ACR Stealer campaigns use ClickFix lures and fileless tradecraft
🔍 Microsoft Defender Experts observed heightened ACR Stealer activity from late April to mid-June 2026, using ClickFix social engineering to lure users into running commands that ultimately harvest browser credentials, tokens, and sensitive documents. Two prevalent campaigns were detailed: one using WebDAV-delivered DLLs, staged PowerShell, Python loaders, and optional blockchain-backed dead-drop C2 resolution; the other using fileless MSHTA, obfuscated PowerShell, and steganography-assisted in-memory execution. Both aim to exfiltrate credentials and enterprise data, and Microsoft recommends monitoring for ClickFix lures, suspicious WebDAV/MSHTA activity, obfuscated PowerShell, and attempts to access browser credential stores while leveraging Defender capabilities to detect and respond.
