Key Takeaways

  • Microsoft observed coordinated ACR Stealer campaigns using ClickFix lures, WebDAV, and MSHTA from late April to mid-June 2026.
  • The malware operators expanded delivery methods, blending social engineering with obfuscated PowerShell and steganography.
  • Industry research from Microsoft, Red Canary, and The Hacker News points to rising malware-as-a-service activity targeting enterprise identity systems.

Microsoft observed a surge in ACR Stealer activity, reporting that attackers targeted enterprise customers with layered intrusion chains between late April and mid-June 2026. The campaigns relied on ClickFix prompts to trick users into executing commands that launched the malware. This tactic leverages social engineering by masquerading as a legitimate troubleshooting step.

The recent reporting details two prevalent ACR Stealer delivery methods. The first intrusion chain uses a ClickFix lure to execute a malicious DLL pulled from a remote WebDAV share using rundll32.exe. Microsoft found that the adversary often hides the payload behind GUID-based directory structures and filenames that mimic legitimate cloud resources. Similar WebDAV abuse has appeared in previous attacks, a trend also noted in coverage from The Hacker News.

Following initial execution, the malware communicates with command-and-control infrastructure and launches a heavily obfuscated PowerShell script. This script installs a bundled Python loader, creates a scheduled task masked as a software update, manipulates timestamps, clears PowerShell history, and injects the final ACR Stealer payload into a system process for in-memory execution. Specific variants utilize public blockchain services as dead-drop resolvers to obtain updated payload locations—a technique known as EtherHiding.

A second observed delivery chain relies on the Microsoft HTML Application Host (MSHTA) utility rather than WebDAV. In this scenario, the ClickFix lure launches MSHTA, which retrieves malicious content from an attacker-controlled server and executes an obfuscated PowerShell downloader. The downloader extracts an encrypted payload concealed within a publicly hosted steganographic JPEG image, allowing the malicious code to blend with standard web traffic and execute directly in memory.

Both intrusion chains share the primary objective of stealing sensitive enterprise data. The malware extracts passwords, cookies, session data, and authentication tokens stored in web browsers, utilizing the Windows Data Protection API to decrypt local data. It specifically targets Chromium-based browser databases, Microsoft 365 documents, PDFs, and enterprise-synchronized directories in OneDrive and SharePoint. All collected data is archived for exfiltration.

Broader industry intelligence supports these findings. Reporting from Red Canary in May 2026 highlighted an increase in malware-as-a-service operations. ACR Stealer, which researchers identify as a rebranding of the Amatera malware, operates within this ecosystem. These subscription-based services lower the technical barrier for threat actors to launch credential-focused campaigns.

Detecting these early-stage behaviors requires granular telemetry. WebDAV usage, obfuscated PowerShell execution, and sudden access to browser credential stores can mimic routine administrative workflows in enterprise environments. To identify these threats, security vendors including Microsoft, CrowdStrike, and SentinelOne advise implementing anomaly-based detections focused on unauthorized browser data extraction and suspicious remote content execution.

Credential theft and token hijacking have become primary initial access vectors across recent threat intelligence reports. The widespread documentation of ClickFix-based social engineering indicates that the methodology is now utilized by multiple distinct operators rather than a single group.

The reliance on browser-stored session tokens allows attackers to easily escalate from a compromised local endpoint into broader enterprise identity systems. Defending against these intrusions requires strict policy controls surrounding browser storage limits, PowerShell execution restrictions, and external remote share access.

To mitigate the ACR Stealer threat, Microsoft advises organizations to reduce exposure to web-based delivery methods by filtering low-reputation domains and restricting access to unnecessary external resources. Security teams can deploy application control policies to block executable code from launching via remote locations, specifically targeting utilities such as Python, PowerShell, MSHTA, and rundll32.exe. End-user security training must also emphasize the risks of copying and pasting administrative commands from unsolicited troubleshooting prompts.

Infostealer operations evolve continuously, and ACR Stealer is already utilizing multiple distinct execution chains to bypass defenses. As the malware-as-a-service ecosystem expands, threat actors are increasingly motivated to automate credential theft at scale, signaling that further variations of these delivery methods will emerge.

The ACR Stealer campaigns between late April and mid-June 2026 demonstrate the effectiveness of combining social engineering with lightweight, native execution chains. Because targeting identity material enables adversaries to bypass traditional perimeter defenses, enterprise security teams must adapt their detection controls to identify these stealthy credential-harvesting behaviors during the initial intrusion phase.