Microsoft has issued a warning to its customers about a notable surge in attacks using ACR Stealer, a commodity infostealer malware increasingly deployed against enterprise targets. The campaigns are harvesting browser-stored credentials, session tokens, and sensitive documents from compromised machines across a wide range of industries.
What Is ACR Stealer?
ACR Stealer is a widely-available malware-as-a-service (MaaS) infostealer sold on underground forums. It is capable of exfiltrating:
- Browser credentials — saved passwords from Chrome, Edge, Firefox, and Brave
- Authentication tokens — cookies and OAuth session tokens granting access to SaaS platforms
- Cryptocurrency wallets — private keys and seed phrases from browser extensions
- Sensitive files — documents matching attacker-defined filename patterns
- System reconnaissance — hardware fingerprints, installed software lists, and screenshots
Its low barrier to entry makes it accessible to low-sophistication actors, but enterprise environments face elevated risk due to the volume of privileged credentials stored in browser profiles used by employees.
Current Attack Campaigns
Microsoft's threat intelligence team observed the surge across multiple delivery vectors:
- Malvertising — fake software download pages ranking in search results for legitimate tools (VPNs, remote desktop clients, PDF editors)
- Phishing emails — lure documents with embedded loaders disguised as invoices, shipping notices, and HR communications
- Cracked software — trojanized installers distributed via torrent sites and grey-market download portals
Once deployed, ACR Stealer typically runs briefly, exfiltrates data to an attacker-controlled C2 server or Telegram bot, and deletes itself — leaving minimal forensic footprint.
Why Enterprise Environments Are High-Value Targets
Employees accessing corporate SaaS platforms (Microsoft 365, Salesforce, GitHub, AWS Console) through standard browsers create a treasure trove for stealers. A single stolen browser profile may contain:
- Active Microsoft 365 session cookies bypassing MFA
- GitHub tokens with repository write access
- Cloud console credentials enabling lateral movement into infrastructure
Threat actors monetize these credentials through direct use, resale on initial access broker (IAB) markets, or downstream ransomware deployment.
Recommended Mitigations
For security teams:
- Deploy Credential Guard on Windows endpoints to isolate LSASS and reduce credential exposure.
- Enforce Conditional Access policies requiring compliant, managed devices — stolen session tokens from unmanaged machines become less useful.
- Enable Microsoft Defender for Endpoint behavioral detection rules targeting browser data access by unsigned processes.
- Audit browser-stored credentials — encourage use of enterprise password managers (Keeper, 1Password Business, Bitwarden Teams) instead of browser-native storage.
- Monitor for new OAuth token grants from unusual locations or devices — early indicator of cookie reuse attacks.
- Block known C2 infrastructure using Microsoft's threat indicator feeds and third-party threat intelligence.
For end users:
- Never download software from unofficial sources.
- Be skeptical of search-result ads for popular tools.
- Use hardware security keys (FIDO2) where possible — they are phishing-resistant and immune to stolen session cookie attacks.
Broader Infostealer Landscape
ACR Stealer's rise mirrors broader infostealer market trends. Redline, Vidar, Lumma, and Raccoon have all seen significant deployment in enterprise-targeting campaigns over the past 18 months. The common thread is credential commoditization — harvested data is sold quickly, enabling rapid follow-on intrusions by separate threat actors.
Microsoft's warning signals that ACR Stealer has matured from a hobbyist tool into a mainstream enterprise threat. Organizations should treat it with the same urgency as more sophisticated APT tooling.