ACR Stealer ClickFix Attacks: What to Check After Running the Command

Stephanie Adlam
6 Min Read
ACR Stealer ClickFix attack pulling browser passwords and session tokens from a compromised Windows PC.
A fake ClickFix verification command can lead to browser credential, session-token, and document theft.

Microsoft says ACR Stealer activity increased from late April through mid-June 2026, with two ClickFix campaigns repeatedly appearing in investigated intrusions. Both begin by convincing a Windows user to run a command from a fake verification page. One chain uses WebDAV, rundll32.exe, PowerShell, and a Python loader; the other uses mshta.exe, obfuscated PowerShell, and a payload hidden inside an image. Both end by stealing browser passwords, cookies, authentication tokens, and sensitive documents.

The important distinction is execution. Merely seeing and closing a fake verification page does not prove infection. If you pasted or ran its command, however, treat the device and browser sessions as potentially compromised even if no installer window appeared.

Who should check for ACR Stealer activity

Act now if a page claiming to verify that you are human, fix a browser error, or unlock content told you to press Win+R, paste a command, open Terminal, or run PowerShell. The same applies if a command briefly opened a console, launched rundll32.exe or mshta.exe, or appeared to do nothing after you followed the instructions.

If you need a broader explanation of this social-engineering trick, see our Fake CAPTCHA ClickFix response guide. The ACR Stealer campaigns described here add specific WebDAV, scheduled-task, and browser-session evidence to check.

How the two ACR Stealer chains differ

Observed chain Evidence and practical meaning
WebDAV and Python loader The ClickFix command can call rundll32.exe against a remote WebDAV share, sometimes after pushd maps it as a temporary drive. Later stages use PowerShell, a bundled pythonw.exe, and a hidden scheduled task.
MSHTA and steganography mshta.exe retrieves remote HTA content, which starts obfuscated PowerShell. A later script extracts encrypted code from image pixels and runs it in memory, leaving fewer normal files to find.
Shared objective Both chains access Chromium browser credential stores and Windows DPAPI data, then collect passwords, cookies, tokens, PDFs, Microsoft 365 documents, and files in synced locations.

The WebDAV chain can deploy files under a deceptive path such as %LocalAppData%\Temp\LogiOptionsPlus. Microsoft also observed scheduled tasks disguised as software updates, copied timestamps from trusted Windows files, and cleared PowerShell history. The second chain is more memory-focused, so the absence of an obvious downloaded executable is not a clean bill of health.

What to check after running the ClickFix command

  1. Disconnect the affected PC from networks. Do not sign in to more accounts from it. If it is a managed work device, contact the security team before deleting evidence.
  2. Preserve the command you ran. Take a photo or screenshot of the page if it is still open, but do not repeat the command. Windows Run history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU may help responders identify rundll32, pushd, WebDAV @ssl, conhost --headless, or mshta activity.
  3. Review recently created scheduled tasks and user-writable folders. Investigate update-like tasks whose action starts PowerShell or pythonw.exe, especially names resembling Autoupdate followed by digits. Do not delete a task only because its name looks unfamiliar; verify its action, file path, timestamp, and signer first.
  4. Run a full malware scan. ACR Stealer may combine a visible loader with scheduled-task persistence or in-memory stages. Use Gridinsoft Anti-Malware to check for loaders, hidden files, startup entries, scheduled tasks, and related remnants, then reboot and scan again if alerts or unusual processes return.
  5. From a clean device, change passwords and revoke sessions. Start with your primary email, password manager, work identity, banking, crypto, and social accounts. Changing a password alone may not invalidate every stolen cookie or token, so use each service’s sign-out-all-sessions or device-removal control.
  6. Review cloud and browser activity. Check forwarding rules, recovery details, connected apps, recent sign-ins, downloads, and security alerts. Browser sync can carry sensitive data across devices; rotate credentials before signing the cleaned PC back in.

A security tool can remove detected malware and persistence, but it cannot make a stolen password or session token secret again. If account theft continues, the device handled highly sensitive data, or evidence points to fileless execution that cannot be scoped, preserve what your responder needs and consider a clean Windows reinstall.

What not to assume

  • No visible download does not mean nothing ran. WebDAV and in-memory PowerShell can retrieve and execute later stages without a familiar installer.
  • MFA does not automatically cancel stolen sessions. A valid cookie or token can sometimes remain useful until it is explicitly revoked or expires.
  • One clean scan does not prove no data was stolen. Treat credential and session response as a separate task from malware removal.

For a broader account-recovery sequence after an information stealer, use our infostealer cleanup and session-response checklist.

References

  1. Microsoft Security Research and Balaji Venkatesh S. “ACR Stealer: Two observed intrusion chains amid increased threat activity.” Microsoft Security Blog, July 16, 2026, accessed July 17, 2026. Microsoft Security research report.
Share This Article
Follow:
Stephanie is our wordsmith, transforming technical research into engaging content that resonates with users. Her expertise in cybercrime prevention and online safety ensures that Gridinsoft's advice is accessible to everyone—whether they’re tech-savvy or not.
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?