Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

ACR Stealer: The Malicious Force Behind ClickFix Lures and Microsoft 365 File Theft


ACR Stealer, a sophisticated infostealer malware, uses ClickFix lures to steal browser tokens and Microsoft 365 files from enterprise networks. Experts recommend several controls to mitigate the risk posed by this threat, highlighting the importance of continuous monitoring and proactive cybersecurity measures.

  • A CR Stealer malware is stealing browser tokens and Microsoft 365 files from enterprise networks using ClickFix lures.
  • The source code was sold on Russian-speaking forums by an actor known as SheldIO.
  • The malware bypasses security measures through complex steps, including mshta.exe and PowerShell.
  • A CR Stealer targets Chrome and Edge browsers, accessing browser credentials and authentication tokens.
  • The malware infects PDF files to steal sensitive documents.
  • Controls include removing the Run prompt, blocking mshta.exe, and using application control rules.



  • ACR Stealer, a type of infostealer malware, has been making headlines recently due to its sophisticated tactics for stealing browser tokens and Microsoft 365 files from enterprise networks. According to a report released by Microsoft's Defender Experts team, ACR Stealer uses ClickFix lures to gain access to these sensitive files, highlighting the importance of cybersecurity awareness and vigilance in preventing such attacks.

    The malware has been linked to an actor known as SheldIO, who reportedly sold off the source code of ACR Stealer on Russian-speaking forums. However, there is still much uncertainty surrounding the exact nature of the threat actor behind this malicious software.

    Once pasted into the Run dialog box and executed, ACR Stealer's payload enters a series of complex steps that allow it to bypass traditional security measures. The malware first uses mshta.exe to pull remote HTA content, which is then decoded and fired using PowerShell. This stage of the payload mints a victim ID and disables certificate validation, allowing for more covert operations.

    The malware then retrieves a JPEG file from an image host, where it sits in plain sight within the pixel data. Custom routines carves out this payload, decrypts it, decompresses it, and executes it reflectively. ACR Stealer then targets Chrome and Edge browsers, accessing their Login Data and Web Data databases to retrieve browser credentials and authentication tokens.

    Furthermore, the malware also infects PDF files located on the Desktop and in Downloads, allowing for the theft of sensitive documents. This level of sophistication highlights the need for robust cybersecurity measures that can detect such malicious activities.

    The payload's persistence is ensured through a scheduled task masquerading as a software update, which copies timestamps off notepad.exe onto its own files and clears PowerShell history behind it. The last stage of the malware stays in memory, handing execution over to the Windows Fiber API.

    Red Canary has documented several instances where ACR Stealer was used to deliver this payload, including a July 2026 detection that labeled ACR Stealer as a behavioral call on a codebase that had been renamed at least once and may have changed ownership. This highlights the dynamic nature of the threat landscape and the need for continuous monitoring.

    To mitigate the risk posed by ACR Stealer, experts recommend several controls, including removing the Run prompt via GPO and blocking mshta.exe through AppLocker or WDAC. They also suggest using application control and attack surface reduction rules to prevent PowerShell, Python, mshta.exe, and rundll32.exe from launching internet-delivered content.

    Microsoft has shipped three Defender XDR hunting queries and 16 campaign domains with the report, which are a slice of the family's full range of campaigns and infrastructure. The lures overlap rather than replace one another, according to Red Canary, as they were also seen in April telemetry.

    The ACR Stealer attack serves as a reminder that cybersecurity threats can come from unexpected directions and require proactive measures to prevent and mitigate. By understanding how these types of attacks work and taking steps to enhance security awareness and vigilance, individuals and organizations can reduce their risk exposure.

    ACR Stealer, a sophisticated infostealer malware, uses ClickFix lures to steal browser tokens and Microsoft 365 files from enterprise networks. Experts recommend several controls to mitigate the risk posed by this threat, highlighting the importance of continuous monitoring and proactive cybersecurity measures.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/ACR-Stealer-The-Malicious-Force-Behind-ClickFix-Lures-and-Microsoft-365-File-Theft-ehn.shtml

  • https://thehackernews.com/2026/07/acr-stealer-uses-clickfix-lures-to.html


  • Published: Fri Jul 17 06:30:18 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us