win.acr_stealer (Back to overview)

ACR Stealer


First introduced in March 2024, ACR Stealer is an information stealer sold as a Malware-as-a-Service (MaaS) on Russian-speaking cybercrime forums by a threat actor named "SheldIO". Researchers posit that this malware is an evolved version of the GrMsk Stealer, which likely aligns with the private stealer that SheldIO has been selling since July 2023. The malware, written in C++, is compatible with Windows 7 through 10, and the seller manages all command and control (C2) infrastructure. ACR Stealer can harvest system information, stored credentials, web browser cookies, cryptocurrency wallets, and configuration files for various programs. Additionally, it employs the dead drop resolver (DDR) technique to obfuscate the actual C2 infrastructure.

References
2026-03-12GdataJohn Dador
Endgame Harvesting: Inside ACRStealer’s Modern Infrastructure
ACR Stealer
2026-01-23BlackPointJack Patrick, Sam Decker
Novel Fake CAPTCHA Chain Delivering Amatera Stealer
ACR Stealer Amatera
2025-12-18CyderesRahul Ramesh
From Loader to Looter: ACR Stealer Rides on Upgraded CountLoader
ACR Stealer CountLoader
2025-10-16Swisscom B2B CSIRTMatthieu Gras, Swisscom B2B CSIRT
Swisscom TDR Intel Brief - Acreed: On-Chain C2 Evolution
ACR Stealer
2025-06-16ProofpointJeremy Hedges, Proofpoint Threat Research Team, Tommy Madjar
Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication
ACR Stealer Amatera
2024-08-08cybleCyble Research Labs
Double Trouble: Latrodectus and ACR Stealer observed spreading via Google Authenticator Phishing Site
ACR Stealer Latrodectus
2024-07-23FortinetFortinet
Exploiting CVE-2024-21412: A Stealer Campaign Unleashed
ACR Stealer Lumma Stealer Meduza Stealer
2024-04-29Twitter (@sekoia_io)sekoia
@sekoia_io's tweet about the (not so) new infostealer, named ACR Stealer
ACR Stealer
Yara Rules
[TLP:WHITE] win_acr_stealer_auto (20260504 | Detects win.acr_stealer.)
rule win_acr_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.acr_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acr_stealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * Each $sequence_N below is a short run of 32-bit x86 instruction bytes.
     * The disassembly listed under each string is documentation only; YARA
     * evaluates the hex pattern, not the comments.
     * "??" bytes are wildcards. They appear where an operand is an address or
     * immediate (e.g. the rel32 of an e8 call, the imm32 of a 68 push), which
     * presumably masks values that change between builds or load addresses.
     * "n" is the number of instructions in the sequence. "score" appears to
     * be yara-signator's ranking of the sequence at generation time; it is
     * not referenced by the condition, so all 16 strings weigh equally in
     * "7 of them".
     * Per the DISCLAIMER, the strings come from unpacked code and memory
     * dumps, so expect matches on unpacked payloads and dumped modules rather
     * than on packed or encrypted on-disk stages.
     */

    strings:
        $sequence_0 = { 891481 8b45f8 83c001 8945f8 8b4d08 51 e8???????? }
            // n = 7, score = 600
            //   891481               | mov                 dword ptr [ecx + eax*4], edx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   83c001               | add                 eax, 1
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_1 = { 8b55fc 0fb602 8b4df8 0fb611 2bc2 eb16 }
            // n = 6, score = 600
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   0fb602               | movzx               eax, byte ptr [edx]
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   0fb611               | movzx               edx, byte ptr [ecx]
            //   2bc2                 | sub                 eax, edx
            //   eb16                 | jmp                 0x18

        $sequence_2 = { 52 8d4508 50 e8???????? 8945d8 8955dc 6a00 }
            // n = 7, score = 600
            //   52                   | push                edx
            //   8d4508               | lea                 eax, [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   8955dc               | mov                 dword ptr [ebp - 0x24], edx
            //   6a00                 | push                0

        $sequence_3 = { 895510 eb94 33c0 8be5 5d c3 55 }
            // n = 7, score = 600
            //   895510               | mov                 dword ptr [ebp + 0x10], edx
            //   eb94                 | jmp                 0xffffff96
            //   33c0                 | xor                 eax, eax
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_4 = { 83c001 8945e4 8b4de4 3b4df8 7314 }
            // n = 5, score = 600
            //   83c001               | add                 eax, 1
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   3b4df8               | cmp                 ecx, dword ptr [ebp - 8]
            //   7314                 | jae                 0x16

