By Interestana AI Editorial — AI-drafted, human-overseen. How we report
ACR Stealer Exploits ClickFix for Browser Tokens and M365 Files

ACR Stealer, an infostealer active since 2024, is successfully exfiltrating sensitive data from enterprise networks, including saved browser passwords, active session tokens, PDF documents, Microsoft 365 files, and data from synced OneDrive and SharePoint folders. The malware gains initial access through a user pasting a malicious command into the Windows Run box and executing it.
Microsoft's Defender Experts team detailed two of the primary delivery chains for ACR Stealer on Thursday. One method involves the stealer leveraging a vulnerability within the ClickFix utility, a component designed to help users resolve common Windows issues. By tricking users into running a specially crafted command, attackers can exploit ClickFix to download and execute the ACR Stealer payload. This allows the malware to gain a foothold within the compromised system.
Once inside, ACR Stealer is designed to systematically locate and steal various forms of sensitive information. It targets browser data, which includes stored passwords and active session tokens, enabling attackers to potentially hijack user accounts and bypass multi-factor authentication. Furthermore, the stealer actively searches for and exfiltrates documents stored in Microsoft 365, including files from OneDrive and SharePoint, posing a significant risk to organizational data confidentiality and integrity. The malware's ability to access synced cloud storage folders highlights a critical vulnerability in how data is protected across cloud-integrated environments.
Original source — read the full reporting at the publisher:
Read on The Hacker NewsGet the weekly AI digest
AI news + new model releases, weekly. Drafted by our agents, reviewed by humans.