Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1949+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Microsoft Warns of Surge in ACR Stealer Attacks on Enterprise Customers
Microsoft Warns of Surge in ACR Stealer Attacks on Enterprise Customers
NEWS

Microsoft Warns of Surge in ACR Stealer Attacks on Enterprise Customers

Microsoft's threat intelligence team has flagged a significant spike in ACR Stealer campaigns targeting enterprise environments — harvesting browser-stored passwords, authentication tokens, and sensitive documents at scale.

Dylan H.

News Desk

July 18, 2026
3 min read

Microsoft has issued a warning to its customers about a notable surge in attacks using ACR Stealer, a commodity infostealer malware increasingly deployed against enterprise targets. The campaigns are harvesting browser-stored credentials, session tokens, and sensitive documents from compromised machines across a wide range of industries.

What Is ACR Stealer?

ACR Stealer is a widely-available malware-as-a-service (MaaS) infostealer sold on underground forums. It is capable of exfiltrating:

  • Browser credentials — saved passwords from Chrome, Edge, Firefox, and Brave
  • Authentication tokens — cookies and OAuth session tokens granting access to SaaS platforms
  • Cryptocurrency wallets — private keys and seed phrases from browser extensions
  • Sensitive files — documents matching attacker-defined filename patterns
  • System reconnaissance — hardware fingerprints, installed software lists, and screenshots

Its low barrier to entry makes it accessible to low-sophistication actors, but enterprise environments face elevated risk due to the volume of privileged credentials stored in browser profiles used by employees.

Current Attack Campaigns

Microsoft's threat intelligence team observed the surge across multiple delivery vectors:

  • Malvertising — fake software download pages ranking in search results for legitimate tools (VPNs, remote desktop clients, PDF editors)
  • Phishing emails — lure documents with embedded loaders disguised as invoices, shipping notices, and HR communications
  • Cracked software — trojanized installers distributed via torrent sites and grey-market download portals

Once deployed, ACR Stealer typically runs briefly, exfiltrates data to an attacker-controlled C2 server or Telegram bot, and deletes itself — leaving minimal forensic footprint.

Why Enterprise Environments Are High-Value Targets

Employees accessing corporate SaaS platforms (Microsoft 365, Salesforce, GitHub, AWS Console) through standard browsers create a treasure trove for stealers. A single stolen browser profile may contain:

  • Active Microsoft 365 session cookies bypassing MFA
  • GitHub tokens with repository write access
  • Cloud console credentials enabling lateral movement into infrastructure

Threat actors monetize these credentials through direct use, resale on initial access broker (IAB) markets, or downstream ransomware deployment.

Recommended Mitigations

For security teams:

  1. Deploy Credential Guard on Windows endpoints to isolate LSASS and reduce credential exposure.
  2. Enforce Conditional Access policies requiring compliant, managed devices — stolen session tokens from unmanaged machines become less useful.
  3. Enable Microsoft Defender for Endpoint behavioral detection rules targeting browser data access by unsigned processes.
  4. Audit browser-stored credentials — encourage use of enterprise password managers (Keeper, 1Password Business, Bitwarden Teams) instead of browser-native storage.
  5. Monitor for new OAuth token grants from unusual locations or devices — early indicator of cookie reuse attacks.
  6. Block known C2 infrastructure using Microsoft's threat indicator feeds and third-party threat intelligence.

For end users:

  • Never download software from unofficial sources.
  • Be skeptical of search-result ads for popular tools.
  • Use hardware security keys (FIDO2) where possible — they are phishing-resistant and immune to stolen session cookie attacks.

Broader Infostealer Landscape

ACR Stealer's rise mirrors broader infostealer market trends. Redline, Vidar, Lumma, and Raccoon have all seen significant deployment in enterprise-targeting campaigns over the past 18 months. The common thread is credential commoditization — harvested data is sold quickly, enabling rapid follow-on intrusions by separate threat actors.

Microsoft's warning signals that ACR Stealer has matured from a hobbyist tool into a mainstream enterprise threat. Organizations should treat it with the same urgency as more sophisticated APT tooling.

References

  • Microsoft Security Blog
  • BleepingComputer: Microsoft warns of surge in ACR Stealer attacks
#Malware#Microsoft#Infostealer#ACR Stealer#Enterprise Security

Related Articles

In a First, a Court Takedown Goes After Two Cybercrime Tools at Once

Microsoft and Europol dismantled both StealC and Amadey simultaneously in a single RICO filing — the first time a court-authorized takedown has targeted...

4 min read

Amadey and StealC Malware Networks Disrupted, 27 Million Stolen Credentials Recovered

A coordinated law enforcement operation backed by Bitdefender, Bitsight, ESET, and Microsoft has dismantled the infrastructure powering Amadey and StealC,...

4 min read

ClickLock: New macOS Infostealer Kills Apps Every 210ms to Force Password Entry

Group-IB researchers discovered ClickLock, a new macOS infostealer distributed via ClickFix lures that terminates all visible system processes in a loop until the victim surrenders their login password — with zero AV detections at discovery.

5 min read
Back to all News