Microsoft Defender Experts says two ACR Stealer campaigns observed from late April through mid-June 2026 are using ClickFix prompts to turn ordinary browser activity into enterprise credential theft. The immediate risk is not merely a malware alert: successful infections can expose Chromium browser passwords, session cookies, authentication tokens, Microsoft 365 documents, PDFs, and data synchronized through OneDrive or SharePoint.
Microsoft Security Research detailed the activity on July 16, identifying a shared initial-access tactic and two sharply different payload chains. In both cases, victims are reportedly pushed through malvertising or SEO-poisoned search results to a fake verification prompt that tells them to paste and run a command. That user action hands attackers a trusted Windows execution path before traditional phishing controls have much opportunity to intervene.
ACR Stealer, reportedly a rebrand of Amatera Stealer and offered as malware-as-a-service, is the end payload. Microsoft’s attribution rests on the observed post-compromise behavior and infrastructure intelligence, and the company stresses that the two chains are representative rather than an exhaustive map of active ACR Stealer activity.
ClickFix is a social-engineering technique built around a disarmingly simple premise: a website claims the user must complete a CAPTCHA, repair a browser issue, or verify they are human, then provides a command to copy into Windows Run, Command Prompt, or PowerShell. The execution is performed by the victim, using legitimate Windows components, which is precisely why the model remains effective.
For Windows administrators, the defining signal is a browser-driven command chain involving tools that have legitimate uses but are rarely needed in normal end-user workflows. Microsoft specifically calls out
The campaigns make the initial instruction look mundane while hiding a multi-stage attack behind it. Training should therefore move beyond generic “do not click suspicious links” guidance. Users should be told explicitly that legitimate sites do not require them to paste commands into Windows to pass a verification check.
Microsoft observed more concealed versions that launch through
After the DLL loads, the chain launches heavily obfuscated PowerShell. The next stage downloads a ZIP archive into a deceptive
Persistence arrives through a hidden scheduled task masquerading as a software update and configured to run at user sign-in. The installer also copies timestamps from
The Python stage is more than a launcher. Microsoft says it dynamically reconstructs and decodes its payload using several layers of string manipulation, Base64 decoding, and zlib decompression. The final loader allocates executable memory with
That combination creates a useful hunting narrative: a suspicious WebDAV path, followed by
This does not mean every blockchain connection is suspect. It does mean that organizations with no business need for Web3 or blockchain RPC traffic should treat it as an investigation priority when it appears alongside Python, PowerShell, browser-data access, or unfamiliar scheduled tasks.
The operational benefit for attackers is clear: infrastructure can be changed without redeploying the original malware. That makes domain blocking alone less durable and reinforces the need for behavior-based endpoint detections.
The PowerShell stage uses randomized variables, dead loops, no-op arithmetic, misleading control flow, and custom encryption. Microsoft says it generates a victim-specific identifier, disables certificate validation, and executes downloaded content directly in memory.
Instead of pulling down an obvious second-stage script, this chain retrieves a JPEG from an image-hosting service. The malicious PowerShell extracts payload data hidden in the image pixels, decrypts and decompresses it, then uses dynamically resolved Windows APIs such as
The technique matters because image retrieval can blend into expected web traffic, while steganography makes a file inspection less revealing. The absence of a conventional executable on disk also limits the value of detection strategies centered solely on file hashes and static signatures.
For enterprises, stolen session cookies and tokens can be as consequential as passwords. They can enable attackers to impersonate an authenticated session, access cloud resources, or establish a foothold for follow-on activity before a password reset alone closes the gap.
The malware also searches for high-value files, including PDFs, Office documents, Desktop and Downloads content, and synchronized OneDrive and SharePoint data. Collection is followed by archiving, a strong indication that attackers are preparing data for exfiltration rather than merely conducting local reconnaissance.
