ACR Stealer Tricks Staff Into Typing the Attack Themselves

Microsoft says a fake-fix trick is pushing a data thief onto business PCs, walking off with passwords, session cookies and cloud files.

ThreatVectr Newsdesk· 4 min read
Full-frame photoreal shot of a laptop screen showing a generic fake browser error dialog, warm office lighting, blurred keyboard in foreground, moody editorial
Share

Key points

  • Microsoft's Defender Experts team on Thursday detailed two delivery chains pushing ACR Stealer, an information-stealing program active since 2024.
  • The malware grabs saved browser passwords, live login cookies, PDFs, Microsoft 365 documents and files synced from OneDrive and SharePoint.
  • Infections start with ClickFix lures, fake error pages that tell the visitor to paste a command into the Windows Run box.
  • Stolen session tokens let the attackers log into cloud accounts without needing the password or the multi-factor code.
  • Security vendors track ACR Stealer as a commodity tool sold to multiple criminal crews, so attribution to any single group is low confidence.

A data-stealing program called ACR Stealer is quietly walking out of company networks with the crown jewels: saved browser passwords, active login sessions, PDFs, Word and Excel files, and anything the victim has synced from OneDrive or SharePoint.

And it gets in because someone pastes a command into a Windows box and hits Enter.

Microsoft's Defender Experts team, an in-house group that hunts intrusions for paying customers, published two delivery chains on Thursday. Both start the same way. The trick is called ClickFix.

What is ClickFix, in plain English?

ClickFix is a fake error page. The victim lands on a website, or opens an attachment, and sees a message that looks like a normal browser hiccup: "Something went wrong, run this to fix it." The page then gives step-by-step instructions to open the Windows Run dialog and paste in a line of text.

That line of text is the attack. Pasting it downloads and runs ACR Stealer.

The reason it works is that the victim does the risky part themselves. No attachment to scan. No macro warning to click through. The malicious command lives on the clipboard for a second, then executes.

What does ACR Stealer actually take?

An infostealer is a program built for one job: scrape everything valuable off a machine and send it back to the criminals. ACR Stealer, in circulation since 2024, is a capable example.

Microsoft says it lifts:

  • Saved passwords from Chrome, Edge and other browsers.
  • Session cookies, the small files that keep you logged in to sites like Microsoft 365 or a bank. Steal the cookie and you can often walk straight into the account, skipping the password and the multi-factor prompt.
  • Local documents, including PDFs and Office files.
  • Anything sitting in a OneDrive or SharePoint folder that the machine has synced to disk.

That last point matters. Many staff treat OneDrive as a safe cloud vault. If it is syncing to the laptop, ACR sees it as a normal folder and copies what it wants.

Who is behind it?

Honest answer: nobody is naming a single group with confidence. ACR Stealer is a commodity tool, sold or rented on criminal forums, and multiple crews use it. The Hacker News, which first flagged the Microsoft write-up, notes the same lure family has been seen pushing several different payloads over the past year.

That makes attribution tricky. ClickFix as a technique has overlapping usage across financially motivated crews and at least one cluster with suspected state-linked interests. Same TTP, different hands. Treat any single-source naming with caution.

What should ordinary staff watch for?

One rule covers most of it. No legitimate website, help desk or IT team will ever ask you to open the Run box and paste in a command to fix a page. If a site tells you to do that, close the tab.

If you think you already did it, tell your IT team the same day. Changing your password is not enough on its own, because the stolen session cookie may still be valid. The account needs to be signed out everywhere and the tokens revoked.

For home users, the same logic applies to fake CAPTCHA pages and "verify you are human" prompts that ask you to press Windows-R. That is not a human check. That is the attack.

© 2026 Threat Vectr