Microsoft Defender Experts observed increased activity from the ACR Stealer malware between late April and mid-June 2026, with two distinct campaigns using ClickFix social engineering lures to compromise enterprise environments. The malware steals browser credentials, authentication tokens, and sensitive documents from Microsoft 365.
Both campaigns begin with a fake error page displayed through malvertising or SEO-manipulated search results. The page instructs the user to run a command that launches cmd.exe, which then loads a malicious DLL from a remote WebDAV share. ACR Stealer is offered as a malware-as-a-service product and is associated with the rebranding of the Amatera Stealer family.
The first campaign uses WebDAV-delivered payloads with Python-based loaders and blockchain-backed dead-drop command-and-control resolution. The second campaign takes a more fileless approach, using MSHTA, obfuscated PowerShell, and steganography-assisted in-memory execution. Both ultimately exfiltrate browser credential stores and session tokens for follow-on attacks.
Microsoft recommends security teams prioritize monitoring for ClickFix lures, suspicious WebDAV activity, obfuscated PowerShell execution, and attempts to access browser credential stores. Microsoft Defender for Endpoint provides behavioral coverage for both campaign types.