Organizations using Microsoft Defender XDR should hunt for process and network sequences rather than depending solely on the supplied indicators of compromise. The most useful areas to prioritize are:
If an endpoint is suspected of compromise, isolate it quickly, remove persistence, rotate affected credentials, and revoke potentially exposed session tokens. With ACR Stealer, the decisive question is not whether a malicious file was deleted; it is whether the browser-held identity material and enterprise documents accessed after the ClickFix prompt have already been used elsewhere.
Microsoft Security Research detailed the activity on July 16, identifying a shared initial-access tactic and two sharply different payload chains. In both cases, victims are reportedly pushed through malvertising or SEO-poisoned search results to a fake verification prompt that tells them to paste and run a command. That user action hands attackers a trusted Windows execution path before traditional phishing controls have much opportunity to intervene.
ACR Stealer, reportedly a rebrand of Amatera Stealer and offered as malware-as-a-service, is the end payload. Microsoft’s attribution rests on the observed post-compromise behavior and infrastructure intelligence, and the company stresses that the two chains are representative rather than an exhaustive map of active ACR Stealer activity.
The ClickFix Prompt Is the Entry Point Administrators Must Stop
ClickFix is a social-engineering technique built around a disarmingly simple premise: a website claims the user must complete a CAPTCHA, repair a browser issue, or verify they are human, then provides a command to copy into Windows Run, Command Prompt, or PowerShell. The execution is performed by the victim, using legitimate Windows components, which is precisely why the model remains effective.For Windows administrators, the defining signal is a browser-driven command chain involving tools that have legitimate uses but are rarely needed in normal end-user workflows. Microsoft specifically calls out
cmd.exe, rundll32.exe, PowerShell, mshta.exe, and Python as components used across these intrusions.The campaigns make the initial instruction look mundane while hiding a multi-stage attack behind it. Training should therefore move beyond generic “do not click suspicious links” guidance. Users should be told explicitly that legitimate sites do not require them to paste commands into Windows to pass a verification check.
WebDAV Turns a Remote DLL Into a Local-Looking Execution Chain
The first campaign usesrundll32.exe to load a DLL hosted on a remote WebDAV share over HTTPS. In some variants, the attacker uses pushd to map that WebDAV location to a temporary drive letter, making remotely hosted code appear to execute from a local path.Microsoft observed more concealed versions that launch through
conhost.exe --headless, suppressing the visible console window. Environment-variable obfuscation and delayed expansion then mask strings such as the remote host name, pushd, and rundll32, reducing the value of simple command-line searches.After the DLL loads, the chain launches heavily obfuscated PowerShell. The next stage downloads a ZIP archive into a deceptive
%LocalAppData%\Temp directory such as LogiOptionsPlus, starts a bundled pythonw.exe process without a console window, and removes earlier deployments like a software updater would.Persistence arrives through a hidden scheduled task masquerading as a software update and configured to run at user sign-in. The installer also copies timestamps from
notepad.exe to its deployed files and clears PowerShell history, two moves intended to make post-incident review less straightforward.The Python stage is more than a launcher. Microsoft says it dynamically reconstructs and decodes its payload using several layers of string manipulation, Base64 decoding, and zlib decompression. The final loader allocates executable memory with
VirtualAlloc and uses the Windows Fiber API — including ConvertThreadToFiber, CreateFiber, and SwitchToFiber — to execute shellcode in memory.That combination creates a useful hunting narrative: a suspicious WebDAV path, followed by
rundll32.exe, then obfuscated PowerShell, a Python runtime in a temporary directory, and a newly created “update” task is far more meaningful than any one element alone.Blockchain Resolution Complicates the First Chain
A subset of the WebDAV-based intrusions added an EtherHiding-style dead-drop resolver. Rather than hard-coding a command-and-control destination, an additional Python component contacted public blockchain RPC endpoints and third-party Web3 infrastructure, apparently retrieving follow-on payload data or command-and-control information stored on a public ledger.This does not mean every blockchain connection is suspect. It does mean that organizations with no business need for Web3 or blockchain RPC traffic should treat it as an investigation priority when it appears alongside Python, PowerShell, browser-data access, or unfamiliar scheduled tasks.
