Thehackernews
ACR Stealer Campaigns Exploit ClickFix and Steganography to Target Enterprises
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
From late April to mid-June 2026, ACR Stealer, a malware-as-a-service operation, has ramped up its activity targeting enterprise users by stealing browser credentials, session tokens, and sensitive documents. The attack leverages ClickFix social engineering techniques to deceive victims into executing malicious commands via the Windows Run dialog or command prompt. The malware exploits vulnerabilities in Chromium-based browsers, using the Windows Data Protection API (DPAPI) to decrypt stored passwords and cookies. Two primary intrusion chains have been identified, employing WebDAV-hosted payloads and obfuscated PowerShell scripts to evade detection. The malware establishes persistence through scheduled tasks disguised as software updates and employs techniques like EtherHiding for command-and-control resolution. Microsoft has confirmed the ongoing threat and the sophistication of the ACR Stealer campaigns, urging enterprises to bolster their defenses against these attacks.
Key Points: • ACR Stealer uses ClickFix lures to compromise enterprise systems. • The malware targets Chromium-based browsers to steal sensitive data. • Two distinct intrusion chains have been identified, utilizing advanced evasion techniques.