ACR Stealer
First introduced in March 2024, ACR Stealer is an information stealer sold as Malware-as-a-Service (MaaS) on Russian-speaking cybercrime forums by a threat actor named "SheldIO". Researchers posit that this malware is an evolved version of the GrMsk Stealer, which likely aligns with the private stealer that SheldIO has been selling since July 2023. The malware is written in C++ and is compatible with Windows 7 through 10; the seller manages all command and control (C2) infrastructure. ACR Stealer can harvest system information, stored credentials, web browser cookies, cryptocurrency wallets, and configuration files for various programs. It also employs the dead drop resolver (DDR) technique to obfuscate the actual C2 infrastructure.
C2 Infrastructure
Last 7 days
| Date | C2 Hosts |
|---|---|
| Jun 14, 2026 | 2 |
Further Reading
Blackpoint's SOC uncovers a sophisticated Fake CAPTCHA campaign delivering Amatera Stealer through signed Microsoft scripts, steganography, and layered evasion.
Discover how the latest CountLoader variant facilitates a multistage malware attack, culminating in the deployment of the ACR Stealer for credential theft.