Find notable cyber news and cases, enriched with sources, timelines, and signals.

ACR Stealer enterprise infostealer surge

Malware Activity
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

ACR Stealer attacks surged against enterprise customers, putting browser-stored passwords, authentication tokens, cookies, and sensitive documents at risk. The malware used ClickFix, WebDAV, and MSHTA delivery chains to reach victims. The activity matters because it is built to collect browser credentials and corporate files for exfiltration.

Related Happenings

ACR Stealer browser credential and document theft activity

Malware Activity
H score29 First: 17.07.2026 11:56 Last: 17.07.2026 11:56 Sources 1

How related: Microsoft has observed a surge in attacks using the ACR Stealer malware to steal browser-stored passwords, authentication tokens, and sensitive documents from its enterprise customers.

About this happening: ACR Stealer is driving a surge of browser credential and document theft against enterprise customers. Microsoft said activity climbed from late April to mid-June...

Amadey and StealC MaaS ecosystem and affiliate model

Threat Actor Meta
H score73 First: 24.06.2026 18:59 Last: 24.06.2026 18:59 Sources 1

About this happening: The Amadey and StealC ecosystems now operate as malware-as-a-service (MaaS) offerings, widening access to loader and stealer capabilities for paying customers and affi...

StealC and Amadey infostealer infrastructure disruption

Malware Activity
H score69 First: 24.06.2026 18:25 Last: 24.06.2026 18:25 Sources 1

About this happening: StealC and Amadey malware infrastructure was disrupted in Operation Endgame, cutting off the command-and-control services used to manage infected systems. Europol said...

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity
H score41 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails*...

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
H score38 First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The Vidar Stealer campaign is using ClickFix social engineering and compromised WordPress sites to deliver password-stealing malware, widening risk for infrastructur...

Timeline

  1. 18.07.2026 17:17 2 articles · 4h ago

    Microsoft observes a surge of ACR Stealer attacks against enterprise customers

    Initial Disclosure

    Microsoft says ACR Stealer attacks against enterprise customers surged between late April and mid-June, with threat actors using ClickFix, WebDAV servers, and MSHTA to deliver the infostealer. The malware steals browser-stored passwords, authentication tokens, cookies, session data, PDFs, and Microsoft 365 documents, then archives the collected data for exfiltration.

    Show sources