The operational benefit for attackers is clear: infrastructure can be changed without redeploying the original malware. That makes domain blocking alone less durable and reinforces the need for behavior-based endpoint detections.
The Second Chain Avoids Disk Artifacts With MSHTA and a JPEG Payload
The second campaign reaches the same credential-theft objective with less conventional tooling. A ClickFix instruction launchesmshta.exe, which retrieves remote HTA content. Embedded VBScript then abuses COM objects to decode and start an obfuscated PowerShell payload.The PowerShell stage uses randomized variables, dead loops, no-op arithmetic, misleading control flow, and custom encryption. Microsoft says it generates a victim-specific identifier, disables certificate validation, and executes downloaded content directly in memory.
Instead of pulling down an obvious second-stage script, this chain retrieves a JPEG from an image-hosting service. The malicious PowerShell extracts payload data hidden in the image pixels, decrypts and decompresses it, then uses dynamically resolved Windows APIs such as
LoadLibrary, GetProcAddress, VirtualAlloc, CreateThread, and WaitForSingleObject for in-memory shellcode execution.The technique matters because image retrieval can blend into expected web traffic, while steganography makes a file inspection less revealing. The absence of a conventional executable on disk also limits the value of detection strategies centered solely on file hashes and static signatures.
Browser Tokens Turn a Local Infection Into an Identity Incident
Both chains target browser credential stores. Microsoft observed access to Chrome and Microsoft EdgeLogin Data and Web Data databases, coupled with Windows Data Protection API activity used to decrypt saved passwords, cookies, and authentication artifacts.For enterprises, stolen session cookies and tokens can be as consequential as passwords. They can enable attackers to impersonate an authenticated session, access cloud resources, or establish a foothold for follow-on activity before a password reset alone closes the gap.
The malware also searches for high-value files, including PDFs, Office documents, Desktop and Downloads content, and synchronized OneDrive and SharePoint data. Collection is followed by archiving, a strong indication that attackers are preparing data for exfiltration rather than merely conducting local reconnaissance.
Detection Needs to Follow the Behavior, Not Just the Domains
Microsoft Defender for Endpoint includes behavioral coverage for suspicious MSHTA launches, remote WebDAV DLL loading throughrundll32.exe, obfuscated PowerShell, scheduled-task persistence, in-memory execution, suspicious DPAPI usage, and browser credential theft. Defender Antivirus also detects a related MSHTA behavior as Behavior:Win32/Interhta.Int.Organizations using Microsoft Defender XDR should hunt for process and network sequences rather than depending solely on the supplied indicators of compromise. The most useful areas to prioritize are:
- Investigate Run dialog history and process telemetry containing
rundll32,@ssl, WebDAV-style paths,pushd, andconhost --headless. - Review PowerShell-created scheduled tasks, especially names resembling automatic software updates and tasks configured around user sign-in.
- Alert on
mshta.exefetching remote HTTPS content after browser or Explorer-originated activity. - Correlate browser database access and DPAPI activity with document enumeration, archive creation, and unusual outbound connections.
- Examine Python runtimes launched from
%LocalAppData%, Temp directories, or directories impersonating legitimate software.
If an endpoint is suspected of compromise, isolate it quickly, remove persistence, rotate affected credentials, and revoke potentially exposed session tokens. With ACR Stealer, the decisive question is not whether a malicious file was deleted; it is whether the browser-held identity material and enterprise documents accessed after the ClickFix prompt have already been used elsewhere.
References
- Primary source: Microsoft
Published: 2026-07-16T23:12:02+00:00
ACR Stealer: Two observed intrusion chains amid increased threat activity | Microsoft Security Blog
From late April 2026 to mid-June 2026, Microsoft Defender Experts observed increased ACR Stealer activity across customer environments. These campaigns are successfully using ClickFix lures to steal browser credentials, authentication tokens, and sensitive documents from enterprise environments.www.microsoft.com