ACR Stealer, ClickFix, and why the Run box still works
Microsoft's Defender Experts detailed two ACR Stealer chains Thursday. Both start with a Run-dialog paste — and walk out with browser tokens and M365 files.
Microsoft’s Defender Experts team on Thursday published a breakdown of two active delivery chains for ACR Stealer — an infostealer in circulation since 2024, previously sold on Russian-speaking forums under the handle SheldIO and also tracked as AcridRain and Amatera — that between them are walking out of enterprise networks with saved browser passwords, live session tokens, PDFs, Microsoft 365 documents, and files from synced OneDrive and SharePoint folders. One chain runs fileless in memory. The other leaves traces on disk. Both begin, per Microsoft, with a user pasting a command into the Windows Run dialog and pressing Enter.
Microsoft shipped three Defender XDR hunting queries and sixteen campaign domains along with the writeup. SANS Internet Storm Center handler Brad Duncan documented a Windows infection on May 26 driven by a Claude AI impersonation lure that fits the same pattern; the Hacker News writeup links Duncan’s material to Microsoft’s newer campaign infrastructure directly. What ACR Stealer targets on the host is the boring, useful stuff — Chrome and Edge Login Data and Web Data databases, PDFs sitting on the Desktop and in Downloads, and the two OneDrive/SharePoint sync roots. Nothing exotic. Nothing that needs a kernel bug or a firmware trick. A running user account with browser sessions and a synced Microsoft 365 folder is the payload.
Analysis: patching does not remove the paste-and-run path
Analysis, not incident reporting. What follows is a reading of Microsoft’s writeup and Duncan’s May diary, not new field observation of my own.
There is no CVE in this story. The article says so directly — “patching does not remove the paste-and-run path” — and that line is worth sitting with, because it is the reason a two-year-old infostealer is still moving M365 files in July 2026. ACR Stealer does not need a browser bug. It does not need a Windows bug. It needs a person to see a page that asks them to open a Run dialog, paste a string, and press Enter. That is the entire chain up to code execution. Every other technical component — the fileless variant, the disk-touching variant, the sixteen infrastructure domains, the campaign lures dressed up as fake CAPTCHAs or as Claude — is downstream of a decision the user made in about four seconds.
The pattern is old. Word-macro warnings in the late nineties, Office document “enable content” prompts through the 2000s, “run this PowerShell one-liner to fix your printer” support-scam variants through the 2010s, the entire ClickFix family since roughly 2024 — the wrapping paper keeps changing and the mechanism does not. You do not have to breach anything if the user will execute code you handed them. It has been the fastest working path into a Windows environment for the better part of thirty years, and every wave of it gets rediscovered by whichever platform is currently ambient enough for a novice to trust a page it renders. Right now the ambient platform is a chatbot’s front door, so the lures dress up as chatbots.
The interesting bit in Microsoft’s writeup is not the malware. Amatera and its predecessors have been documented in reasonable depth since SheldIO’s shop got taken offline in July 2024 and the codebase quietly changed hands. The interesting bit is that Microsoft’s own defensive prescription pointedly does not include “wait for a patch.” It includes removing the Run prompt via Group Policy, blocking mshta.exe via AppLocker or WDAC, and controlling which processes are allowed to launch content pulled from the internet — the same short list defenders have been writing on the same whiteboard for a decade. None of those controls are new. All of them are still, in most environments, unfinished business.
What to do about it
For anyone actually running a Windows fleet: the Defender Experts writeup is worth pulling the three XDR hunting queries out of directly and running them against the last thirty days, on the working assumption that if the lures work as well as Microsoft says they do, some of your users have already tried them. Rotate credentials and revoke session tokens on anything that flags. The sixteen campaign domains are worth pushing into your DNS blocklist regardless. And if the Run box has never been removed via Group Policy in your environment because “somebody might need it” — the counter-argument is roughly the two paragraphs above.
The CISA-published guidance on social-engineering defense is the boring version of the same story. It has been the boring version for a long time. That is not a criticism. Some of the most load-bearing controls in this discipline are exactly this unglamorous, and stay unglamorous for the same reason the paste-and-run technique stays effective — nobody is under external pressure to close either one until they are already inside the story.
Found this useful? Share it.


