Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareUsed by 3 actors

ACR Stealer

ACR Stealer is a malware-as-a-service (MaaS) information stealer written in C++ and active since 2024. It is described as a credential and data theft infostealer and has been linked to the SideCopy threat group. Reported theft capabilities include browser credentials, passwords, cookies, session tokens, sensitive files, system information, clipboard contents, installed antivirus details, and cryptocurrency wallet data. MS-ISAC reporting states it uses HTTP and TCP for command-and-control and can establish persistence via AutoRun registry keys or the Startup folder, depending on the host environment.

The malware has been observed as a final payload in multiple delivery chains and campaigns. Recent reporting ties it to ClearFake drive-by and fake CAPTCHA/paste-and-run campaigns, fake Claude/Claude Code installation pages promoted through Google Ads malvertising, cracked software and pirated game distribution chains, and RenEngine/HijackLoader-based infections delivered through trojanized Ren'Py launchers. It has also been referenced as a payload delivered through crypters and loaders including Hijack Loader and RenEngine Loader. One analyzed fake Claude infection chain involved fairpoint29.com, primemetricsa.com, a creativecommunityinfo.art subdomain, and post-infection traffic assessed as ACR Stealer-related.

The malware is also associated with the ACR Stealer-based Amatera MaaS platform, which is described as being based on ACR Stealer and sold as a subscription service. Reporting further notes ACR Stealer-related naming in darknet marketplace activity, including payload names such as acr-arab, acr-karma, and acr-xyphos, matching a product sold by SheldIO on the RAMP forum.

Observed targeting and victimology in related campaigns include broad opportunistic infections affecting Windows users, including users seeking pirated games, cracked applications, and fake software installers. Reported geographic impact in associated campaigns includes India, the United States, Brazil, Russia, Spain, Turkey, and Germany. High-confidence indicators directly mentioned in the content include SHA256 70b5ecc110e074dbca92932c0e840ea3492ea0a43c3f215b71392c12b02213b2, a14c3ecf5eb3d2543358482e43dc765dbf9ee7a4bec7571f5ecb8829ca719692, and 47fa746422f1bf6b7712dc6803378e6a995488007193a7441d790f70d204728f; domains and URLs fairpoint29.com, primemetricsa.com/1518925, 6ryuefl.creativecommunityinfo.art, and i.ibb.co/Xx16sbMz/init-block.jpg; and the detection name Trojan-PSW.Win32.ACRstealer.gen.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
ClearFake

ACR Stealer, a malware-as-a-service (MaaS) information stealer written in C++ that has been active since 2024, makes its debut in a tie for 6th thanks to its use as a payload in recent ClearFake campaigns.

via red canary blogredcanary.com
SheldIO

The top buyer @dearswa placed 24 orders for payloads named acr-arab , acr-karma , and acr-xyphos . The acr-* naming convention directly matches ACR Stealer , a Malware-as-a-Service product sold by SheldIO on the RAMP darknet forum.

via breakglass intelintel.breakglass.tech
SideCopy

ACR Stealer is a credential and data theft infostealer written in C++ and used by the SideCopy threat group.

via cisecurity blog msisca and eiisaccisecurity.org
MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583Acquire InfrastructureEvidence1

I've reliably found these sites through malicious ads in Google searches that lead to these pages, often concealed in URLs for sites.google[.]com

Initial Access

2 techniques
T1189Drive-by CompromiseEvidence3

Proofpoint observed Amatera Stealer distributed via ClearFake website injects in April and May 2025. ClearFake is a web inject activity cluster that compromises legitimate websites with malicious HTML and JavaScript.

T1195.002Compromise Software Supply ChainEvidence2

"malware distribution under the guise of game cheats and pirated software... distributing pirated games infected with... RenEngine, which was delivered... using a modified version of a Ren’Py engine-based game launcher."

Execution

2 techniques
T1059.001PowerShellEvidence1

Follow-up download, PowerShell script: SHA256 hash: a14c3ecf5eb3d2543358482e43dc765dbf9ee7a4bec7571f5ecb8829ca719692

T1204User ExecutionEvidence4

often using fake CAPTCHA lures to trick users into executing code via malicious copy and paste (paste and run, ClickFix, fakeCAPTCHA)

Privilege Escalation

1 technique
T1055Process InjectionEvidence2

"...HijackLoader leverages process doppelganging before launching ACR Stealer..."

Stealth

2 techniques
T1036MasqueradingEvidence1

Web page impersonating Claude with a button to "Download for Windows."

T1055Process InjectionEvidence2

"...HijackLoader leverages process doppelganging before launching ACR Stealer..."

Credential Access

2 techniques
T1555Credentials from Password StoresEvidence3

The latter, like many stealers these days, is interested in browser data and wallets.

T1555.003Credentials from Web BrowsersEvidence2

MITRE ATT&CK: T1555.003 -- Credentials from Password Stores: Web Browsers ... The embedded Payload.exe is a native C++ x64 credential stealer targeting: Google Chrome ... Microsoft Edge ... Brave Browser

Discovery

1 technique
T1082System Information DiscoveryEvidence2

"... as well as system information"

Collection

1 technique
T1115Clipboard DataEvidence1

"...exfiltration of ... clipboard contents..."

Command and Control

3 techniques
T1071.001Web ProtocolsEvidence1

Based on the C2 domain for post-infection traffic, this appears to be an infection for ACR Stealer... Domain for post-infection HTTPS traffic to C2 server

T1105Ingress Tool TransferEvidence1

What is interesting here is that instead of stealing data, Vidar actually downloads the ACR stealer.

T1568Dynamic ResolutionEvidence1

The malware author appears to directly connect to a hardcoded C2 instead of the previously seen C2 method utilizing intermediary dead-drop resolvers such as Steam, Telegram, or Google Docs.

Exfiltration

1 technique
T1041Exfiltration Over C2 ChannelEvidence1

"...facilitates the exfiltration of browser credentials and cookies, system details and clipboard contents, and cryptocurrency wallet information..."

INDICATORS OF COMPROMISE

IOCs tracked for this family

6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
6 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting
domain●●●●●●●●●●●●View more in app1 month ago
domain●●●●●●●●●●●●View more in app1 month ago
domain●●●●●●●●●●●●View more in app1 month ago
domain●●●●●●●●●●●●View more in app1 month ago
domain●●●●●●●●●●●●View more in app4 months ago
ip.v4●●●●●●●●●●●●View more in app4 months ago
ACTIVITY FEED

Recent activity

14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

14 SOURCESView more in app
sans iscNews
May 26, 2026
Possible ACR Stealer From Page Impersonating Claude

Information-stealing malware identified from post-infection C2 traffic associated with a fake Claude download page delivering Windows malware.

Read more
scworldNews
Mar 10, 2026
Amatera infostealer deployed via phony Claude Code guides | brief | SC Media

Stealer family referenced as the codebase/basis for the Amatera MaaS infostealer.

Read more
bleeping computerNews
Mar 6, 2026
Fake Claude Code install guides push infostealers in InstallFix attacks

Referenced as the apparent codebase Amatera Stealer is believed to be derived from; described as a stealer offered to criminals via a subscription/MaaS model.

Read more
breakglass intelNews
Mar 5, 2026
Cracking a Predictable DGA: Inside a 16,000-Bot PPI Operation Running on admin:admin123 - Breakglass Intelligence - Breakglass Intelligence

Credential-stealing malware sold as a Malware-as-a-Service offering and deployed through this PPI botnet by one of the buyers.

Read more
+10 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching6

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping15

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.