Find notable cyber news and cases, enriched with sources, timelines, and signals.

ACR Stealer browser credential and document theft activity

Malware Activity
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

The ACR Stealer malware is actively stealing browser passwords, session tokens, and Microsoft 365 files from enterprise environments, turning ClickFix-style paste-and-run lures into credential and document theft. The activity spans late April to mid-June 2026 and uses both fileless and on-disk loader chains. Microsoft says the malware does not rely on a CVE and instead succeeds when a user pastes a command into the Run dialog.

Related Happenings

ClickLock Stealer macOS forced-interaction infostealer activity

Malware Activity
H score27 First: 16.07.2026 15:33 Last: 16.07.2026 15:33 Sources 1

About this happening: ClickLock Stealer is a macOS information-stealing malware that uses a ClickFix-style paste into Terminal and a fake system dialog to coerce users into entering the...

USB-spreading clipboard-stealing malware targeting cryptocurrency wallets

Malware Activity
H score27 First: 18.06.2026 19:20 Last: 18.06.2026 19:20 Sources 1

About this happening: A USB-spreading clipboard-stealing malware family is actively stealing seed phrases, private keys, and wallet addresses from Windows victims, putting cryptocurrenc...

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
H score38 First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The Vidar Stealer campaign is using ClickFix social engineering and compromised WordPress sites to deliver password-stealing malware, widening risk for infrastructur...

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
H score29 First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The Venom Stealer malware-as-a-service platform has been identified as a credential-theft threat that keeps exfiltrating data after infection, extending the window for...

Torg Grabber browser-extension theft activity

Malware Activity
H score36 First: 25.03.2026 20:32 Last: 25.03.2026 20:32 Sources 1

About this happening: The Torg Grabber infostealer is actively stealing data from 850 browser extensions, including 728 cryptocurrency wallet extensions, which raises the risk of account ta...

Timeline

  1. 17.07.2026 11:56 2 articles · 3h ago

    Microsoft details ACR Stealer ClickFix theft chains targeting browser credentials and Microsoft 365 files

    Technical Analysis Update

    Microsoft said Defender Experts observed ACR Stealer activity climb across customer environments from late April to mid-June 2026, with campaigns using ClickFix lures to steal browser credentials, authentication tokens, and sensitive documents. The report described a fileless chain that spawns mshta.exe, uses an embedded VBScript loader and PowerShell to run payloads in memory, and can extract code from a JPEG, plus a disk-based chain that pulls a DLL from a WebDAV share, hides execution with conhost.exe --headless, and drops a ZIP and pythonw.exe loader. Microsoft also said neither chain exploits a vulnerability and advised victims to revoke tokens and rotate credentials.

    Show sources