www.microsoft.com 7/16/2026, 11:47:39 PM · external

ACR Stealer Uses ClickFix Lures to Steal Enterprise Credentials

ACR Stealer Uses ClickFix Lures to Steal Enterprise Credentials
CyberSIXT Evidence Panel Source marked as original reporting

BETWEEN late April and mid-June 2026, Microsoft Defender Experts identified an increase in ACR Stealer malware activity, utilizing ClickFix lures to compromise enterprise systems and steal sensitive information such as browser credentials and session tokens. The observed campaigns differ in execution and evade detection using various methods. Campaign 1 employs WebDAV and PowerShell, while Campaign 2 operates primarily in-memory using MSHTA and steganography.

Key mitigation strategies include user education on recognizing malicious prompts, deploying application controls to restrict execution of untrusted scripts, and monitoring for unusual activity related to browser data access. Microsoft Defender tools provide coverage for detecting and responding to these threats, and the ongoing development of threat intelligence and advanced hunting capabilities is crucial to combating such evolving malware.

View full article

Article by CyberSIXT