ACR Stealer, an infostealer active since 2024, infiltrates enterprise networks and exfiltrates saved browser passwords, session tokens, PDF documents, and Microsoft 365 files from OneDrive and SharePoint folders. The malware gains initial access through social engineering tactics involving ClickFix lures, which trick users into executing commands via the Windows Run dialog box.
Microsoft's Defender Experts team disclosed two delivery chains on Thursday. The ClickFix technique exploits user trust by posing as legitimate browser or system warnings, prompting victims to copy and paste commands into the Run box (Windows key + R). Once executed, these commands download and deploy ACR Stealer onto the infected system.
The threat proves particularly damaging in enterprise environments. ACR Stealer targets credentials stored in major browsers including Chrome, Edge, Firefox, and Opera. Beyond password harvesting, it captures active session tokens, which allow attackers to bypass multi-factor authentication and assume authenticated sessions to cloud services. Microsoft 365 document theft compounds the risk, as attackers gain access to email, spreadsheets, presentations, and other sensitive business data without triggering MFA alerts.
Organizations face elevated risk because ACR Stealer operates post-compromise after establishing persistent access. The malware's focus on cloud storage integration means it can harvest files synchronized to local machines through OneDrive and SharePoint, expanding the scope of stolen data beyond traditional local storage.
The delivery mechanism leverages human error rather than patching gaps. No zero-day vulnerability enables ACR Stealer's deployment. Security awareness training remains the primary defense. Users who understand that legitimate vendors never request command-line execution for troubleshooting can recognize and reject ClickFix lures.
Defender and EDR solutions can detect ACR Stealer through behavioral analysis of suspicious command execution and credential access attempts. Organizations should enforce
