Signal

ACR Stealer campaigns use ClickFix lures to steal browser credentials and Microsoft 365 files

Evidence first: scan the strongest sources, then decide whether to go deeper.

Published 2026-07-16 12:00 UTCUpdated 2026-07-17 08:56 UTC
rss
cveexploitsmalwareincident_responsesecurity_policy
Trend in the last 24h
Source links open
Source links and full evidence are open here. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.
No card needed for the free brief.
Evidence trail (top sources)
top sources (2 domains)domains are deduped. counts indicate coverage, not truth.
2 top sources shown
ACR Stealer: Two observed intrusion chains amid increased threat activity
Microsoft Security Blog · News · microsoft.com · 2026-07-16 23:12 UTC
limited source diversity in top sources
Overview

Between late April and mid-June 2026, security researchers observed a surge in ACR Stealer malware targeting enterprises.

Score total
1.02
Momentum 24h
2
Posts
2
Origins
2
Source types
1
Duplicate ratio
0%
Why now
  • A surge in ACR Stealer activity was observed from April to June 2026.
  • Two distinct intrusion chains have been actively targeting enterprises during this period.
  • Microsoft and security researchers have issued detailed guidance to aid detection and mitigation.
Why it matters
  • ACR Stealer compromises browser credentials and cloud files, risking enterprise account takeover and data loss.
  • The malware uses advanced delivery chains including steganography and blockchain command-and-control, complicating detection.
  • Proactive monitoring for specific lures and suspicious activity can help prevent successful intrusions.
LLM analysis
Topic mix: lowPromo risk: lowSource quality: high
Recurring claims
  • ACR Stealer campaigns use ClickFix lures to steal browser credentials and Microsoft 365 files.
  • Two distinct intrusion chains have been observed: one with WebDAV-based Python loaders and blockchain C2, another with MSHTA-initiated PowerShell and steganography.
How sources frame it
  • Microsoft Defender Experts: neutral
All evidence
All evidence
ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files
thehackernews · thehackernews.com · 2026-07-17 08:56 UTC
ACR Stealer: Two observed intrusion chains amid increased threat activity
Microsoft Security Blog · microsoft.com · 2026-07-16 23:12 UTC
Show filters & breakdown
Posts loaded: 0Publishers: 2Origin domains: 2Duplicates: -
Showing 2 / 0
Top publishers (this list)
  • thehackernews (1)
  • Microsoft Security Blog (1)
Top origin domains (this list)
  • thehackernews.com (1)
  • microsoft.com (1)