ClickFix: How ACR Stealer Bypasses Defenses Using Human Error
In the cybersecurity world, we spend a lot of time talking about sophisticated zero-day exploits and complex code vulnerabilities. But what happens when the malware doesn’t need to hack your computer, because it can just convince you to do it? Enter ACR Stealer, a highly effective infostealer that is currently wreaking havoc on enterprise networks without exploiting a single software bug.
The Attack Vector: Copy, Paste, Compromise ACR Stealer (which researchers believe might be a rebranded version of the Amatera or GrMsk stealer) targets saved browser passwords, live session tokens, and sensitive Microsoft 365 and SharePoint documents. But its delivery method is what makes it so insidious. It relies on “ClickFix” lures—highly convincing social engineering tactics like fake CAPTCHA verifications, malicious Google ads, or pages impersonating popular AI assistants like Anthropic’s Claude.
These deceptive pages instruct the user to resolve an “error” by copying a command, opening the Windows “Run” dialog box, and pasting it in. The moment the user hits Enter, the game is over.
Hiding in the Pixels Microsoft’s Defender Experts recently highlighted two primary attack chains used by this malware. The most fascinating one is entirely “fileless.” Once the user runs the command, a script reaches out to an image-hosting service and downloads what appears to be a standard JPEG image. However, the malicious payload is actually hidden inside the pixels of the image using steganography. The script carves out the payload, decrypts it in the system’s memory, and immediately begins scraping Chrome and Edge databases for cookies and DPAPI-encrypted passwords.
Another variant utilizes a technique called EtherHiding, where the malware reaches out to public blockchain infrastructure to retrieve its command-and-control (C2) instructions, making it incredibly difficult for authorities to take down the attackers’ servers.
How to Defend Against It Because this attack bypasses traditional software vulnerabilities, patching isn’t the solution. Network defenders need to restrict access to the Windows Run prompt via Group Policy (GPO) and block unnecessary built-in executables like mshta.exe using AppLocker. Most importantly, if an employee falls for this trick, simply changing their password isn’t enough; security teams must actively revoke their session tokens, as ACR Stealer specializes in bypassing multi-factor authentication (MFA) by stealing active browser sessions.
