Back to Intelligence

Defending Against the Surge in ACR Stealer Attacks: Detection and Incident Response

SA
Security Arsenal Team
July 18, 2026
5 min read

Microsoft has issued a critical warning regarding a significant surge in attacks leveraging the "ACR Stealer" malware against enterprise customers. This information-stealing campaign represents a tangible threat to corporate identity infrastructure. By targeting browser-stored passwords, authentication cookies, and sensitive documents, ACR Stealer facilitates initial access hijacking and lateral movement. Unlike legacy malware focused on persistence, this threat aims for rapid data exfiltration to monetize valid credentials immediately. Defenders must prioritize the detection of anomalous browser data access and immediate session revocation to contain the impact.

Technical Analysis

Threat Type: Information Stealer (Infostealer) Target: Windows-based enterprise endpoints Primary Vector: Phishing campaigns, malicious attachments, or deceptive software downloads leading to executable execution.

Attack Mechanics

ACR Stealer operates as a standard infostealer with a focus on popular web browsers (Chrome, Edge, Firefox) and cryptocurrency wallets. Upon execution, the malware typically performs the following:

  1. Discovery: Queries the file system for specific browser directories (e.g., \Users\<user>\AppData\Local\Google\Chrome\User Data\Default\).
  2. Extraction: Locates and decrypts SQLite database files such as Login Data (credentials) and Cookies (session tokens).
  3. Data Theft: Scans the user's file system for sensitive document extensions (e.g., .pdf, .docx, .txt) often found in Documents and Desktop folders.
  4. Exfiltration: Transmits the stolen archives to an attacker-controlled Command and Control (C2) server via HTTPS.

Exploitation Status: Confirmed active exploitation. Microsoft telemetry indicates a spike in enterprise detections, suggesting the threat actors have successfully bypassed basic email filtering and are evading detection via process masquerading or obfuscation.

Detection & Response

Sigma Rules

YAML
---
title: Potential Browser Credential Theft via Non-Browser Process
id: 8f4d9a12-1c3e-4b5a-9f6d-7e8c9a0b1c2d
status: experimental
description: Detects non-browser processes accessing browser credential databases (Login Data), a common behavior of stealers like ACR.
references:
  - https://attack.mitre.org/techniques/T1555/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.credential_access
  - attack.t1555.003
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Google\Chrome\User Data\Default\Login Data'
      - '\Microsoft\Edge\User Data\Default\Login Data'
      - '\Mozilla\Firefox\Profiles\logins.'
  filter:
    Image|contains:
      - 'chrome.exe'
      - 'msedge.exe'
      - 'firefox.exe'
  condition: selection and not filter
falsepositives:
  - Legitimate backup software or security scanners accessing browser data
level: high
---
title: Suspicious Process Executing from User AppData Roaming
id: 9e5e0b23-2d4f-5c6b-0a7e-8f9d1a2b3c4e
status: experimental
description: Detects execution of unsigned binaries from the user's Roaming AppData directory, a common drop location for ACR Stealer payloads.
references:
  - https://attack.mitre.org/techniques/T1547/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1547.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains: '\AppData\Roaming\'
    Image|endswith: '.exe'
  filter:
    Image|contains:
      - '\Microsoft\Windows\Start Menu\Programs\Startup'
      - '\Google\Chrome\Application'
      - '\Microsoft\Edge\Application'
      - '\Mozilla Firefox'
  condition: selection and not filter
falsepositives:
  - Legitimate software installers or updates located in user profile
level: medium
---
title: PowerShell Suspicious Download String Common in Stealer Loaders
id: a1f2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects PowerShell commands often used in downloaders to fetch infostealer payloads like ACR.
references:
  - https://attack.mitre.org/techniques/T1059.001/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'IEX'
      - 'DownloadString'
  condition: selection
falsepositives:
  - Administrative scripts
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for processes accessing sensitive browser files
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName in~ ("Login Data", "Cookies", "Web Data")
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "opera.exe")
| extend DeviceCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ActionType

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious executables in user AppData/Roaming created recently
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs='C:/Users/*/AppData/Roaming/*/*.exe')
WHERE Mtime > now() - 7days
  AND NOT IsDir
  AND Mode =~ "rwx"

-- Hunt for processes accessing Chrome Login Data
SELECT Name, Pid, UserName, Cmdline
FROM pslist()
WHERE Cmdline =~ 'Chrome\\User Data\\Default\\Login Data'
   AND NOT Name =~ 'chrome.exe'

Remediation Script (PowerShell)

PowerShell
# ACR Stealer Response Script
# Requires Administrator privileges

Write-Host "Starting ACR Stealer containment process..." -ForegroundColor Cyan

# 1. Identify common user paths for suspicious executables (AppData/Roaming and AppData/Local)
$suspiciousPaths = @(
    "$env:APPDATA\*.exe",
    "$env:LOCALAPPDATA\Temp\*.exe"
)

Write-Host "Scanning for recently created executables in user profiles..." -ForegroundColor Yellow
# Note: In a real IR scenario, hash verification against threat intelligence is preferred before deletion.
# This script lists potential artifacts for manual review.

Get-ChildItem -Path $env:APPDATA -Filter *.exe -Recurse -ErrorAction SilentlyContinue | 
Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } | 
Select-Object FullName, LastWriteTime, Length

# 2. Check for persistence in Run Keys
Write-Host "Checking Registry Run Keys for suspicious persistence..." -ForegroundColor Yellow
$runPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

foreach ($path in $runPaths) {
    if (Test-Path $path) {
        Get-ItemProperty -Path $path | 
        Get-Member -MemberType NoteProperty | 
        Where-Object { $_.Name -notlike "PS*" } | 
        ForEach-Object { 
            $propName = $_.Name
            $propValue = (Get-ItemProperty -Path $path).$propName
            Write-Host "Key: $path | Value: $propName | Data: $propValue" -ForegroundColor White
        }
    }
}

Write-Host "Remediation script complete. Analyze output and verify hashes before deletion." -ForegroundColor Green

Remediation

  1. Immediate Isolation: Isolate affected endpoints from the network immediately upon detection to prevent further C2 communication or lateral movement.
  2. Credential Reset: Assume all browser-stored credentials and session tokens on the infected host are compromised. Force a password reset for the affected user's corporate account and any personal accounts used for work (e.g., SSO, banking).
  3. Token Revocation: Revoke all active OAuth tokens and sessions for the affected user from the Identity Provider (IdP) portal (e.g., Entra ID, Okta).
  4. Artifact Removal:
    • Delete the malicious payload executable (often located in %APPDATA% or %TEMP%).
    • Remove any persistence mechanisms established in the Windows Registry Run keys or Startup folders.
  5. Browser Hygiene: Instruct users to clear all browsing data (cookies, cache, saved passwords) on the affected machine post-sanitization.
  6. Hunt for Scope: Expand the search to other systems on the same subnet to determine if lateral movement occurred prior to isolation.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionacr-stealerinfostealercredential-theftmicrosoft-defenderbrowser-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.