Microsoft sees spike in ACR Stealer attacks lifting passwords and session tokens from browsers

The info-stealer is arriving through fake 'fix this error' prompts and hidden inside JPEG images, and it walks off with the browser cookies that keep users signed in.

ThreatVectr Newsdesk· 4 min read
Full-frame close-up of a laptop screen showing a fake browser error dialog with a copy-paste instruction box, warm desk lamp light, blurred office background, m
Share

Key points

  • Microsoft reported a surge in ACR Stealer infections against enterprise customers between late April and mid-June 2025.
  • The malware steals browser passwords, cookies and authentication tokens, the small files that keep you signed in to sites like Microsoft 365.
  • Attackers are using a social-engineering trick called ClickFix, which asks victims to paste a command into Windows to 'fix' a fake error.
  • One variant hides its payload inside an ordinary-looking JPEG image using steganography, the practice of concealing data inside pictures.
  • Microsoft says ACR Stealer is sold as a service and appears to be a rebrand of the earlier Amatera Stealer.

Microsoft is warning its business customers about a sharp rise in attacks using a piece of malicious software called ACR Stealer. The tool is built for one job: quietly lifting the passwords, session cookies and login tokens that browsers keep on file.

Those tokens matter more than most people realise. They are the reason you do not have to type your password every morning. Steal the token, and you often skip the login screen entirely, and the multi-factor prompt with it.

The campaigns ran from late April through mid-June 2025, according to Microsoft, and were first covered in detail by BleepingComputer.

How are people getting infected?

Most victims are being tricked by a scam known as ClickFix. A web page pops up claiming there is an error, or asks the visitor to prove they are human, and instructs them to open Windows and paste in a short command. The command is the attack.

In the first version Microsoft is seeing, that pasted command reaches out to a remote file share and runs a malicious library file using a normal Windows tool called rundll32.exe. Because rundll32 is a legitimate part of Windows, security software is less likely to flag it.

The attackers dress up their file share to look innocent. They use folder names and file paths that mimic real services, for example something resembling a Google address, so the traffic blends in.

Once that first file runs, it calls home to a server the attackers control and pulls down a heavily scrambled PowerShell script. PowerShell is a scripting tool built into Windows. The script installs a Python-based loader, sets up a scheduled task disguised as a software update, wipes its own history, and injects the final payload straight into memory so nothing suspicious is left on disk.

Some versions go a step further and use public blockchains as a hiding place for their next set of instructions, a technique researchers call EtherHiding.

The second version swaps rundll32 for another built-in Windows tool, mshta.exe, which is meant to run HTML-based applications. It fetches a PowerShell downloader, which then pulls a JPEG image from a public host. That image has the real malware stitched into its pixels. The code is extracted and run entirely in memory.

What does the malware actually take?

Once inside, ACR Stealer goes straight for the browser. It targets Chrome and Edge, using the Windows Data Protection API (DPAPI, the built-in system that decrypts saved passwords) to unlock the goods.

It grabs saved passwords, cookies, session data and authentication tokens. It hunts for PDFs and Microsoft 365 documents on the Desktop and in Downloads. It also looks at OneDrive and SharePoint folders that companies sync to employee laptops. Everything is bundled up and shipped out to the attacker.

Stolen session tokens are the painful part here. Multi-factor authentication, the second step where you approve a login on your phone, does not help once the token has already been minted and stolen. The attacker replays it and is treated as you.

What should ordinary users and IT teams do?

The single most useful habit: never paste a command into Windows because a website told you to. No real error fix, no real 'prove you're human' check, ever asks for that.

Microsoft is telling IT teams to block newly registered or low-reputation domains, and to use application control rules that stop tools like PowerShell, mshta.exe and rundll32.exe from running content pulled off the internet, especially from folders a normal user can write to. The company has published indicators of compromise for defenders to feed into their monitoring.

If you think you clicked, changing passwords is not enough on its own. Sign out of every active session on the affected accounts so the stolen tokens stop working.

© 2026 Threat Vectr