Fake fix prompts spread ACR Stealer to raid corporate browser logins

Microsoft says a fast spreading information stealer called ACR Stealer is slipping into corporate networks by tricking employees into running malicious commands themselves, then quietly emptying their browsers of saved passwords, session tokens, and sensitive documents.

From late April to mid June 2026, Microsoft Defender Experts observed ACR Stealer activity climbing across customer environments. ACR is sold under a malware as a service model and is reportedly a rebrand of an earlier stealer tracked as Amatera. Both of the campaigns Microsoft detailed begin the same way, with a ClickFix lure: a fake verification or fix it prompt, usually reached through malvertising or poisoned search results, that instructs the victim to paste and run a command. That single step hands the attacker code execution without exploiting any software flaw.

What gets stolen

Once running, the malware decrypts browser stored passwords, cookies, and authentication tokens using the Windows Data Protection API, then sweeps the machine for PDFs and Microsoft 365 files, including data synced from OneDrive and SharePoint. Stolen session tokens are especially dangerous because they can let an attacker walk past passwords and even multifactor prompts straight into cloud accounts, opening the door to follow on intrusions.

How the attack works

Microsoft observed two prevalent delivery chains. In the first, the pasted command uses rundll32 to load a DLL from a remote WebDAV share, runs heavily obfuscated PowerShell, and drops a Python based loader into a temporary folder disguised as a legitimate app such as LogiOptionsPlus. It persists through a hidden scheduled task dressed up as a software updater, and even copies timestamps from notepad.exe and clears PowerShell history to frustrate forensics. A subset of these intrusions resolves its command and control through public blockchains, a dead drop technique known as EtherHiding that lets operators change infrastructure without redeploying the malware and makes takedowns harder.

The second campaign is more fileless. It launches through mshta.exe and obfuscated PowerShell, then hides its final payload inside a JPEG image using steganography and executes it entirely in memory, leaving few artifacts on disk for scanners to catch.

What you should do

Treat paste and run or prove you are human prompts that invoke cmd, PowerShell, rundll32, or mshta as malicious, and train staff to recognize them. Use application control and attack surface reduction rules to stop those tools from launching internet delivered content out of Downloads, Temp, and AppData. Watch for scheduled tasks posing as updaters, unusual DPAPI decryption, and access to browser credential databases. If you suspect a compromise, isolate the device, rotate exposed passwords, and revoke potentially stolen tokens.

ClickFix has become one of the most common ways criminals get users to infect themselves this year. IntelFusions recently documented a campaign that turned roughly 700 legitimate websites into ClickFix delivery nodes, as well as a Microsoft and Europol operation against the Stealc and Amadey infostealers. The latest research comes from Microsoft Defender Experts; see the original report for full indicators and hunting queries.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions