ACR Stealer enterprise infostealer surge
Malware Activity
Summary
Hide ▲
Show ▼
ACR Stealer attacks surged against enterprise customers, putting browser-stored passwords, authentication tokens, cookies, and sensitive documents at risk. The malware used ClickFix, WebDAV, and MSHTA delivery chains to reach victims. The activity matters because it is built to collect browser credentials and corporate files for exfiltration.
Related Happenings
ACR Stealer browser credential and document theft activity
Malware Activity
H score29
First: 17.07.2026 11:56
Last: 17.07.2026 11:56
Sources 1
How related:
Microsoft has observed a surge in attacks using the ACR Stealer malware to steal browser-stored passwords, authentication tokens, and sensitive documents from its enterprise customers.
About this happening:
ACR Stealer is driving a surge of browser credential and document theft against enterprise customers. Microsoft said activity climbed from late April to mid-June...
ACR Stealer browser credential and document theft activity
Malware ActivityHow related: Microsoft has observed a surge in attacks using the ACR Stealer malware to steal browser-stored passwords, authentication tokens, and sensitive documents from its enterprise customers.
About this happening: ACR Stealer is driving a surge of browser credential and document theft against enterprise customers. Microsoft said activity climbed from late April to mid-June...
Amadey and StealC MaaS ecosystem and affiliate model
Threat Actor Meta
H score73
First: 24.06.2026 18:59
Last: 24.06.2026 18:59
Sources 1
About this happening:
The Amadey and StealC ecosystems now operate as malware-as-a-service (MaaS) offerings, widening access to loader and stealer capabilities for paying customers and affi...
Amadey and StealC MaaS ecosystem and affiliate model
Threat Actor MetaAbout this happening: The Amadey and StealC ecosystems now operate as malware-as-a-service (MaaS) offerings, widening access to loader and stealer capabilities for paying customers and affi...
StealC and Amadey infostealer infrastructure disruption
Malware Activity
H score69
First: 24.06.2026 18:25
Last: 24.06.2026 18:25
Sources 1
About this happening:
StealC and Amadey malware infrastructure was disrupted in Operation Endgame, cutting off the command-and-control services used to manage infected systems. Europol said...
StealC and Amadey infostealer infrastructure disruption
Malware ActivityAbout this happening: StealC and Amadey malware infrastructure was disrupted in Operation Endgame, cutting off the command-and-control services used to manage infected systems. Europol said...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails*...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware ActivityAbout this happening: GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails*...
Vidar Stealer ClickFix campaign targeting multiple sectors
Campaign
H score38
First: 08.05.2026 14:00
Last: 08.05.2026 14:00
Sources 1
About this happening:
The Vidar Stealer campaign is using ClickFix social engineering and compromised WordPress sites to deliver password-stealing malware, widening risk for infrastructur...
Vidar Stealer ClickFix campaign targeting multiple sectors
CampaignAbout this happening: The Vidar Stealer campaign is using ClickFix social engineering and compromised WordPress sites to deliver password-stealing malware, widening risk for infrastructur...
Timeline
-
18.07.2026 17:17 2 articles · 4h ago
Microsoft observes a surge of ACR Stealer attacks against enterprise customers
Initial DisclosureMicrosoft says ACR Stealer attacks against enterprise customers surged between late April and mid-June, with threat actors using ClickFix, WebDAV servers, and MSHTA to deliver the infostealer. The malware steals browser-stored passwords, authentication tokens, cookies, session data, PDFs, and Microsoft 365 documents, then archives the collected data for exfiltration.
Show sources
- Microsoft warns of surge in ACR Stealer attacks on customers — www.bleepingcomputer.com — 18.07.2026 17:17
- Microsoft warns of surge in ACR Stealer attacks on customers — www.bleepingcomputer.com — 18.07.2026 17:17