ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files
Microsoft's Defender Experts team detailed two delivery chains for the ACR Stealer infostealer, which uses paste-a-command ClickFix lures to exfiltrate browser credentials, session tokens, and Microsoft 365 files. Neither chain exploits a vulnerability, relying entirely o…
Intelligence analysis by Llama

ACR Stealer, active since 2024, is stealing browser passwords, session tokens, and Microsoft 365 files from enterprise networks by tricking users into pasting malicious commands. Microsoft documented two delivery chains, one nearly fileless and one using WebDAV, both ending in the same data theft.
Imagine a thief who tricks you into opening your own front door by handing you a note that says 'paste this and press Enter.' ACR Stealer does that on computers, stealing saved passwords and work files. Some versions even hide instructions inside a picture file, like a secret message written between the dots.
Analysis
A Stealer That Lives in the Pixels
ACR Stealer exemplifies how far infostealers have come in operational discipline since their early, clunky forebears. The fileless chain Microsoft documented pulls a JPEG from a public image host, carves the next-stage payload out of the image's pixel data, decrypts and decompresses it in memory, and executes it reflectively. No file touches disk until the stealer itself starts scraping Chrome and Edge credential databases and calling DPAPI to decrypt the cookies and tokens inside. By the time any traditional file-based detection fires, the damage is already done and the resident image is just a picture of something innocuous.
What makes the chain notable is the operational symmetry between the two variants Microsoft observed. One hides in pixels and memory; the other writes to disk but disguises its DLL as google.ct on a WebDAV share, mounts the share as a local drive with pushd, wraps the whole thing in conhost.exe --headless to suppress the console, and then hands execution off through the Windows Fiber API. Both chains end in the same destination: DPAPI-decrypted browser secrets, PDFs from Desktop and Downloads, and a sweep of synced OneDrive and SharePoint content. The tradecraft is mature enough to support multiple delivery options against the same target, which is a sign of a financially motivated actor, not a curious hobbyist.
The ClickFix Tax on Human Trust
The single most uncomfortable fact in Microsoft's writeup is the absence of a CVE. ACR Stealer does not exploit a vulnerability. It exploits the willingness of a person to read a prompt, copy a command, paste it into a Run box, and press Enter. Microsoft's explicit guidance is to revoke authentication tokens rather than just rotate passwords, because the stealer harvests live session cookies that survive a password change. Patching does not close the paste-and-run path. The only durable mitigation is user behavior, which is precisely the kind of control that scales poorly across an enterprise.
This puts defenders in a difficult position. Endpoint telemetry on mshta.exe, WebDAV mounts, and rundll32.exe loading remote DLLs helps, and the on-disk chain leaves more artifacts than the pixel chain, but the fileless variant offers almost nothing to a traditional antivirus engine. Microsoft's own report does not quantify how many customers were hit, how many machines were affected, or what the late-April-to-mid-June increase actually looked like in absolute terms. Red Canary's April telemetry gives the only concrete number: ClearFake, the JavaScript-inject cluster that has been feeding ACR Stealer since at least March 2025, took the No. 1 spot on Red Canary's most-prevalent-threat list that month, with ACR Stealer entering the top ten tied for sixth.
EtherHiding and the Takedown Problem
The most forward-looking detail in the report is the use of EtherHiding in a subset of intrusions. A second Python loader talks to public blockchain RPC endpoints and Web3 node infrastructure, pulling a payload or C2 address from a public ledger. Because the pointer lives in a smart contract, there is no attacker-controlled DNS record or hosting account that a takedown notice can take away. Seizing the domain seizes nothing. The infrastructure persists as long as the underlying chain does.
Microsoft is also notably careful with attribution. It ties the activity to ACR Stealer based on behavior and post-exploitation tradecraft cross-referenced with public reporting, and names no threat actor. The restraint is appropriate. Red Canary and SANS Internet Storm Center handler Brad Duncan had already documented overlapping infrastructure and Claude-branded lures a month or more before Microsoft's writeup, and the creativecommunityinfo[.]art and enhanceblabber[.]cc indicators in Microsoft's Campaign 2 table match subdomains Duncan saw seven weeks earlier. The picture that emerges is a single stealer family fed by multiple lure operators, with delivery infrastructure shared between at least one major inject cluster (ClearFake) and several social-engineering pages impersonating Claude and other AI tools. The threat is real, the seams between operators are not always clear, and defenders should plan accordingly.
Key points
- ACR Stealer uses ClickFix paste-a-command lures, not software vulnerabilities, to gain initial access
- Microsoft documented two delivery chains: a nearly fileless pixel-steganography chain and a WebDAV-mounted DLL chain, both ending in the same data theft
- Stolen data includes browser passwords, session tokens, PDFs, and Microsoft 365 / OneDrive / SharePoint files
- Microsoft advises revoking authentication tokens rather than just rotating passwords, since live session cookies survive password resets
- A subset of intrusions uses EtherHiding, storing C2 pointers in a public blockchain to defeat domain takedowns
- No threat actor has been named; Red Canary and SANS ISC independently documented overlapping infrastructure weeks before Microsoft's report
Microsoft's explicit recommendation to revoke tokens rather than only rotate passwords reflects a maturing enterprise playbook for session-cookie theft, and the on-disk chain leaves enough artifacts for EDR to catch. Continued cross-vendor correlation, as seen between Microsoft, Red Canary, and SANS, gives defenders a more complete picture than any single vendor could provide alone.
The fileless chain gives defenders almost nothing to detect, the EtherHiding C2 technique removes the usual takedown lever, and no patch can close the human-action entry point. If ClickFix-style lures continue to convert at the rates Microsoft implies, enterprises face a steady drip of credential and document theft that is structurally resistant to conventional controls.



