Skip to main content
Emerging ThreatsMalware & Ransomware

ACR Stealer Exploits ClickFix Lures to Target Microsoft 365 Files

Office setting with laptop showing Microsoft 365 interface and scattered papers.

"[Campaigns are] successfully using ClickFix lures to steal browser credentials, authentication tokens, and sensitive documents," Microsoft’s Defender Experts team wrote, summing up activity it tracked from late April through mid‑June. The practical effect: ACR Stealer is walking out of enterprise environments with saved browser passwords, session tokens, PDFs and Microsoft 365 content from synced OneDrive and SharePoint folders.

What Microsoft observed and when

Microsoft’s managed detection arm reported an upward trend in ACR Stealer activity between late April and mid‑June. The company laid out two distinct delivery chains that share a single, simple starting point: a user pastes a command into the Run box and presses Enter. From that moment, the campaigns diverge — one runs almost entirely in memory and leaves few disk traces; the other writes components to disk and creates artifacts defenders can inspect. Microsoft shipped three Defender XDR hunting queries and a list of 16 campaign domains as part of the writeup.

The fileless chain: pixels, mshta.exe, and in‑memory PowerShell

In the fileless variant the pasted command spawns mshta.exe to fetch remote HTA content. An embedded VBScript loader — using COM objects — decodes and invokes PowerShell, mints a victim ID, disables certificate validation, and executes retrieved content in memory. That runtime pulls a JPEG from an image host whose pixels hide the payload; custom routines carve the payload out of the image, decrypt, decompress, and execute it reflectively.

Once running in memory, the stealer targets Chrome and Edge, reading the Login Data and Web Data databases and calling DPAPI to decrypt stored passwords, cookies, and live authentication tokens. The chain also exfiltrates PDFs found on the Desktop and in Downloads. Microsoft’s guidance stresses that this path depends on a human action — the paste‑and‑run — not on a software vulnerability.

The disk‑writing chain: WebDAV DLLs, pythonw.exe, and persistence

The alternative chain downloads a DLL from a WebDAV share over HTTPS and invokes it via rundll32.exe. Some variants first mount the remote share with pushd so the payload appears to execute from a local path; others wrap execution in conhost.exe --headless and use delayed environment‑variable expansion to hide suspicious strings.

Obfuscated PowerShell drops a ZIP in %LocalAppData%\\Temp with innocuous names such as LogiOptionsPlus. A bundled pythonw.exe launches the Python payload with no UI. The installer removes older copies, sets a hidden scheduled task masquerading as a software update, copies timestamps from notepad.exe to hide its files, clears PowerShell history, and hands the final stage to user‑mode execution via the Windows Fiber API. In some intrusions a secondary Python loader queries public blockchain RPC endpoints and other Web3 node infrastructure to pull a payload or C2 pointer — a technique Microsoft calls EtherHiding.

Lures, infrastructure, and earlier observations

Microsoft and other responders trace the campaigns to an overlapping set of lures and infrastructure. The company attributes many campaigns to ClickFix‑style lures; SANS Internet Storm Center handler Brad Duncan documented a Windows infection on May 26 that traced to a page impersonating Anthropic’s Claude, reached through malicious Google ads and sites.google.com hosts. That chain fetched a 628 KB JPEG from ImgBB that contained the payload in its pixels. Red Canary logged Claude‑branded lures delivered via fake Claude Code pages on GitLab a month earlier.

Microsoft lists domains such as creativecommunityinfo[.]art and enhanceblabber[.]cc among Campaign 2 indicators, noting they served as a payload host and C2; The Hacker News matched those domains to Duncan’s chain. Separately, Red Canary reported ClearFake, a web‑inject cluster that has fed ACR Stealer since at least March 2025 and placed ACR in Red Canary’s top ten threats in April telemetry.

How to disrupt the paste‑and‑run vector and respond to incidents

Because both delivery chains begin with a user running a pasted command, upstream controls matter most. Recommended measures Microsoft and responders highlight include removing the Run dialog via Group Policy, blocking mshta.exe with AppLocker or WDAC, and enforcing application control and attack‑surface reduction rules so PowerShell, Python, mshta.exe and rundll32.exe cannot execute internet‑delivered content from Downloads, Temp or %LocalAppData%.

Detection advice includes hunting for rundll32.exe with no command‑line parameters that is making network connections, and for scheduled tasks masquerading as software updates, timestomping, and PowerShell history clearing. On suspected hosts, responders should isolate the machine, rotate credentials, revoke tokens (Microsoft’s remediation guidance explicitly advises revoking tokens rather than only rotating passwords), and check outbound connections to remote shares and image‑hosting services.

What this means for technologists, affected enterprises, and end users

  • Technologists and security teams: prioritize application control rules and hunting for anomalous rundll32.exe, conhost.exe --headless, and mounts created by pushd; use Defender XDR queries Microsoft provided as starting points.
  • Affected enterprises and procurement leaders: review endpoint hardening and update incident response playbooks to include token revocation — passwords alone are not sufficient — and monitor for evidence of WebDAV or image‑host exfiltration paths.
  • End users and help‑desk staff: treat unexpected prompts to paste commands into Run as high‑risk; avoid following instructions from search results or ads that ask for copy‑pasted commands, and escalate such requests to security teams.

Microsoft’s description makes one point clear: there is no exploited CVE here, and the chain works because a person executes a pasted command. The label “ACR Stealer” in detections reflects observed behavior on a codebase that has been renamed and rebranded in reporting — including a June 2025 rebrand to Amatera Stealer and prior forum activity tied to an actor called SheldIO in July 2024 — but the behavioral name does not identify who is running the campaigns. Microsoft also did not quantify victim counts; Red Canary’s April telemetry provides some numerical context, but the scale and full range of active infrastructure remain represented only by the sample indicators Microsoft released.

Original story