Defenders are currently facing a renewed and highly effective infection chain using "ClickFix" social engineering to deploy the ACR Stealer. Active since 2024, this infostealer has evolved into a significant threat to enterprise environments. It bypasses traditional email filtering by leveraging the victim's manual interaction—specifically, enticing users to copy and paste malicious commands directly into the Windows Run dialog (Win+R).
The impact is immediate and severe: ACR Stealer targets the "keys to the kingdom." It exfiltrates saved browser passwords, live session tokens (which bypass MFA), and critical business documents from synced Microsoft 365, OneDrive, and SharePoint folders. Unlike commodity malware, this campaign targets authenticated sessions, allowing attackers to maintain persistence even after passwords are reset.
Technical Analysis
Delivery Chain: ClickFix Lures Microsoft Defender Experts have outlined two active delivery chains revolving around the ClickFix technique. The attack typically begins when a user lands on a compromised or malicious website (often disguised as a CAPTCHA verification or a browser error page).
- The Hook: The user sees a prompt claiming they need to verify their identity or fix a connection issue. A text box provides a "fix" command.
- User Action: The user copies the provided command and pastes it into the Windows Run box (
Win+R). This bypasses many path-restriction policies and directly invokes the Windows Shell. - Execution: The command typically launches PowerShell or CMD with obfuscated arguments designed to download and execute the ACR Stealer payload. Because the user initiates the action from a trusted shell context, it often inherits medium-integrity privileges without triggering standard "suspicious child process" alerts associated with browser exploitation.
Payload Functionality: ACR Stealer Once executed, the malware performs aggressive reconnaissance and data staging:
- Browser Token Theft: It scrapes SQLite databases (
Login Data,Cookies,Local Storage) from Chromium-based browsers (Chrome, Edge) and Gecko-based browsers (Firefox). The focus on "live session tokens" is critical; these tokens allow attackers to access cloud resources without needing the user's password or 2FA. - Cloud Siphoning: The malware specifically targets file paths associated with OneDrive and SharePoint sync folders, identifying and exfiltrating PDFs and Microsoft 365 documents.
- Persistence: While primarily an infostealer, variants often establish persistence via Registry Run keys or Scheduled Tasks to ensure continued data harvesting until detected.
Detection & Response
Sigma Rules
The following Sigma rules target the unique "ClickFix" behavior (user manually invoking a download script from the Run dialog) and the subsequent file access patterns of the stealer.
---
title: Potential ClickFix Activity via PowerShell Run Box
id: 8a2b1c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects suspicious PowerShell execution spawned by explorer.exe (Run box parent) containing download indicators common in ClickFix campaigns.
references:
- https://thehackernews.com/2026/07/acr-stealer-uses-clickfix-lures-to.html
author: Security Arsenal
date: 2026/07/17
tags:
- attack.execution
- attack.t1059.001
- attack.initial_access
- attack.t1190
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\explorer.exe'
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
CommandLine|contains:
- 'DownloadString'
- 'IEX '
- 'Invoke-Expression'
CommandLine|contains:
- 'http://'
- 'https://'
condition: selection
falsepositives:
- Legitimate administrative troubleshooting (rare)
level: high
---
title: ACR Stealer Browser Credential Access
id: 9b3c2d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects non-browser processes accessing browser credential databases (Login Data), a common behavior of ACR Stealer and similar infostealers.
references:
- https://thehackernews.com/2026/07/acr-stealer-uses-clickfix-lures-to.html
author: Security Arsenal
date: 2026/07/17
tags:
- attack.credential_access
- attack.t1555.003
logsource:
category: file_access
product: windows
detection:
selection:
TargetFilename|contains:
- '\Google\Chrome\User Data\Default\Login Data'
- '\Google\Chrome\User Data\Default\Cookies'
- '\Microsoft\Edge\User Data\Default\Login Data'
filter_legit_browsers:
Image|contains:
- '\chrome.exe'
- '\msedge.exe'
- '\brave.exe'
condition: selection and not filter_legit_browsers
falsepositives:
- Backup software or security scanners accessing browser data
level: high
KQL (Microsoft Sentinel)
Use this query to hunt for ClickFix execution chains within your environment. It correlates the process creation with immediate network connections, characteristic of malware beaconing home after manual execution.
let SuspiciousCommands = dynamic(['DownloadString', 'IEX', 'Invoke-Expression', 'FromBase64String']);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "explorer.exe"
| where ProcessFileName in~ ("powershell.exe", "cmd.exe", "pwsh.exe")
| where ProcessCommandLine has_any (SuspiciousCommands) and (ProcessCommandLine has "http" or ProcessCommandLine has "https")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, ProcessFileName
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(7d)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort
) on DeviceName, Timestamp
| where TimeGenerated between (ago(1m) .. now()) // Approximate correlation window
| summarize arg_max(Timestamp, *) by DeviceName, ProcessCommandLine
Velociraptor VQL
This artifact hunts for the specific file access patterns associated with ACR Stealer targeting OneDrive and SharePoint sync folders, as well as browser databases.
