Actor
Microsoft Defender Experts observed increased ACR Stealer activity from late April to mid-June 2026, using ClickFix social engineering lures in two distinct campaigns to steal browser credentials, authentication tokens, and sensitive documents from enterprise environments via WebDAV-based Python loaders or MSHTA-initiated PowerShell with steganography.