A familiar-looking troubleshooting instruction can now be the opening move in a serious enterprise intrusion. Microsoft has observed increased activity involving ACR Stealer, an information-stealing malware operation that persuades victims to copy and execute commands under the pretense of resolving an error or completing a verification step.
Trusted Windows tools become delivery mechanisms
The campaigns use the ClickFix technique, which shifts part of the attack to the victim. Instead of exploiting a conventional software vulnerability, attackers convince users to open a command interface and run malicious instructions themselves.
One observed chain retrieves a malicious DLL from a remote WebDAV share and launches it with rundll32.exe. The infection then uses an obfuscated PowerShell script, establishes persistence through a scheduled task, and injects the final payload into another process. A second chain abuses mshta.exe and extracts an encrypted payload concealed inside an image before executing the malware in memory.
Once active, ACR Stealer searches for browser passwords, cookies, session information, authentication tokens, PDFs, Microsoft 365 documents, and files stored in synchronized OneDrive and SharePoint directories. This creates a business risk extending far beyond the compromised endpoint. A stolen session token may let an attacker enter a cloud account without repeatedly presenting a password.
Defenders need to respond beyond password resets
- Revoke active sessions and authentication tokens after a suspected infection.
- Restrict PowerShell, Python, mshta.exe, and rundll32.exe where business use does not require them.
- Block newly registered or low-reputation domains and unnecessary WebDAV traffic.
- Monitor scheduled task creation, suspicious child processes, and execution from user-writable locations.
- Teach employees that websites should not require commands to prove they are human.
Expert view
In my view, ClickFix succeeds because it makes the user an unwitting execution engine. Security awareness must therefore move beyond identifying suspicious links and attachments. Employees should understand that copying a command into Run, PowerShell, Terminal, or a scripting window is equivalent to launching an unknown program.
I also believe incident response teams should treat an ACR Stealer detection as a potential cloud identity compromise, not simply a malware cleanup task. The affected machine should be isolated, persistence removed, credentials rotated, tokens revoked, and cloud audit logs reviewed for suspicious access. Microsoft says the documented chains may not represent every delivery method used by the malware, making behavior-based monitoring particularly important. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/microsoft-warns-of-surge-in-acr-stealer-attacks-on-customers/))