-- Hunt for ACR Stealer Indicators
SELECT
format(format="%H:%M:%S", timestamp=Sys.EventTime) as EventTime,
Sys.Username as User,
Process.Name as ProcessName,
Process.Cmdline as CommandLine,
File.FullPath as TargetFile,
File.Size as FileSize
FROM watch_process_file_operations(throttle=1000)
WHERE
-- Targeting Browser Secrets
TargetFile =~ "Login Data" OR TargetFile =~ "Cookies"
-- Excluding legitimate browser processes
AND Name NOT =~ "chrome.exe" AND Name NOT =~ "msedge.exe" AND Name NOT =~ "firefox.exe"
-- OR Targeting M365 Sync Folders
OR (TargetFile =~ "OneDrive" AND (TargetFile =~ ".docx" OR TargetFile =~ ".pdf"))
OR (TargetFile =~ "SharePoint" AND (TargetFile =~ ".docx" OR TargetFile =~ ".pdf"))
LIMIT 100
Remediation Script (PowerShell)
This script assists in identifying potential persistence mechanisms left by ACR Stealer and terminates active PowerShell processes initiated from the Run box path that match the ClickFix profile.
# ACR Stealer Remediation & Hunting Script
# Requires Admin Privileges
Write-Host "[*] Starting hunt for ACR Stealer indicators..." -ForegroundColor Cyan
# 1. Identify Suspicious Run Keys (Common persistence for stealers)
$suspiciousPaths = @("$env:TEMP", "$env:APPDATA")
$runKeys = @(
"HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
"HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($key in $runKeys) {
if (Test-Path $key) {
Get-Item $key | ForEach-Object {
$_.Property | ForEach-Object {
$value = (Get-ItemProperty -Path "$key\$_")."$_"
foreach ($path in $suspiciousPaths) {
if ($value -like "*$path*") {
Write-Host "[!] Suspicious Run Key found: $key\$_ -> $value" -ForegroundColor Red
# Uncomment to remove automatically:
# Remove-ItemProperty -Path $key -Name $_ -Force
}
}
}
}
}
}
# 2. Kill Suspicious Processes (ClickFix Pattern)
# Note: Verify these processes before killing in production
Write-Host "[*] Checking for suspicious PowerShell processes..." -ForegroundColor Cyan
$processes = Get-WmiObject Win32_Process | Where-Object {
$_.Name -eq "powershell.exe" -and
$_.CommandLine -match "(DownloadString|IEX|Invoke-Expression)" -and
$_.CommandLine -match "(http|https)"
}
if ($processes) {
foreach ($proc in $processes) {
Write-Host "[!] Terminating suspicious PID: $($proc.Handle) - $($proc.Name)" -ForegroundColor Red
Stop-Process -Id $proc.Handle -Force -ErrorAction SilentlyContinue
}
} else {
Write-Host "[-] No suspicious PowerShell processes found." -ForegroundColor Green
}
Write-Host "[*] Remediation check complete." -ForegroundColor Cyan
Write-Host "[*] CRITICAL STEP: Force revoke all M365 sessions for affected users via Entra ID Admin Center." -ForegroundColor Yellow
Remediation
-
Isolate and Reimage: If a host is confirmed infected, isolation is mandatory. Browser secrets and tokens are stored in memory and on disk; full reimaging is the only guaranteed method to ensure all malware artifacts and residual backdoors are removed.
-
Revocation of Sessions: Simply resetting passwords is insufficient against ACR Stealer. You must revoke active session tokens:
- Navigate to the Microsoft Entra admin center.
- Go to Users > Sign-ins.
- Identify the compromised user and select "Revoke sessions".
- Review "Sign-in risk" and "MFA settings" to ensure attackers have not added malicious methods.
-
User Education (Anti-Social Engineering): Update your security awareness training immediately. Employees must be instructed to never paste commands from websites into the Run dialog or Command Prompt. Emphasize that legitimate technical support will never ask a user to execute code via a pop-up box.
-
Attack Surface Reduction: Enable Attack Surface Reduction (ASR) rules in Microsoft Defender, specifically:
- "Block Office applications from creating child processes"
- "Block Win32 API calls from Office macro code" (relevant if similar macros are used)
- "Block Adobe Reader from creating child processes"
- Consider strict PowerShell Constrained Language Mode (CLM) for non-admin users via Group Policy to obfuscate the execution of the ClickFix payload.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.