Select a theme from the list.
Insights

From our experts

Latest
Nichirei Cyberattack Sends Digital Disruption Into the Cold ChainNadMesh Botnet Raids Exposed AI Servers for Cloud CredentialsACR Stealer Turns Fake Fixes Into Enterprise Data TheftMicrosoft Warns That Overprivileged AI Agents Are Becoming a New Identity RiskDigiCert Intrusion Reveals How Stolen Code-Signing Trust Can Shield MalwareAbbott Investigates Two Cyber Incidents as Extortion Claims Target Diagnostics OperationsSophos Fusion Recasts the Security Platform as an AI-Driven Defense SystemShark Vacuum Cloud Weakness Turns One Device Certificate Into a Regional Master KeyTrusted Meeting Apps Become the Bait in a Multi-Layer Windows Malware CampaignMicrosoft Makes Passkeys the Entra ID Default and Sets a Deadline for Native SMS AuthenticationSonicWall Zero-Days Under Active Attack Demand Immediate SMA1000 PatchingCritical Chrome and Firefox Updates Put Browser Restarts Back on the Security AgendaNichirei Cyberattack Sends Digital Disruption Into the Cold ChainNadMesh Botnet Raids Exposed AI Servers for Cloud CredentialsACR Stealer Turns Fake Fixes Into Enterprise Data TheftMicrosoft Warns That Overprivileged AI Agents Are Becoming a New Identity RiskDigiCert Intrusion Reveals How Stolen Code-Signing Trust Can Shield MalwareAbbott Investigates Two Cyber Incidents as Extortion Claims Target Diagnostics OperationsSophos Fusion Recasts the Security Platform as an AI-Driven Defense SystemShark Vacuum Cloud Weakness Turns One Device Certificate Into a Regional Master KeyTrusted Meeting Apps Become the Bait in a Multi-Layer Windows Malware CampaignMicrosoft Makes Passkeys the Entra ID Default and Sets a Deadline for Native SMS AuthenticationSonicWall Zero-Days Under Active Attack Demand Immediate SMA1000 PatchingCritical Chrome and Firefox Updates Put Browser Restarts Back on the Security Agenda
Security Insight

ACR Stealer Turns Fake Fixes Into Enterprise Data Theft

ACR Stealer Turns Fake Fixes Into Enterprise Data Theft
Photo by Ann H on Pexels

Microsoft has reported increased ACR Stealer activity involving ClickFix social engineering, remote WebDAV resources, PowerShell, and trusted Windows utilities. The malware targets browser passwords, live authentication tokens, Microsoft 365 documents, and files synchronized through OneDrive and SharePoint, making password changes alone an insufficient response. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/microsoft-warns-of-surge-in-acr-stealer-attacks-on-customers/))

A familiar-looking troubleshooting instruction can now be the opening move in a serious enterprise intrusion. Microsoft has observed increased activity involving ACR Stealer, an information-stealing malware operation that persuades victims to copy and execute commands under the pretense of resolving an error or completing a verification step.

Trusted Windows tools become delivery mechanisms

The campaigns use the ClickFix technique, which shifts part of the attack to the victim. Instead of exploiting a conventional software vulnerability, attackers convince users to open a command interface and run malicious instructions themselves.

One observed chain retrieves a malicious DLL from a remote WebDAV share and launches it with rundll32.exe. The infection then uses an obfuscated PowerShell script, establishes persistence through a scheduled task, and injects the final payload into another process. A second chain abuses mshta.exe and extracts an encrypted payload concealed inside an image before executing the malware in memory.

Once active, ACR Stealer searches for browser passwords, cookies, session information, authentication tokens, PDFs, Microsoft 365 documents, and files stored in synchronized OneDrive and SharePoint directories. This creates a business risk extending far beyond the compromised endpoint. A stolen session token may let an attacker enter a cloud account without repeatedly presenting a password.

Defenders need to respond beyond password resets

  • Revoke active sessions and authentication tokens after a suspected infection.
  • Restrict PowerShell, Python, mshta.exe, and rundll32.exe where business use does not require them.
  • Block newly registered or low-reputation domains and unnecessary WebDAV traffic.
  • Monitor scheduled task creation, suspicious child processes, and execution from user-writable locations.
  • Teach employees that websites should not require commands to prove they are human.

Expert view

In my view, ClickFix succeeds because it makes the user an unwitting execution engine. Security awareness must therefore move beyond identifying suspicious links and attachments. Employees should understand that copying a command into Run, PowerShell, Terminal, or a scripting window is equivalent to launching an unknown program.

I also believe incident response teams should treat an ACR Stealer detection as a potential cloud identity compromise, not simply a malware cleanup task. The affected machine should be isolated, persistence removed, credentials rotated, tokens revoked, and cloud audit logs reviewed for suspicious access. Microsoft says the documented chains may not represent every delivery method used by the malware, making behavior-based monitoring particularly important. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/microsoft-warns-of-surge-in-acr-stealer-attacks-on-customers/))

Talk to our team →

Latest

Nichirei Cyberattack Sends Digital Disruption Into the Cold ChainJul 19, 2026NadMesh Botnet Raids Exposed AI Servers for Cloud CredentialsJul 19, 2026ACR Stealer Turns Fake Fixes Into Enterprise Data TheftJul 19, 2026Microsoft Warns That Overprivileged AI Agents Are Becoming a New Identity RiskJul 18, 2026DigiCert Intrusion Reveals How Stolen Code-Signing Trust Can Shield MalwareJul 18, 2026Abbott Investigates Two Cyber Incidents as Extortion Claims Target Diagnostics OperationsJul 18, 2026

Most read

1Global CMS Exploitation Wave Plants Webshells on Business Websites2Microsoft Prepares Windows Customers for a Faster Era of AI-Driven Patching3Exposed Attack Server Unmasks Three Microsoft 365 Phishing Operations4Laser Attack Exposes an Unpatchable Weakness in Tangem Crypto Wallet Cards5Sophos Fusion Recasts the Security Platform as an AI-Driven Defense System6Microsoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe Goal