Microsoft Warns of ACR Stealer Surge Using ClickFix Lures

You have probably seen the lure without knowing its name. A web page shows what looks like a routine hiccup - a failed CAPTCHA, a document that will not load, a video that needs a codec - and helpfully offers the fix: copy this text, press Windows+R, and paste it in. That single, human step is called ClickFix, and Microsoft now warns it is fueling a surge in ACR Stealer infections across its enterprise customers, quietly siphoning browser passwords, session tokens and sensitive documents from organizations that never saw a malicious attachment.
Microsoft Sees a Surge in ACR Stealer
Between late April and mid-June 2026, Microsoft's Defender Experts tracked a sharp rise in attacks delivering ACR Stealer, an information-stealing malware sold as a service and believed to be a rebrand of the earlier Amatera Stealer. As BleepingComputer reports, the operators leaned on a consistent trio of techniques - the ClickFix social-engineering lure, WebDAV file shares and the built-in Windows MSHTA utility - to get their payload running on enterprise machines.
Microsoft was careful to note that the two campaigns it detailed are only the most prevalent it observed, not the full picture: additional execution chains almost certainly exist. For defenders, that is the point. ACR Stealer is a product, and its customers keep changing the wrapper around the same goal.
One Human Step at the Top of the Chain
Everything downstream depends on a single decision by a person. ClickFix works by convincing the victim to open a command interpreter - the Run dialog, PowerShell or a terminal - and paste in a command the attacker supplied, usually framed as a way to fix an error or prove they are human. No exploit, no macro warning, no unsigned-executable prompt. The user is the one who launches the attack, which is exactly why it slips past controls designed to stop code the user never asked for.
Microsoft's guidance reflects this bluntly: users should never copy and paste instructions into a command interpreter, especially when a page claims that doing so will fix an error or verify that they are human. Legitimate websites do not ask you to run commands to prove you are a person.
Two Delivery Chains, One Payload
From that first paste, Microsoft documented two main routes. In the first, the pasted command uses rundll32.exe to run a malicious DLL straight from a remote WebDAV share. The attackers structure the WebDAV paths with GUID-style folders and filenames that mimic legitimate resources, so the traffic blends into expected network activity. A heavily obfuscated PowerShell script then installs a bundled Python loader, creates a scheduled task disguised as a software update, tampers with file timestamps, clears PowerShell history and injects the final payload into a system process to run entirely in memory. Some variants even pull updated payload or command-and-control locations from public blockchain services, a dead-drop technique known as EtherHiding.
The second chain swaps rundll32 for MSHTA, the Microsoft HTML Application host. ClickFix launches MSHTA to fetch content from the attacker's server, which runs an obfuscated PowerShell downloader. That downloader then extracts an encrypted payload concealed inside an ordinary-looking JPEG using steganography and executes it directly in memory. Different tools, same design: legitimate Windows utilities, remotely hosted content and in-memory execution that leaves little on disk to scan.
What ACR Stealer Takes
Once running, the malware goes after the data most useful for follow-on attacks:
- Passwords, cookies, session data and authentication tokens saved in web browsers
- Chromium browser databases from Chrome and Edge, decrypted with the Windows Data Protection API (DPAPI)
- PDFs and Microsoft 365 documents from the Desktop and Downloads folders
- Enterprise-synchronized OneDrive and SharePoint directories
It archives everything and exfiltrates it to the attacker. The prize is not just a password - it is the stolen session tokens that let an attacker skip the login, and any MFA prompt, entirely, plus a haul of internal documents that fuel the next round of fraud and extortion.
The Human Break Point
Strip away the WebDAV shares, the steganography and the blockchain resolvers, and ACR Stealer's whole campaign rests on one person choosing to paste a stranger's command. That is a training problem before it is a tooling problem. Microsoft's technical mitigations matter - filtering web traffic, blocking low-reputation and newly registered domains, and using application-control rules to stop PowerShell, Python, mshta.exe and rundll32.exe from launching remote content out of user-writable paths - but every one of them is a backstop for the moment an employee almost pastes the command.
How empowsec Helps
This is precisely the gap security awareness training is built to close. ClickFix is a social-engineering technique, and employees can be taught to recognize it the same way they learned to distrust urgent invoices and lookalike login pages:
- Teach the one unbreakable rule. Never copy and paste a command into the Run box, PowerShell or a terminal because a website told you to - no legitimate site fixes errors or verifies humans that way.
- Rehearse the exact lure. Phishing simulations that recreate ClickFix pages - the fake CAPTCHA, the 'press Windows+R' instruction - let employees meet the trick in a safe environment before a real one reaches them.
- Target coaching where it breaks down. When a simulation reveals which teams are most likely to follow paste-to-fix instructions, training can go straight to them instead of the whole company.
- Reinforce token-theft awareness. Because stolen sessions bypass passwords and MFA, staff should know to report anything that felt off after running an unexpected command, so IT can revoke sessions fast.
Platforms like empowsec let security teams build and run exactly these scenarios - ClickFix-style simulations paired with short, targeted training - so the human step attackers depend on becomes the step that stops them.
Key Takeaways
- Microsoft reports a surge in ACR Stealer - a likely Amatera Stealer rebrand - against enterprise customers from late April to mid-June 2026.
- The attacks start with ClickFix, a social-engineering lure that tricks users into pasting a malicious command into a command interpreter to fix an error or prove they are human.
- Two chains follow: one using rundll32 with a remote WebDAV DLL, another using MSHTA and a payload hidden in a steganographic JPEG - both running in memory with legitimate Windows tools.
- The goal is theft of browser passwords, cookies and session tokens (decrypted via DPAPI) plus Microsoft 365 documents from OneDrive and SharePoint, and stolen tokens can bypass MFA.
- The whole chain hinges on one human action, so pair Microsoft's technical mitigations with security awareness training and ClickFix-style phishing simulations from platforms like empowsec.


