redcanary.2026.clearfake-clickfix-paste-and-run-acr-stealer
ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer
IIM chain for the ClearFake activity cluster, ranked the most prevalent threat in Red Canary's May 2026 intelligence insights. ClearFake injects JavaScript into compromised websites to deliver malware via drive-by techniques, frequently using fake CAPTCHA lures that trick users into executing code via malicious copy-and-paste (paste-and-run / ClickFix / fakeCAPTCHA). Red Canary reports ClearFake has delivered multiple payloads over time including ArechClient2 and LummaC2, and most recently ACR Stealer, a malware-as-a-service infostealer. The paste-and-run user-execution step is endpoint behaviour and is recorded only under attack_annotations.
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positionsdomain
<compromised website with injected JS>
file
injected JavaScript serving fake-CAPTCHA / ClickFix lure
url
<remote payload-retrieval host>
file
ACR Stealer (MaaS infostealer)
domain
<ACR Stealer C2 endpoint>
Relations
directed infrastructure edgese1executee2
confirmed
e2downloade3
likely
e3dropse4
likely
e4connecte5
likely
Entities & evidence
observable inventory| ID | Type | Value | Source / evidence |
|---|---|---|---|
e1 |
domain | <compromised website with injected JS> |
Reporting states ClearFake injects JavaScript into compromised websites to deliver malware via drive-by download techniques. |
e2 |
file | injected JavaScript serving fake-CAPTCHA / ClickFix lure |
Reporting states ClearFake often uses fake CAPTCHA lures to trick users into executing code via malicious copy-and-paste (paste-and-run, ClickFix, fakeCAPTCHA). Reporting attributes ClearFake's persistence in the top ranks to the ongoing effectiveness of paste-and-run as an initial execution technique. |
e3 |
url | <remote payload-retrieval host> |
Reporting states the pasted command retrieves and executes the next-stage payload; the specific retrieval host was not published. |
e4 |
file | ACR Stealer (MaaS infostealer) |
Reporting states the most recently observed ClearFake payload is ACR Stealer, debuting in the month's top ten. Reporting describes ACR Stealer as a malware-as-a-service information stealer. |
e5 |
domain | <ACR Stealer C2 endpoint> |
ACR Stealer operates as MaaS with operator-controlled C2; the specific C2 endpoint was not published in this ranking. |
ATT&CK annotations
optional complementary mappingInjected JS on compromised sites.
ClickFix / paste-and-run.
Pasted command typically runs via PowerShell.
ACR Stealer harvests stored credentials.
Raw IIM JSON canonical body from MANTIS expand
{
"iim_version": "1.1",
"chain_id": "redcanary.2026.clearfake-clickfix-paste-and-run-acr-stealer",
"title": "ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer",
"description": "IIM chain for the ClearFake activity cluster, ranked the most prevalent threat in Red Canary's May 2026 intelligence insights. ClearFake injects JavaScript into compromised websites to deliver malware via drive-by techniques, frequently using fake CAPTCHA lures that trick users into executing code via malicious copy-and-paste (paste-and-run / ClickFix / fakeCAPTCHA). Red Canary reports ClearFake has delivered multiple payloads over time including ArechClient2 and LummaC2, and most recently ACR Stealer, a malware-as-a-service infostealer. The paste-and-run user-execution step is endpoint behaviour and is recorded only under attack_annotations.",
"actor_id": "ClearFake",
"observed_at": "2026-05-01T00:00:00Z",
"confidence": "confirmed",
"needs_review": true,
"x_source": {
"title": "Intelligence Insights: May 2026",
"publisher": "Red Canary",
"url": "https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2026/",
"published_at": "2026-05",
"accessed_at": "2026-05-30T00:00:00Z",
"source_type": "vendor monthly threat-intelligence ranking"
},
"x_source_title": "ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer",
"x_source_url": "https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2026/",
"x_iocs": {
"activity_cluster": "ClearFake",
"initial_execution_technique": "paste-and-run / ClickFix / fakeCAPTCHA",
"delivery_method": "JavaScript injected into compromised websites (drive-by)",
"current_payload": "ACR Stealer (MaaS infostealer)",
"historical_payloads": [
"ArechClient2",
"LummaC2"
]
},
"x_limitations": [
"No specific compromised-site domains, payload-staging URLs, or ACR Stealer C2 addresses were published in the ranking; e1, e3 and e5 values are placeholders.",
"ClearFake is an activity cluster spanning many sites, not a single campaign; the chain models the canonical flow, not one victim.",
"ClickFix paste-and-run is ATT&CK user-execution behaviour, not infrastructure.",
"Whether the secondary payload host is a trusted platform (T006) is plausible but unconfirmed for this period; staging technique left empty."
