{
  "iim_version": "1.1",
  "chain_id": "redcanary.2026.clearfake-clickfix-paste-and-run-acr-stealer",
  "title": "ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer",
  "description": "IIM chain for the ClearFake activity cluster, ranked the most prevalent threat in Red Canary's May 2026 intelligence insights. ClearFake injects JavaScript into compromised websites to deliver malware via drive-by techniques, frequently using fake CAPTCHA lures that trick users into executing code via malicious copy-and-paste (paste-and-run / ClickFix / fakeCAPTCHA). Red Canary reports ClearFake has delivered multiple payloads over time including ArechClient2 and LummaC2, and most recently ACR Stealer, a malware-as-a-service infostealer. The paste-and-run user-execution step is endpoint behaviour and is recorded only under attack_annotations.",
  "actor_id": "ClearFake",
  "observed_at": "2026-05-01T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": true,
  "x_source": {
    "title": "Intelligence Insights: May 2026",
    "publisher": "Red Canary",
    "url": "https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2026/",
    "published_at": "2026-05",
    "accessed_at": "2026-05-30T00:00:00Z",
    "source_type": "vendor monthly threat-intelligence ranking"
  },
  "x_source_title": "ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer",
  "x_source_url": "https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2026/",
  "x_iocs": {
    "activity_cluster": "ClearFake",
    "initial_execution_technique": "paste-and-run / ClickFix / fakeCAPTCHA",
    "delivery_method": "JavaScript injected into compromised websites (drive-by)",
    "current_payload": "ACR Stealer (MaaS infostealer)",
    "historical_payloads": [
      "ArechClient2",
      "LummaC2"
    ]
  },
  "x_limitations": [
    "No specific compromised-site domains, payload-staging URLs, or ACR Stealer C2 addresses were published in the ranking; e1, e3 and e5 values are placeholders.",
    "ClearFake is an activity cluster spanning many sites, not a single campaign; the chain models the canonical flow, not one victim.",
    "ClickFix paste-and-run is ATT&CK user-execution behaviour, not infrastructure.",
    "Whether the secondary payload host is a trusted platform (T006) is plausible but unconfirmed for this period; staging technique left empty."
  ],
  "entities": [
    {
      "id": "e1",
      "type": "domain",
      "value": "<compromised website with injected JS>",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "Red Canary Intelligence Insights May 2026",
      "evidence": [
        "Reporting states ClearFake injects JavaScript into compromised websites to deliver malware via drive-by download techniques."
      ],
      "x_placeholder": true,
      "x_chain_stage": "compromised_site_entry"
    },
    {
      "id": "e2",
      "type": "file",
      "value": "injected JavaScript serving fake-CAPTCHA / ClickFix lure",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "Red Canary Intelligence Insights May 2026",
      "evidence": [
        "Reporting states ClearFake often uses fake CAPTCHA lures to trick users into executing code via malicious copy-and-paste (paste-and-run, ClickFix, fakeCAPTCHA).",
        "Reporting attributes ClearFake's persistence in the top ranks to the ongoing effectiveness of paste-and-run as an initial execution technique."
      ],
      "x_chain_stage": "client_side_clickfix_redirector"
    },
    {
      "id": "e3",
      "type": "url",
      "value": "<remote payload-retrieval host>",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "Red Canary Intelligence Insights May 2026",
      "evidence": [
        "Reporting states the pasted command retrieves and executes the next-stage payload; the specific retrieval host was not published."
      ],
      "x_placeholder": true,
      "x_chain_stage": "payload_retrieval_staging"
    },
    {
      "id": "e4",
      "type": "file",
      "value": "ACR Stealer (MaaS infostealer)",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "Red Canary Intelligence Insights May 2026",
      "evidence": [
        "Reporting states the most recently observed ClearFake payload is ACR Stealer, debuting in the month's top ten.",
        "Reporting describes ACR Stealer as a malware-as-a-service information stealer."
      ],
      "x_chain_stage": "infostealer_payload"
    },
    {
      "id": "e5",
      "type": "domain",
      "value": "<ACR Stealer C2 endpoint>",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "Red Canary Intelligence Insights May 2026",
      "evidence": [
        "ACR Stealer operates as MaaS with operator-controlled C2; the specific C2 endpoint was not published in this ranking."
      ],
      "x_placeholder": true,
      "x_chain_stage": "infostealer_c2"
    }
  ],
  "chain": [
    {
      "entity_id": "e1",
      "role": "entry",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Compromised legitimate websites hosting the injected loader."
    },
    {
      "entity_id": "e2",
      "role": "redirector",
      "techniques": [
        "IIM-T015"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Client-side JavaScript / fake-CAPTCHA routing and paste-and-run."
    },
    {
      "entity_id": "e3",
      "role": "staging",
      "techniques": [],
      "role_confidence": "likely",
      "technique_confidence": "n/a",
      "review_notes": "Payload-retrieval host; substrate not published (T006 plausible if trusted-platform-hosted)."
    },
    {
      "entity_id": "e4",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "n/a",
      "review_notes": "ACR Stealer binary; execution/credential theft is ATT&CK."
    },
    {
      "entity_id": "e5",
      "role": "c2",
      "techniques": [],
      "role_confidence": "likely",
      "technique_confidence": "n/a",
      "review_notes": "ACR Stealer C2; endpoint not published."
    }
  ],
  "relations": [
    {
      "from": "e1",
      "to": "e2",
      "type": "execute",
      "sequence_order": 1,
      "observed_at": "2026-05-01T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Compromised site serves the injected JavaScript that renders the fake CAPTCHA / ClickFix lure."
      ]
    },
    {
      "from": "e2",
      "to": "e3",
      "type": "download",
      "sequence_order": 2,
      "observed_at": "2026-05-01T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "The paste-and-run command retrieves the next-stage payload from a remote host."
      ]
    },
    {
      "from": "e3",
      "to": "e4",
      "type": "drops",
      "sequence_order": 3,
      "observed_at": "2026-05-01T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Retrieval stage delivers ACR Stealer."
      ]
    },
    {
      "from": "e4",
      "to": "e5",
      "type": "connect",
      "sequence_order": 4,
      "observed_at": "2026-05-01T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "ACR Stealer connects to operator C2 to exfiltrate stolen data."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1189",
      "name": "Drive-by Compromise",
      "tactic": "Initial Access",
      "comment": "Injected JS on compromised sites."
    },
    {
      "technique_id": "T1204.004",
      "name": "User Execution: Malicious Copy and Paste",
      "tactic": "Execution",
      "comment": "ClickFix / paste-and-run."
    },
    {
      "technique_id": "T1059.001",
      "name": "Command and Scripting Interpreter: PowerShell",
      "tactic": "Execution",
      "comment": "Pasted command typically runs via PowerShell."
    },
    {
      "technique_id": "T1555",
      "name": "Credentials from Password Stores",
      "tactic": "Credential Access",
      "comment": "ACR Stealer harvests stored credentials."
    }
  ]
}