ACR Stealer Campaigns Exploit ClickFix and Steganography to Target Enterprises

ACR Stealer Campaigns Exploit ClickFix and Steganography to Target Enterprises

First seen 17 Jul 2026, 12:17 UTC Blogs.MicrosoftGbhackersThehackernewsFeeds.4Sysops 80% similarity 70.2

Article Content

Browse articles
ThreatCluster

From late April to mid-June 2026, ACR Stealer, a malware-as-a-service operation, has ramped up its activity targeting enterprise users by stealing browser credentials, session tokens, and sensitive documents. The attack leverages ClickFix social engineering techniques to deceive victims into executing malicious commands via the Windows Run dialog or command prompt. The malware exploits vulnerabilities in Chromium-based browsers, using the Windows Data Protection API (DPAPI) to decrypt stored passwords and cookies. Two primary intrusion chains have been identified, employing WebDAV-hosted payloads and obfuscated PowerShell scripts to evade detection. The malware establishes persistence through scheduled tasks disguised as software updates and employs techniques like EtherHiding for command-and-control resolution. Microsoft has confirmed the ongoing threat and the sophistication of the ACR Stealer campaigns, urging enterprises to bolster their defenses against these attacks.

Key Points: • ACR Stealer uses ClickFix lures to compromise enterprise systems. • The malware targets Chromium-based browsers to steal sensitive data. • Two distinct intrusion chains have been identified, utilizing advanced evasion techniques.

ThreatCluster AI

Timeline

2026-04-01
ACR Stealer activity surge begins
Increased reports of ACR Stealer targeting enterprise environments using ClickFix techniques.
Blogs.Microsoft
2026-06-15
ACR Stealer campaigns peak
Microsoft Defender Experts noted a significant rise in ACR Stealer incidents during this period.
Blogs.Microsoft
2026-07-17
ACR Stealer details published
Multiple cybersecurity outlets report on the tactics and techniques used by ACR Stealer, emphasizing the use of ClickFix and steganography.
Gbhackers

Community

Browse all →