Microsoft is warning security teams about a rise in ACR Stealer intrusions that use fake verification prompts to turn ordinary browser activity into enterprise credential theft.
The company’s Defender Experts team observed increased ACR Stealer activity across customer environments from late April 2026 to mid-June 2026, according to a July 16 Microsoft Security Blog report. The campaigns begin with ClickFix-style social engineering, where a page tells the user to paste and run a command, then branch into delivery chains that abuse WebDAV, MSHTA, PowerShell, Python loaders, scheduled tasks, and in-memory payload execution.
The immediate risk is not limited to saved passwords. Microsoft says successful compromises can expose browser credentials, session tokens, authentication artifacts, PDFs, Microsoft 365 documents, and files synchronized through OneDrive or SharePoint. That makes the incident response closer to cloud-account containment and data-exposure triage than a routine malware cleanup.
How the ClickFix lure gets execution
ClickFix attacks work because they borrow the visual language of security checks, app installers, CAPTCHA pages, or troubleshooting instructions. Instead of exploiting a browser vulnerability, the page persuades the user to copy a command, open the Windows Run dialog or a shell, paste the command, and execute it.
That user action gives the attacker a clean initial execution path through built-in Windows tools. Microsoft links the ACR Stealer campaigns to malvertising or SEO-manipulated search results, which means a victim may arrive after searching for a legitimate app, document, update, or support workflow. Red Canary’s May threat intelligence report also placed ACR Stealer in the context of ClearFake campaigns, which use compromised websites and fake paste-and-run instructions to deliver malware.
That matters for defenders because the first useful detection point may not be a suspicious attachment or exploit attempt. It may be a Run-dialog history entry, a browser-to-command-shell handoff, or a user process launching cmd.exe, powershell.exe, rundll32.exe, or mshta.exe after visiting a recently registered or low-reputation site.
Two ACR Stealer chains, same target
Microsoft describes two prevalent ACR Stealer delivery chains. The first uses WebDAV and rundll32.exe. After the ClickFix command runs, the attacker loads a malicious DLL from a remote WebDAV share over HTTPS. In some variants, the command uses pushd to map the remote share to a temporary local drive, which can make remotely hosted content appear more like local execution.
The WebDAV paths Microsoft observed often use GUID-like directory structures and names that resemble ordinary resources, such as google.ct. More evasive variants add minimized or headless execution with conhost.exe --headless and environment-variable obfuscation to hide the core command components from casual review.
Once the initial DLL runs, the chain stages heavily obfuscated PowerShell, downloads a ZIP payload, extracts it under a deceptive directory in %LocalAppData%\Temp, and launches a bundled pythonw.exe loader. Microsoft says the installer can remove older deployments, create a hidden scheduled task disguised as a software update, copy timestamps from trusted Windows files, and clear PowerShell command history before injecting the final payload into a system process.
Some variants add a harder-to-remove command-and-control trick: blockchain-backed dead-drop resolution, often called EtherHiding. Instead of hardcoding a normal server address in every sample, the malware can query public blockchain or Web3 infrastructure for follow-on payload locations or updated C2 information. That gives operators more flexibility and can complicate takedown efforts.
The second chain is more fileless. It starts when the pasted command launches mshta.exe to retrieve remote HTA content. The HTA runs VBScript through COM objects, decodes PowerShell, creates a victim-specific identifier, disables certificate validation, and executes later stages in memory.
The most notable step is steganography. Instead of fetching an obvious script or binary, the malware retrieves a JPEG from an image-hosting service, extracts encrypted data hidden in the image pixels, decrypts and decompresses it, then runs the payload reflectively in memory. The Hacker News separately highlighted the same image-based delivery path and tied Microsoft’s indicators to earlier public reporting on fake Claude-themed lures.
Why browser tokens change the response
ACR Stealer’s value to attackers comes from what modern browsers and cloud workstations hold. The malware targets Chromium-based browser stores, including Chrome and Edge databases such as Login Data and Web Data, then uses Windows DPAPI activity to recover locally stored secrets. The goal includes passwords, cookies, session tokens, authentication artifacts, and files that may already be available on the device through synced enterprise folders.
That breaks the old playbook where a password reset alone was often treated as sufficient. A stolen session token may let an attacker resume access without knowing the new password. A compromised browser profile can also reveal which cloud apps the user touches, which accounts are privileged, and which OneDrive or SharePoint documents were locally cached or synchronized.
For enterprises, the blast radius depends heavily on browser policy and identity controls. A developer, finance employee, executive assistant, or IT admin who stores privileged web credentials in a browser creates a different response problem than a standard user with narrow app access. The same is true for endpoints with broad sync coverage across Microsoft 365 folders.
What security teams should check now
Microsoft’s guidance starts with user awareness, but the practical response has to be technical. Teams should hunt for ClickFix and paste-and-run behavior, especially commands launched through Explorer, browser-adjacent processes, or Run-dialog artifacts that invoke rundll32.exe, mshta.exe, powershell.exe, cmd.exe, or Python from user-writable paths.
- Look for
rundll32.exeloading remote WebDAV paths, especially HTTPS WebDAV shares with GUID-style directories or unusual file names. - Review
pushduse that maps remote shares to temporary local drive letters before execution. - Investigate
mshta.exefetching remote HTA content, especially when launched from PowerShell or after browser-driven activity. - Search for hidden or suspicious scheduled tasks that look like software updates and run at user sign-in.
- Flag PowerShell history clearing, timestomping, excessive obfuscation, and bundled Python runtimes under
%LocalAppData%orTemp. - Monitor abnormal access to Chromium credential databases, Windows DPAPI decryption patterns, and compression or staging of PDFs and Microsoft 365 documents.
Endpoint hardening should focus on the tools the campaign abuses. Application control and attack-surface reduction rules can limit untrusted execution through PowerShell, Python, MSHTA, and Rundll32, particularly from Downloads, Temp, and other user-writable locations. Web filtering and DNS controls can reduce exposure to malvertising, newly observed domains, image-hosting abuse, and low-reputation payload infrastructure.
Identity response should assume token theft until evidence says otherwise. If ACR Stealer execution is confirmed or strongly suspected, isolate the device, revoke active sessions, rotate credentials, invalidate refresh tokens where possible, review conditional-access sign-ins, and check for unusual Microsoft 365, SharePoint, OneDrive, and cloud-console activity from the affected account.
Browser policy is part of the fix. Organizations should reconsider which users are allowed to store corporate passwords in browsers, require managed password managers where appropriate, separate privileged accounts from everyday browsing, and reduce local sync exposure for sensitive document libraries. Multifactor authentication still matters, but it does not erase the risk of stolen cookies or tokens from an already-authenticated device.
The ACR Stealer campaigns show why social engineering, living-off-the-land tools, and token theft now belong in the same defense conversation. The lure may look like a fake verification page, but the result can be a cloud-account incident with stolen browser sessions and enterprise documents already staged for exfiltration.