continuing to appear as recently as 2023–2025.
Read More