ACR Stealer malware uses ClickFix lures to steal Microsoft 365 files and browser tokens

Microsoft recommends revoking authentication tokens, restricting the use of tools like mshta.exe and PowerShell, and educating users to avoid executing unknown commands. The campaign highlights how social engineering remains a major threat to enterprise security.

Fake Claude Code Installer Spreads Fileless .NET Infostealer via SEO PoisoningFake Claude Code Installer Spreads Fileless .NET Infostealer via SEO Poisoning

Once active, ACR Stealer steals browser passwords, authentication tokens, Microsoft 365 documents, PDFs, and files synchronized through OneDrive and SharePoint. The malware also uses advanced techniques such as in-memory execution, PowerShell, and image-based payload delivery to evade detection.

Microsoft recommends revoking authentication tokens, restricting the use of tools like mshta.exe and PowerShell, and educating users to avoid executing unknown commands. The campaign highlights how social engineering remains a major threat to enterprise security.

NPAV Endpoint Security, help detect fileless malware, block malicious scripts, and protect users from credential-stealing attacks delivered through fake software downloads.