Microsoft’s security team on July 16 revealed two ongoing ACR Stealer campaigns that have been tricking users into pasting malicious commands as part of fake CAPTCHA or browser-repair prompts. The attacks, active from late April through mid-June 2026, use a social-engineering technique called ClickFix to bypass traditional phishing defenses and harvest browser-stored credentials, authentication tokens, and sensitive enterprise documents.

How the Attack Unfolds: From ClickFix to Token Theft

ClickFix is deceptively simple. Victims are led to a website that insists they must verify they’re human, fix a playback error, or complete a CAPTCHA. Instead of a standard checkbox, the page instructs them to press Windows+R, paste a command, and hit enter. That user action – not malware – executes a chain of legitimate Windows tools to download and run the stealer.

The two campaigns diverge after that initial prompt. In the first, the command invokes rundll32.exe to load a DLL from a remote WebDAV share, often disguised with GUID-based folder names. Some variants first use pushd to map the share to a temporary drive letter, making the remote payload appear local. Advanced versions add conhost.exe --headless and environment-variable obfuscation to hide the command window.

Once the DLL loads, a heavily obfuscated PowerShell script deploys a Python loader into a folder mimicking legitimate software (e.g., LogiOptionsPlus). The Python code uses multiple layers of Base64, zlib, and string manipulation to reconstruct shellcode, which then runs in memory via VirtualAlloc and Windows Fiber APIs. Persistence arrives as a hidden scheduled task named to look like a software update, with file timestamps copied from notepad.exe and PowerShell history cleared.

A subset of these intrusions added an EtherHiding-style C2 resolver, querying public blockchain RPC endpoints to fetch follow-up commands. That means blocking domains alone won’t stop the attack.

The second campaign takes a more fileless approach. The ClickFix command launches mshta.exe to fetch remote HTA content. Embedded VBScript abuses COM objects to decode and run obfuscated PowerShell. That script then downloads what appears to be a harmless JPEG from an image-hosting service, extracts payload data hidden in the pixels, and executes it entirely in memory. The combination of steganography and reflective shellcode leaves almost no disk artifacts for traditional antivirus scans.

Both chains ultimately target browser credential stores – Chrome’s and Edge’s Login Data and Web Data databases – and use the Windows Data Protection API to decrypt saved passwords, cookies, and session tokens. The malware also searches for PDFs, Office documents, and anything synced through OneDrive or SharePoint, then archives it for exfiltration.

Why This Threat Is More Than a Password Stealer

For home users, a successful ClickFix infection can mean stolen passwords and financial accounts. But for businesses, the danger is far greater: session cookies and authentication tokens can let attackers impersonate authenticated users without needing a password. That means they can bypass multi-factor authentication, access cloud resources, and move laterally across a network even after you reset a compromised password.

The data-collection behavior is equally alarming. By targeting OneDrive and SharePoint files, the malware turns a single endpoint compromise into a potential data breach affecting entire teams. The archive-and-exfiltrate pattern shows attackers aren’t just snooping – they’re packaging your files for theft.

How We Got Here: The Rise of ClickFix and MaaS

ACR Stealer is reportedly a rebrand of Amatera Stealer, sold under a malware-as-a-service model. That means less-skilled attackers can rent the kit, lowering the barrier to entry. ClickFix lures have surged because they exploit a gap in user training: most people know not to click suspicious links, but few recognize that pasting a command into Windows is just as dangerous. The technique weaponizes trust in legitimate system utilities like rundll32.exe, mshta.exe, and PowerShell, which are not blocked by default.

Both campaigns rely on malvertising and SEO-poisoned search results to drive traffic to the fake verification pages. Once a user arrives, the prompt feels urgent and benign – a clever bit of social engineering that sidesteps URL filters and email security gates.

What to Do Now: Practical Steps for Users and Admins

For Everyone

  • Never paste commands from a website into Windows, regardless of how official the prompt looks. No legitimate service asks you to do this.
  • If you accidentally ran such a command, immediately isolate the device from the network and contact your IT department. For personal devices, disconnect, change passwords from a clean machine, and revoke active sessions on all cloud services.
  • Keep browser and OS updates current. Enable built-in protections like Windows Defender’s cloud-delivered protection and reputation-based blocking.

For System Administrators

  • Detect ClickFix behavior, not just domains. Hunt for rundll32 calls containing WebDAV paths (@ssl, DavWWWRoot), pushd to remote shares, and conhost.exe --headless in execution chains. These are strong signals of compromise even without an antivirus hit.
  • Restrict unnecessary tools. Use AppLocker or attack surface reduction rules to prevent mshta.exe, rundll32.exe, and PowerShell from launching untrusted content – especially from Downloads, Temp, and %LocalAppData%.
  • Monitor for suspicious scheduled tasks created by PowerShell. Look for task names mimicking software updates and those configured to run at user logon.
  • Correlate browser credential access with DPAPI activity. A spike in Login Data reads alongside DPAPI decryption and file enumeration is a telltale sign of a stealer.
  • Investigate Python runtimes in odd locations. Python spawned from %LocalAppData%\Temp or folders impersonating legitimate apps should raise an immediate flag.
  • Block blockchain RPC traffic if your organization has no business need for Web3 services. The EtherHiding C2 technique can be spotted when Python or PowerShell contacts *.eth.* RPC endpoints.
  • Harden PowerShell. Enable script block logging, module logging, and transcription. Review the telemetry for telltale obfuscation patterns.
  • Enable EDR block mode and automated investigation in Microsoft Defender for Endpoint. This allows post-breach detections to be contained automatically – crucial when minutes matter.
  • If compromise is confirmed: isolate the device, rotate all credentials stored in the affected browser, and explicitly revoke session tokens for cloud apps like Microsoft 365. Simply deleting a file won’t close the door; the tokens already exfiltrated remain valid.

Outlook: A Shift Toward Behavior-Based Defense

ACR Stealer’s operators have shown they can pivot rapidly: from disk-based Python loaders to fileless steganography, from hard-coded C2 to blockchain dead drops. As long as ClickFix lures keep working, more commodity stealers will adopt similar tactics. The defense playbook must evolve beyond signature scans and blocklists. Real-time behavioral analysis, token-based access controls, and user education that specifically addresses paste-and-run commands will be critical in the months ahead. Microsoft’s transparent disclosure of these two chains should serve as a blueprint for defenders – not just for this stealer, but for the next one that inevitably follows.