],
"entities": [
{
"id": "e1",
"type": "domain",
"value": "<compromised website with injected JS>",
"observed_at": "2026-05-01T00:00:00Z",
"source": "Red Canary Intelligence Insights May 2026",
"evidence": [
"Reporting states ClearFake injects JavaScript into compromised websites to deliver malware via drive-by download techniques."
],
"x_placeholder": true,
"x_chain_stage": "compromised_site_entry"
},
{
"id": "e2",
"type": "file",
"value": "injected JavaScript serving fake-CAPTCHA / ClickFix lure",
"observed_at": "2026-05-01T00:00:00Z",
"source": "Red Canary Intelligence Insights May 2026",
"evidence": [
"Reporting states ClearFake often uses fake CAPTCHA lures to trick users into executing code via malicious copy-and-paste (paste-and-run, ClickFix, fakeCAPTCHA).",
"Reporting attributes ClearFake's persistence in the top ranks to the ongoing effectiveness of paste-and-run as an initial execution technique."
],
"x_chain_stage": "client_side_clickfix_redirector"
},
{
"id": "e3",
"type": "url",
"value": "<remote payload-retrieval host>",
"observed_at": "2026-05-01T00:00:00Z",
"source": "Red Canary Intelligence Insights May 2026",
"evidence": [
"Reporting states the pasted command retrieves and executes the next-stage payload; the specific retrieval host was not published."
],
"x_placeholder": true,
"x_chain_stage": "payload_retrieval_staging"
},
{
"id": "e4",
"type": "file",
"value": "ACR Stealer (MaaS infostealer)",
"observed_at": "2026-05-01T00:00:00Z",
"source": "Red Canary Intelligence Insights May 2026",
"evidence": [
"Reporting states the most recently observed ClearFake payload is ACR Stealer, debuting in the month's top ten.",
"Reporting describes ACR Stealer as a malware-as-a-service information stealer."
],
"x_chain_stage": "infostealer_payload"
},
{
"id": "e5",
"type": "domain",
"value": "<ACR Stealer C2 endpoint>",
"observed_at": "2026-05-01T00:00:00Z",
"source": "Red Canary Intelligence Insights May 2026",
"evidence": [
"ACR Stealer operates as MaaS with operator-controlled C2; the specific C2 endpoint was not published in this ranking."
],
"x_placeholder": true,
"x_chain_stage": "infostealer_c2"
}
],
"chain": [
{
"entity_id": "e1",
"role": "entry",
"techniques": [
"IIM-T004"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Compromised legitimate websites hosting the injected loader."
},
{
"entity_id": "e2",
"role": "redirector",
"techniques": [
"IIM-T015"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Client-side JavaScript / fake-CAPTCHA routing and paste-and-run."
},
{
"entity_id": "e3",
"role": "staging",
"techniques": [],
"role_confidence": "likely",
"technique_confidence": "n/a",
"review_notes": "Payload-retrieval host; substrate not published (T006 plausible if trusted-platform-hosted)."
},
{
"entity_id": "e4",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "n/a",
"review_notes": "ACR Stealer binary; execution/credential theft is ATT&CK."
},
{
"entity_id": "e5",
"role": "c2",
"techniques": [],
"role_confidence": "likely",
"technique_confidence": "n/a",
"review_notes": "ACR Stealer C2; endpoint not published."
}
],
"relations": [
{
"from": "e1",
"to": "e2",
"type": "execute",
"sequence_order": 1,
"observed_at": "2026-05-01T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"Compromised site serves the injected JavaScript that renders the fake CAPTCHA / ClickFix lure."
]
},
{
"from": "e2",
"to": "e3",
"type": "download",
"sequence_order": 2,
"observed_at": "2026-05-01T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"The paste-and-run command retrieves the next-stage payload from a remote host."
]
},
{
"from": "e3",
"to": "e4",
"type": "drops",
"sequence_order": 3,
"observed_at": "2026-05-01T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"Retrieval stage delivers ACR Stealer."
]
},
{
"from": "e4",
"to": "e5",
"type": "connect",
"sequence_order": 4,
"observed_at": "2026-05-01T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"ACR Stealer connects to operator C2 to exfiltrate stolen data."
]
}
],
"attack_annotations": [
{
"technique_id": "T1189",
"name": "Drive-by Compromise",
"tactic": "Initial Access",
"comment": "Injected JS on compromised sites."
},
{
"technique_id": "T1204.004",
"name": "User Execution: Malicious Copy and Paste",
"tactic": "Execution",
"comment": "ClickFix / paste-and-run."
},
{
"technique_id": "T1059.001",
"name": "Command and Scripting Interpreter: PowerShell",
"tactic": "Execution",
"comment": "Pasted command typically runs via PowerShell."
},
{
"technique_id": "T1555",
"name": "Credentials from Password Stores",
"tactic": "Credential Access",
"comment": "ACR Stealer harvests stored credentials."
}
]
}