Signal
ACR Stealer campaigns use ClickFix lures to steal browser credentials and Microsoft 365 files
Evidence first: scan the strongest sources, then decide whether to go deeper.
Published 2026-07-16 12:00 UTCUpdated 2026-07-17 08:56 UTC
rss
cveexploitsmalwareincident_responsesecurity_policy
Trend in the last 24h
Source links open
Source links and full evidence are open here. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.
No card needed for the free brief.
Evidence trail (top sources)
top sources (2 domains)domains are deduped. counts indicate coverage, not truth.2 top sources shown
limited source diversity in top sources
Overview
Between late April and mid-June 2026, security researchers observed a surge in ACR Stealer malware targeting enterprises.
Score total
1.02
Momentum 24h
2
Posts
2
Origins
2
Source types
1
Duplicate ratio
0%
Why now
- A surge in ACR Stealer activity was observed from April to June 2026.
- Two distinct intrusion chains have been actively targeting enterprises during this period.
- Microsoft and security researchers have issued detailed guidance to aid detection and mitigation.
Why it matters
- ACR Stealer compromises browser credentials and cloud files, risking enterprise account takeover and data loss.
- The malware uses advanced delivery chains including steganography and blockchain command-and-control, complicating detection.
- Proactive monitoring for specific lures and suspicious activity can help prevent successful intrusions.
LLM analysis
Topic mix: lowPromo risk: lowSource quality: high
Recurring claims
- ACR Stealer campaigns use ClickFix lures to steal browser credentials and Microsoft 365 files.
- Two distinct intrusion chains have been observed: one with WebDAV-based Python loaders and blockchain C2, another with MSHTA-initiated PowerShell and steganography.
How sources frame it
- Microsoft Defender Experts: neutral
All evidence
All evidence
ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files
thehackernews · thehackernews.com · 2026-07-17 08:56 UTC
ACR Stealer: Two observed intrusion chains amid increased threat activity
Microsoft Security Blog · microsoft.com · 2026-07-16 23:12 UTC
Show filters & breakdown
Posts loaded: 0Publishers: 2Origin domains: 2Duplicates: -
Showing 2 / 0
Top publishers (this list)
- thehackernews (1)
- Microsoft Security Blog (1)
Top origin domains (this list)
- thehackernews.com (1)
- microsoft.com (1)