New ACRStealer Variant Enhances Evasion Techniques and Threat Level

New ACRStealer Variant Enhances Evasion Techniques and Threat Level

First seen 16 Mar 2026, 15:07 UTC GbhackersCybersecuritynews 88% similarity 64.5

Article Content

Browse articles
ThreatCluster

A newly identified variant of ACRStealer is actively being deployed by HijackLoader, utilizing advanced techniques to evade detection and maximize data theft. This variant employs low-level syscall evasion, AFD-based networking, and encrypted TLS communication for command and control (C2). It is a rebranded version of a previously known ACRStealer variant linked to the Amatera Stealer. The attack method allows for flexible secondary payload delivery, increasing its effectiveness against targeted systems. As of March 16, 2026, the threat remains active, with ongoing concerns about its impact on various organizations. Specific numbers of affected systems or data breaches have not been disclosed in the articles. Security professionals are urged to remain vigilant against this evolving threat.

Key Points: • The new ACRStealer variant uses syscall evasion and TLS for C2 communication. • It is deployed by HijackLoader and is a rebranded version of the Amatera Stealer. • The threat is currently active with no specific numbers on affected systems reported.

ThreatCluster AI

Timeline

2025-01-05
First report of ACRStealer variant linked to Amatera Stealer
2026-03-16
New ACRStealer variant reported with enhanced evasion techniques

Community

Browse all →