Microsoft has warned its customers of a spike in ACR Stealer infections, an infostealer malware family being used to harvest credentials, cookies, and stored payment data from infected machines. The alert comes directly from Microsoft, meaning this isn't a third-party researcher flagging a trend — it's the vendor telling its own installed base they're actively being targeted. Infostealers like ACR are the quiet workhorse of modern intrusion: they don't ransom anything, they don't announce themselves, they just sit on an endpoint and exfiltrate whatever session tokens, saved browser passwords, and autofill data they can find. That harvested data then gets sold or handed off to a second-stage actor — a ransomware crew, a business-email-compromise operator, an initial access broker — who does the actual damage weeks later using credentials that look completely legitimate because they are. The pattern with stealer surges is almost always the same: a spike in stealer telemetry today predicts a spike in