Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

ACR Stealer

150
Global rank
119 infographic chevron month
Month rank
160 infographic chevron week
Week rank
0
IOCs

ACR Stealer is a modern information-stealing malware designed to harvest sensitive data from infected devices. Like other infostealers, it targets credentials, financial details, browser data, and files, enabling cybercriminals to monetize stolen information through direct fraud or underground market sales.

Stealer
Type
Unknown
Origin
1 March, 2024
First seen
2 September, 2025
Last seen

How to analyze ACR Stealer with ANY.RUN

Type
Unknown
Origin
1 March, 2024
First seen
2 September, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
ANY.RYN x IBM QRadar SIEM: Real-Time Intellig...
watchers 174
comments 0
post image
Release Notes: Fresh Connectors, SDK Update,...
watchers 1675
comments 0
post image
Streamline Your SOC: All-in-One Threat Detect...
watchers 1307
comments 0

What is ACR Stealer?

ACR Stealer is a sophisticated information-stealing software sold as a Malware-as-a-Service (MaaS) on underground forums, primarily targeting credentials, browser data, and cryptocurrency wallets to facilitate identity theft and financial fraud.

It is lightweight, fast, and capable of exfiltrating a broad spectrum of data types, including login credentials, cryptocurrency wallet information, and system fingerprints. Its developers continuously update the malware to bypass traditional defenses, making it a persistent threat in the cybercrime ecosystem. According to Stamus Networks, ACR Stealer is an evolved version of GrMsk Stealer, which had been privately sold by the threat actor SheldIO since around July 2023. In 2025, Proofpoint researchers confirmed that ACR Stealer was significantly updated and rebranded as Amatera Stealer. Key enhancements included improved anti-analysis features and a shift away from previously used C2 mechanisms like Steam/Telegram dead drops.

ACR Stealer operates by injecting itself into system processes to avoid detection, then systematically scans the endpoint for valuable data. It uses encryption to obfuscate stolen information before exfiltrating it to C2 servers, sometimes leveraging unconventional platforms like Google Docs for command retrieval. The malware employs dead drop resolvers for dynamic C2 resolution, enhancing its resilience against takedowns. Variants like Amatera introduce advanced string obfuscation and virtual machine checks to evade sandboxes and antivirus software.

ACR Stealer commonly spreads through:

  • Phishing emails with malicious attachments or links.
  • Malvertising that redirects users to fake software downloads.
  • Cracked software and trojanized applications shared on forums or torrents.
  • Drive-by downloads from compromised websites.

While primarily single-device malware, once credentials are stolen, attackers often use them to move laterally within corporate networks.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

ACR Stealer Malware Victimology

ACR Stealer targets a broad spectrum of victims, with no specific industry or demographic limitation. The malware's distribution methods suggest that it primarily affects:

  • Individual users seeking cracked software or illegitimate downloads
  • Organizations whose employees fall victim to social engineering tactics
  • Users of popular platforms like Steam, where the malware leverages community features for C2 communication
  • Cryptocurrency enthusiasts and traders, given its specific focus on wallet theft
  • Users of mainstream web browsers who store sensitive credentials and financial information

The distribution trend of ACR Stealer from June 2024 to February 2025 indicates a dramatic rise in 2025, suggesting an expanding victim base and increased threat actor adoption of this malware family.

ACR Stealer Technical Analysis and Attack Example

Let’s observe an ACR Stealer typical attack chain on a sample analyzed in ANY.RUN’s Interactive Sandbox.

View analysis

ACR Stealer analysis in Interactive Sandbox ACR Stealer sample analysis in the Interactive Sandbox

HTTP Requests and Encryption

An interesting feature of ACR Stealer is that HTTP packet headers may use legitimate domains such as microsoft.com, although the packets are sent to IP addresses not associated with these domains.

ACR HTTP requests seen in Interactive Sandbox ACR HTTP requests seen in Interactive Sandbox

In the first response to an HTTP request, there is a large Base64-encoded string of 32 KB. When attempting to decode it, it turns out to be additionally encrypted using an XOR operation. After decryption, it produces a large configuration file, which is a key component of ACR Stealer’s operation.

Configuration File

The ACR Stealer configuration file is a structured JSON-like object that manages data theft in the Windows environment. It defines the targets and parameters for collecting sensitive information, ensuring flexibility and stealth of the malware.

The stealer targets data from numerous browsers, including Google Chrome, Microsoft Edge, Opera, Firefox, Brave, Vivaldi, and lesser-known ones such as CocCoc, 360Browser, and K-Meleon. It extracts cookies, passwords, browsing history, autofill data, credit card details, and extensions, many of which are cryptocurrency wallets (MetaMask, Coinbase Wallet), password managers, and censorship bypass tools.

Messengers such as Telegram, WhatsApp, Signal, Tox, and Psi+ are targeted for theft of session keys, chats, and contacts via files such as *.sqlite or accounts.xml located in %AppData% directories. Cryptocurrency wallets, including Bitcoin, Electrum, Exodus, Ledger Live, Binance, and others, are subject to theft of wallet.dat, *.json, *.config files containing private keys and seed phrases.

Additionally, the stealer attacks password managers (Bitwarden, NordPass, 1Password), FTP clients (FileZilla, WinSCP), email clients (The Bat!, eM Client, Outlook), VPNs (NordVPN, AzireVPN), and applications such as AnyDesk and Sticky Notes, extracting logins, passwords, and 2FA tokens. Global disk searches target files with keywords like bitcoin, wallet, seed, metamask in the Documents and Recent folders to locate seed phrases and keys.

