Microsoft Warns Of ACR Stealer Campaign Using ClickFix Lures To Steal Browser Tokens And Microsoft 365 Files

Microsoft Warns Of ACR Stealer Campaign Using ClickFix Lures To Steal Browser Tokens And Microsoft 365 Files

Microsoft has warned of an increase in ACR Stealer activity targeting enterprise environments through ClickFix social engineering lures that trick users into manually executing malicious commands. According to Microsoft Defender Experts, the managed detection and response team observed a noticeable rise in these attacks across customer environments between late April and mid June 2026. The campaigns focus on stealing saved browser passwords, authentication tokens, PDF documents, Microsoft 365 files, and data stored in synchronized OneDrive and SharePoint folders. Researchers said both attack chains begin with a fake prompt instructing users to paste a command into the Windows Run dialog before pressing Enter. While the delivery techniques differ, both ultimately provide attackers with access to sensitive enterprise information by abusing user interaction rather than exploiting software vulnerabilities. Microsoft also advised affected organizations to revoke authentication tokens in addition to changing passwords because stolen session tokens can continue providing unauthorized access even after credentials have been updated.

One of the attack chains operates almost entirely in memory without leaving significant traces on disk. After a victim pastes the malicious command, mshta.exe retrieves remote HTML Application content containing an embedded VBScript loader. The script uses Windows COM objects to decode and execute PowerShell, which creates a unique victim identifier, disables certificate validation, and downloads the next stage directly into memory. Microsoft explained that the final payload is hidden inside a JPEG image hosted on an image sharing platform, where custom routines extract, decrypt, decompress, and execute the embedded malware through reflective loading techniques. Once active, the malware accesses Chrome and Microsoft Edge browser databases, using Windows Data Protection API to decrypt saved passwords, cookies, and authentication tokens. It also searches for PDF documents located on the Desktop and in Downloads folders before transferring the collected information to the attackers. Microsoft did not identify the exact lure used in this campaign, but security researchers linked indicators such as creativecommunityinfo[.]art and enhanceblabber[.]cc to infrastructure previously documented by SANS Internet Storm Center. Earlier investigations by Brad Duncan connected similar attacks to malicious Google advertisements impersonating Claude AI, while Red Canary also observed fake Claude Code websites hosted on GitLab delivering ACR Stealer during April 2026.

Microsoft also detailed a second attack chain that writes files to disk, creating additional forensic evidence for defenders. In this method, the pasted command downloads a malicious DLL from a remote WebDAV share over HTTPS using disguised filenames and unique directory identifiers. Similar activity had previously been documented by Red Canary, which observed attackers mounting remote WebDAV shares as temporary local drives before executing the payload with rundll32.exe. Some variants further conceal their activity by launching commands through conhost.exe in headless mode and using delayed environment variable expansion to hide references to pushd, rundll32, and remote servers. The attack then executes obfuscated PowerShell that extracts a ZIP archive into a temporary folder under %LocalAppData%\Temp using names resembling legitimate software, such as LogiOptionsPlus. A bundled pythonw.exe silently launches the embedded Python script without displaying visible windows. Microsoft said the malware removes previous installations before updating itself, establishes persistence through a hidden scheduled task disguised as a software update, copies timestamps from notepad.exe to avoid suspicion, clears PowerShell history, and transfers execution through the Windows Fiber API. In some intrusions, an additional Python loader communicates with public blockchain Remote Procedure Call infrastructure to retrieve payloads or command and control information through a technique known as EtherHiding, which stores references inside smart contracts instead of relying on attacker controlled infrastructure.

Microsoft emphasized that neither attack chain exploits a software vulnerability or relies on a Common Vulnerabilities and Exposures identifier. Instead, both campaigns depend entirely on convincing users to execute commands manually through ClickFix prompts. The company noted that the attack inherits all permissions already available to the signed in user, making awareness and application control critical defenses. Microsoft did not disclose the total number of victims or affected organizations but confirmed that activity increased during the reporting period. Previous telemetry from Red Canary showed that the ClearFake web injection cluster, which has delivered ACR Stealer since at least March 2025, became its most prevalent threat during April, while ACR Stealer entered the firm’s top ten threat rankings. Microsoft also avoided attributing the activity to a specific threat actor, explaining that the identification is based on malware behavior and infrastructure rather than confirmed operator identity. Security researchers have previously reported that ACR Stealer was marketed on Russian language forums before later being rebranded as Amatera Stealer. To reduce the risk of compromise, Microsoft recommended restricting access to the Windows Run dialog where possible, implementing application control policies, preventing tools such as PowerShell, mshta.exe, Python, and rundll32.exe from executing internet delivered content, monitoring suspicious scheduled tasks and outbound network connections, isolating compromised systems, revoking authentication tokens, rotating credentials, and reviewing Microsoft Defender XDR hunting queries and campaign indicators published with the report.

Source

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Post Comment