Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
ACR Stealer Exploits ClickFix to Access Sensitive Data

ACR Stealer Exploits ClickFix to Access Sensitive Data

Posted on July 17, 2026 By CWS

The ACR Stealer, an infamous information-stealing malware active since 2024, has been identified as extracting browser passwords, session tokens, and Microsoft 365 documents from corporate networks. This malware capitalizes on ClickFix lures to gain unauthorized access to sensitive materials stored in OneDrive and SharePoint folders.

Entry Points and Attack Vectors

Initial access for ACR Stealer is typically achieved through a deceptively simple method: users unknowingly execute a command in the Run dialog box. According to Microsoft’s Defender Experts, the malware’s activity has surged from late April to mid-June, effectively leveraging ClickFix lures to extract critical information.

Two primary delivery chains are involved: one that leaves traces on the disk and another that operates filelessly. Microsoft advises affected users to revoke compromised tokens and not merely change passwords as a remedial measure.

Technical Intricacies of the Attack

The malware often infiltrates systems through malvertising or manipulated search results. The fileless attack chain initiates with the execution of mshta.exe, which accesses remote HTA content. A VBScript loader then employs COM objects to execute PowerShell commands, creating a unique victim ID and bypassing certificate checks.

The payload, hidden within a JPEG image, is extracted, decrypted, and executed in memory. Subsequently, the malware targets Chrome and Edge browsers, retrieving and decrypting stored passwords and session tokens using DPAPI. It also exfiltrates PDFs from common directories like Desktop and Downloads.

Detection and Mitigation Strategies

While one attack chain writes to disk, allowing defenders to detect its presence, both chains rely on user interaction to initiate. Red Canary, in its investigation, identified similar tactics and payloads being distributed through malicious ads and compromised sites. The attack utilizes obfuscated PowerShell scripts and a disguised scheduled task to maintain persistence.

Microsoft recommends several protective measures, including disabling the Run prompt, restricting the execution of mshta.exe, and employing application controls to prevent the execution of internet-delivered content.

Understanding the Threat Landscape

Although Microsoft has not disclosed specific victim counts, Red Canary’s telemetry indicates a significant prevalence of ACR Stealer in recent months. The malware, originally marketed under the name AcridRain and later rebranded as Amatera Stealer, has undergone significant updates.

Despite its evolution, the core tactic remains a social engineering vector, relying on user interaction to execute. The report underscores the importance of endpoint security practices and vigilance against prompt-based attacks.

Microsoft, in its report, provides hunting queries and domain indicators to aid organizations in detecting and mitigating these threats. As the threat landscape continues to evolve, staying informed and implementing robust security protocols is crucial for safeguarding sensitive data.

The Hacker News Tags:ACR Stealer, browser tokens, ClickFix, Cybersecurity, InfoStealer, Malvertising, Malware, Microsoft 365, Microsoft Defender, PowerShell, Red Canary, security breach, WebDAV

Post navigation

Previous Post: Cyberattack Hits Nichirei, Disrupts Operations
Next Post: New ClickLock Malware Threatens macOS Security

Related Posts

6,500 Axis Servers Expose Remoting Protocol, 4,000 in U.S. Vulnerable to Exploits 6,500 Axis Servers Expose Remoting Protocol, 4,000 in U.S. Vulnerable to Exploits The Hacker News
n8n Webhooks Exploited for Malware Delivery via Phishing n8n Webhooks Exploited for Malware Delivery via Phishing The Hacker News
Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection The Hacker News
Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection The Hacker News
AI Coding Tool Flaw Exposes Developers to Code Exploits AI Coding Tool Flaw Exposes Developers to Code Exploits The Hacker News
Breaches Hidden, Attack Surfaces Growing, and AI Misperceptions Rising Breaches Hidden, Attack Surfaces Growing, and AI Misperceptions Rising The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • CISA Alerts on Critical SharePoint Vulnerability Exploitation
  • Beacon Security Secures $13M Funding for Data Platform
  • GoSerpent Malware Targets Southeast Asian Governments
  • New ClickLock Malware Threatens macOS Security
  • ACR Stealer Exploits ClickFix to Access Sensitive Data

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • CISA Alerts on Critical SharePoint Vulnerability Exploitation
  • Beacon Security Secures $13M Funding for Data Platform
  • GoSerpent Malware Targets Southeast Asian Governments
  • New ClickLock Malware Threatens macOS Security
  • ACR Stealer Exploits ClickFix to Access Sensitive Data

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark