ACR Stealer Campaigns: ClickFix Threats Rise
Summary
Microsoft reports increased ACR Stealer activity targeting enterprises through ClickFix social engineering, with two intrusion chains using WebDAV, Python loaders, MSHTA, obfuscated PowerShell, and steganography. The campaigns focus on stealing browser credentials, session tokens, and sensitive documents, making early detection and user awareness critical for defenders.
Introduction
Microsoft has published new research on a rise in ACR Stealer activity observed from late April to mid-June 2026. For IT and security teams, this matters because the malware is designed to steal browser credentials, authentication tokens, and enterprise documents that can lead to account compromise and broader cloud intrusion.
What’s new
Microsoft Defender Experts highlighted two prevalent ACR Stealer intrusion chains, both starting with ClickFix social engineering that tricks users into running attacker-supplied commands.
Campaign 1: WebDAV, Python loaders, and blockchain-backed C2
- Uses ClickFix prompts likely delivered through malvertising or manipulated search results.
- Launches cmd.exe and rundll32.exe to load a DLL from a remote WebDAV share over HTTPS.
- In some variants, uses pushd to map the remote WebDAV path as a local drive and conhost.exe --headless to reduce visibility.
- Runs heavily obfuscated PowerShell to download and install additional payloads.
- Deploys a bundled pythonw.exe loader, creates scheduled task persistence, and copies trusted file timestamps to reduce forensic visibility.
- In some cases, resolves command-and-control using blockchain dead-drop infrastructure.
Campaign 2: MSHTA, PowerShell, and steganography
- Takes a more fileless approach.
- Uses MSHTA to initiate execution.
- Relies on obfuscated PowerShell and steganography-assisted in-memory payload delivery.
- Still ends with the same objective: stealing credentials and sensitive enterprise data.
Impact on administrators
The biggest risk is not just credential theft, but what comes next. Stolen browser passwords, cookies, and session tokens can enable unauthorized access to Microsoft 365, cloud apps, and internal resources. Microsoft also notes that the malware targets files such as PDFs, Microsoft 365 documents, and content in OneDrive and SharePoint-synced folders.
Defender for Endpoint can help detect behaviors tied to these campaigns, including:
- Suspicious WebDAV and MSHTA activity
- Obfuscated PowerShell execution
- Scheduled task persistence
- In-memory payload execution
- Attempts to access browser credential stores
Recommended next steps
- Educate users to avoid ClickFix-style prompts that ask them to run commands.
- Hunt for rundll32, MSHTA, and PowerShell launched from unusual parent processes.
- Monitor for WebDAV connections, especially GUID-like paths and suspicious remote shares.
- Review endpoints for hidden or disguised scheduled tasks.
- Validate Defender detections for browser credential theft and living-off-the-land activity.
- Investigate access to sensitive files in OneDrive and SharePoint synced directories.
Organizations should treat the indicators and techniques in Microsoft’s report as representative of a broader and still-evolving ACR Stealer threat landscape.
Need help with Security?
Our experts can help you implement and optimize your Microsoft solutions.
Talk to an ExpertStay updated on Microsoft technologies