        $sequence_5 = { 8d45e0 50 6803200100 8b4df8 e8???????? 0fb6c8 }
            // n = 6, score = 600
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax
            //   6803200100           | push                0x12003
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   e8????????           |                     
            //   0fb6c8               | movzx               ecx, al

        $sequence_6 = { 035508 81fa806cfa0b 7604 33c0 }
            // n = 4, score = 600
            //   035508               | add                 edx, dword ptr [ebp + 8]
            //   81fa806cfa0b         | cmp                 edx, 0xbfa6c80
            //   7604                 | jbe                 6
            //   33c0                 | xor                 eax, eax

        $sequence_7 = { 8b048a 50 e8???????? 83c404 ebc9 8b4dfc }
            // n = 6, score = 600
            //   8b048a               | mov                 eax, dword ptr [edx + ecx*4]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   ebc9                 | jmp                 0xffffffcb
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_8 = { 33c0 8bd1 0fa4f11f d1ea }
            // n = 4, score = 300
            //   33c0                 | xor                 eax, eax
            //   8bd1                 | mov                 edx, ecx
            //   0fa4f11f             | shld                ecx, esi, 0x1f
            //   d1ea                 | shr                 edx, 1

        $sequence_9 = { 0f57c0 6a01 0f1101 68???????? c7411000000000 c7411400000000 e8???????? }
            // n = 7, score = 300
            //   0f57c0               | xorps               xmm0, xmm0
            //   6a01                 | push                1
            //   0f1101               | movups              xmmword ptr [ecx], xmm0
            //   68????????           |                     
            //   c7411000000000       | mov                 dword ptr [ecx + 0x10], 0
            //   c7411400000000       | mov                 dword ptr [ecx + 0x14], 0
            //   e8????????           |                     

        $sequence_10 = { 68???????? 68???????? 6a03 83ec10 }
            // n = 4, score = 300
            //   68????????           |                     
            //   68????????           |                     
            //   6a03                 | push                3
            //   83ec10               | sub                 esp, 0x10

        $sequence_11 = { 5d c3 85f6 747e }
            // n = 4, score = 300
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   85f6                 | test                esi, esi
            //   747e                 | je                  0x80

        $sequence_12 = { 33c5 8945fc 56 8bf1 8b06 0fb600 }
            // n = 6, score = 300
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   0fb600               | movzx               eax, byte ptr [eax]

        $sequence_13 = { 41 03d8 8b849574ffffff d3e0 }
            // n = 4, score = 300
            //   41                   | inc                 ecx
            //   03d8                 | add                 ebx, eax
            //   8b849574ffffff       | mov                 eax, dword ptr [ebp + edx*4 - 0x8c]
            //   d3e0                 | shl                 eax, cl

        $sequence_14 = { 57 8b7e24 0bc7 741e 8bca 8bc7 83c1ff }
            // n = 7, score = 300
            //   57                   | push                edi
            //   8b7e24               | mov                 edi, dword ptr [esi + 0x24]
            //   0bc7                 | or                  eax, edi
            //   741e                 | je                  0x20
            //   8bca                 | mov                 ecx, edx
            //   8bc7                 | mov                 eax, edi
            //   83c1ff               | add                 ecx, -1

        $sequence_15 = { 3c5c 0fb6c8 b82f000000 0f44c8 47 880a }
            // n = 6, score = 300
            //   3c5c                 | cmp                 al, 0x5c
            //   0fb6c8               | movzx               ecx, al
            //   b82f000000           | mov                 eax, 0x2f
            //   0f44c8               | cmove               ecx, eax
            //   47                   | inc                 edi
            //   880a                 | mov                 byte ptr [edx], cl

    condition:
        // Fire when at least 7 of the 16 sequences are present AND the scanned
        // object is smaller than 2160640 bytes (2110 KiB). The threshold and
        // size cap are presumably chosen by yara-signator from the reference
        // sample(s); a larger artifact (for example a whole-process memory
        // image) will not match even if every sequence is present, so scan
        // unpacked files or individually dumped modules and record the
        // sequence count when triaging a hit, since a near-miss (5-6 strings)
        // may still be worth a manual look.
        7 of them and filesize < 2160640
}