The configuration supports downloading additional files from external URLs and uses a dictionary of strings for parsing browser data (Login Data, Cookies, key4.db), obfuscation, and adaptation to Windows versions, minimizing detection by antivirus software.

Data Exfiltration

ACR ZIP archive with stolen data in Interactive Sandbox ACR Stealer ZIP archive with stolen data

Data collected by ACR Stealer is sent to the attacker’s server as a ZIP archive. The configuration file usually contains a parameter responsible for downloading an additional executable file from an external resource. However, in the analyzed sample such a download was not performed.

Evolution

It is reported that in new versions of ACR Stealer, the Dead Drop Resolver (DDR) method is used. The malware connects to a legitimate web platform, where a configuration string with the actual C2 server domain is placed on a specific page. The malware retrieves this string, parses it, and obtains the C2 address to proceed with its operations. This approach complicates detection and tracking of the malware.

Previously, ACRStealer used characteristic HTTP request signatures such as:

  • GET domain.com/ujs/uuid
  • POST domain.com/up

However, according to some sources, still newer versions of the malware have abandoned this format, making identification more difficult.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Notable ACR Stealer Attacks

Best known campaigns include a 2025 operation using cracked software to distribute ACR alongside Lumma Stealer, resulting in widespread credential theft since January.

Another involved a fake Google Safety Centre phishing site spreading Latrodectus loader and ACR Stealer, compromising user security globally. In 2024, exploitation of CVE-2024-21412 facilitated delivery of ACR, Lumma, and Meduza stealers, evading Microsoft Defender and affecting numerous endpoints.

Additionally, web inject campaigns via ClearFake deployed Amatera variant, targeting cryptocurrency users with high success in data exfiltration.

Gathering Threat Intelligence on ACR Stealer Malware

Threat intelligence empowers defenders with real-time knowledge of ACR Stealer’s infrastructure, tactics, and IOCs. By enriching alerts with contextual data, security teams can distinguish real threats from noise, respond faster, and block communication with known C2 servers before data exfiltration succeeds.

Start using Threat Intelligence Lookup for free: collect IOCs, browse sandbox detonations.

Start with a malware name search request to ANY.RUN’s Threat Intelligence Lookup and dive deeper into contextual data on ACR Stealer. View public analyses of the malware’s fresh samples, extract the behavioral patterns, gather IOCs from each session.

threatName:"acr" and threatLevel:"malicious"

ACR Stealer samples found via Threat Intelligence Lookup ACR Stealer malware analyses found via Threat Intelligence Lookup

Gather indicators of compromise by clicking the IOCs button in Interactive Sandbox and look them up to find correlating IPs, domains, URLs, and more.

destinationIP:"85.208.139.75"

IP found in ACR Stealer samples delivers more IOCs via Threat Intelligence Lookup Lookup search for an IP found in ACR Stealer samples delivers more IOCs

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

ACR Stealer represents a significant evolution in information-stealing malware, combining sophisticated evasion techniques with comprehensive data harvesting capabilities. Its ability to leverage legitimate platforms for command and control communication, employ advanced anti-analysis techniques, and continuously evolve demonstrates the dynamic nature of modern cyber threats. Organizations must adopt a proactive, multi-layered security approach that combines technical controls, user education, and threat intelligence to effectively defend against ACR Stealer and similar threats.

The rise in ACR Stealer incidents, particularly the dramatic increase observed in 2025, underscores the urgent need for enhanced security awareness and robust defensive measures across all sectors of the digital economy.

Sign up to use ANY.RUN’s TI Lookup for free: gather fresh actionable threat intelligence for quick detection and response.

HAVE A LOOK AT

DragonForce screenshot
DragonForce
dragonforce
DragonForce is a ransomware strain operating under the Ransomware-as-a-Service (RaaS) model. First reported in December 2023, it encrypts files with ChaCha8, renames them with random strings, and appends “.dragonforce_encrypted.” By disabling backups, wiping recovery, and spreading across SMB shares, DragonForce maximizes damage and pressures victims into multimillion-dollar ransom negotiations. It has targeted manufacturing, construction, IT, healthcare, and retail sectors worldwide, making it a severe threat to modern enterprises.
Read More
EvilProxy screenshot
EvilProxy
evilproxy
EvilProxy is a phishing-as-a-service (PhaaS) platform that enables cybercriminals to bypass multi-factor authentication (MFA) and hijack user sessions. It leverages reverse proxy techniques to harvest credentials and session cookies, posing a serious threat to both individuals and enterprises.
Read More
Jigsaw screenshot
Jigsaw
jigsaw
The Jigsaw ransomware, initially detected in 2016, encrypts files on compromised systems and requires a ransom payment in Bitcoin. If the ransom is not paid, the malware starts deleting files, increasing the pressure on victims to comply. Its source code is publicly accessible, allowing various threat actors to customize and repurpose the malware for different objectives.
Read More
Mamba 2FA screenshot
Mamba 2FA
mamba
Mamba 2FA is an advanced phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA) and target Microsoft 365 accounts. It focuses on intercepting authentication flows in real-time and enables threat actors to hijack user sessions and access sensitive systems even when additional security measures are in place.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
DarkCloud screenshot
DarkCloud
darkcloud
DarkCloud is an infostealer that focuses on collecting and exfiltrating browser data from the infected device. The malware is also capable of keylogging and crypto address swapping. DarkCloud is typically delivered to victims’ computers via phishing emails.
Read More