SheldIO
SheldIO is a cybercriminal threat actor associated with the sale and marketing of ACR Stealer (AcridRain) and its successor/rebrand Amatera Stealer as Malware-as-a-Service (MaaS). The actor is explicitly described as selling Amatera Stealer on Telegram and previously marketing ACR Stealer on underground forums, including the RAMP darknet forum. Amatera is described as a rebranded version of ACR Stealer and, in later reporting, as lineage malware descending from ACR Stealer through GrMsk Stealer. Reporting links SheldIO to the Russian-speaking MaaS ecosystem. The malware associated with SheldIO is an information stealer focused on credential theft, browser data, cryptocurrency wallets, messaging data, password manager material, and sensitive files. Observed Amatera capabilities include in-memory execution via multi-stage PowerShell or fileless loader chains, reflective loading, string encryption, direct or indirect syscall-based evasion including RecycledGate/FreshyCalls-style syscall resolution, anti-debugging, anti-analysis checks, geofencing for Ukrainian keyboard layouts and Kaspersky-related environments, and encrypted command-and-control communications. Reported theft scope includes browser credentials and cookies, wallet browser extensions, desktop cryptocurrency wallets, Discord and Signal data, password manager files, FTP credentials, email service tokens, system fingerprinting data, and file collection from victim Downloads directories. Known aliases and related names directly mentioned in the content include SheldIO, ACR Stealer, AcridRain Stealer, and Amatera Stealer. The content does not provide high-confidence evidence of nation-state affiliation.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Financial Services
Tradecraft
6 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
2 malware families attributed to this actor across reporting.
Observables
48 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Associated with marketing ACR (AcridRain) Stealer as a Malware-as-a-Service offering; the content links SheldIO to the earlier branding of the Amatera Stealer malware family.
Operates and sells the Amatera MaaS infostealer on Telegram. Amatera is positioned as a Lumma successor and is used in the InstallFix malvertising campaign to steal browser credentials, cookies, session tokens, cryptocurrency wallets, messaging sessions, password manager data, FTP/email tokens, and system fingerprinting data.
Malware-as-a-Service seller associated with ACR Stealer on the RAMP forum; referenced as part of the ecosystem supplying payloads to the duboki PPI operation.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.