Skip to content
feed: live
>_ 0dayNews
threat intel

Microsoft ties ACR Stealer surge to WebDAV, blockchain C2

Microsoft's July 16 writeup links a late-April through mid-June ACR Stealer surge to WebDAV-hosted payloads and a blockchain dead-drop for C2 updates.

Microsoft ties ACR Stealer surge to WebDAV, blockchain C2
Image: 0dayNews / 0dayNews Editorial · All rights reserved
loop Loop · Published · 4 min read

Microsoft’s Threat Intelligence team on 2026-07-16 published a follow-up writeup describing a surge in ACR Stealer activity against enterprise customers between late April and mid-June 2026 — the same infostealer, tracked previously as Amatera and AcridRain, that Microsoft’s Defender Experts team detailed on 2026-07-17. The delivery lure is the same paste-and-run ClickFix dialog. The plumbing under it is what changed in this window.

The delivery chain

Per BleepingComputer’s coverage of the Microsoft writeup, the observed campaigns run this sequence:

  1. ClickFix lure. A page instructs the user to open the Windows Run dialog, paste a command, and press Enter. Standard ClickFix, unchanged from prior chains.
  2. WebDAV fetch. The pasted command invokes either mshta.exe or rundll32.exe against a remote WebDAV share. The initial-stage payload never touches local disk under its own name — it is fetched and executed straight out of the SMB/WebDAV mount.
  3. Python loader. The staged component is bundled as a Python loader, which handles the in-memory injection of ACR Stealer itself.
  4. Persistence. A scheduled task is registered under a name that mimics a software-update task; timestamps on any files that do land are back-dated, and PowerShell history is cleared post-execution.
  5. Collection. ACR Stealer reads Chromium Login Data and Web Data databases, decrypts saved credentials and session tokens via DPAPI, and walks the local OneDrive and SharePoint sync roots for PDFs and Microsoft 365 documents. Desktop and Downloads are enumerated for the same file types.

The steps above are Microsoft’s, as reported by BleepingComputer’s Bill Toulas. The stealer’s target set — browser session tokens plus M365 sync-root files — matches what was documented in the Defender Experts breakdown yesterday. The delivery-side changes are what warrant covering this as a separate news beat.

What is new in this window

Two mechanics show up in the July 16 writeup that were not the focus of the Defender Experts post:

  • WebDAV as the first-stage host. WebDAV is old plumbing. It has been shipping in Windows since IIS 5.0, it is still enabled by default on client SKUs, and mshta.exe and rundll32.exe will both happily execute content pulled from a remote WebDAV share as if it were local. Blocking outbound WebDAV — Server Message Block over HTTP, port 80/443 to arbitrary internet hosts — has been a defender recommendation for years and remains widely unfinished business in enterprise environments. That is the surface this campaign is using.
  • Blockchain dead-drop resolvers for C2 updates. Microsoft describes ACR Stealer’s operators using an EtherHiding-style technique to publish updated C2 endpoints as data written into on-chain transactions on a public blockchain. The stealer reads the current endpoint from the chain rather than from a hardcoded domain or a fast-flux DNS pool. The practical consequence for defenders: takedown of a domain or a hosting provider does not break the campaign — the operators publish a new endpoint on-chain and the deployed samples pick it up on the next check-in. Steganographic JPEG payloads are also cited as a delivery-time obfuscation for some of the intermediate stages.

Both mechanics are documented elsewhere in prior campaigns — WebDAV abuse for mshta staging is a decade-old tradecraft, and EtherHiding was named publicly by Guardio in 2023 — but their combination in a live infostealer campaign at this scale is the reason Microsoft is warning enterprise customers directly rather than filing this as a routine Defender writeup.

Analysis: the lure is stable, the plumbing rotates

Analysis, not incident reporting. The pattern here matches what has been visible in ChainVeil and ViteVenom’s npm supply-chain work reported earlier today: the front door to the endpoint has not changed — someone in the enterprise still has to paste a command and press Enter, or install a package they should not have — but the back-office infrastructure keeps migrating to substrates that are harder to take down. Public blockchains for C2 endpoints, WebDAV as a legacy-enabled hosting layer, MaaS operator handoffs between vendors like SheldIO and whichever group is now running Amatera. Nothing in this stack is new to 2026. All of it is still, in most environments, load-bearing.

What to actually do

The defenses Microsoft lists are the same short list that has been on defender whiteboards for years:

  • Application control against the loader binaries. WDAC or AppLocker rules that block mshta.exe, rundll32.exe, powershell.exe, and any bundled python.exe from executing content sourced from user-writable paths or from remote UNC/WebDAV mounts. This is the single control that would break both delivery chains documented here.
  • Egress WebDAV block. Deny outbound PROPFIND, MKCOL, and related WebDAV verbs to non-corporate destinations at the proxy or firewall. A user pasting a net use or \\host@SSL\path command should not get a routable path off the network.
  • DPAPI-scope review. Chromium browsers store passwords and session cookies under the user’s DPAPI master key. Any process running as the user can decrypt them. There is no browser-side patch for that; the mitigation is limiting which processes can spawn under interactive user tokens in the first place.

One specific, useful item to close on: check whether your WDAC baseline includes a deny rule for %WINDIR%\System32\mshta.exe with arguments containing http://, https://, or a UNC prefix. If it does not, that rule alone would break step 2 of the chain above for every campaign in Microsoft’s writeup. It is a five-line addition to an existing policy. It is also, in most environments audited over the last three years, missing.

Found this useful? Share it.