← feed

redcanary.2026.clearfake-clickfix-paste-and-run-acr-stealer

ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer

IIM chain for the ClearFake activity cluster, ranked the most prevalent threat in Red Canary's May 2026 intelligence insights. ClearFake injects JavaScript into compromised websites to deliver malware via drive-by techniques, frequently using fake CAPTCHA lures that trick users into executing code via malicious copy-and-paste (paste-and-run / ClickFix / fakeCAPTCHA). Red Canary reports ClearFake has delivered multiple payloads over time including ArechClient2 and LummaC2, and most recently ACR Stealer, a malware-as-a-service infostealer. The paste-and-run user-execution step is endpoint behaviour and is recorded only under attack_annotations.

confirmed IIM v1.1 ClearFake needs review
Raw JSON
entities5
relations4
techniques2
published2026-05-30 21:31:45

Infrastructure map

Role-based chain map

click nodes or numbered relations to inspect the infrastructure path
entryredirectorstagingpayloadc2

Chain storyline

ordered IIM positions
1
entry

domain

<compromised website with injected JS>

IIM-T004
2
redirector

file

injected JavaScript serving fake-CAPTCHA / ClickFix lure

IIM-T015
3
staging

url

<remote payload-retrieval host>

4
payload

file

ACR Stealer (MaaS infostealer)

5
c2

domain

<ACR Stealer C2 endpoint>

Relations

directed infrastructure edges
e1executee2 confirmed
e2downloade3 likely
e3dropse4 likely
e4connecte5 likely

Entities & evidence

observable inventory
IDTypeValueSource / evidence
e1 domain <compromised website with injected JS>
Reporting states ClearFake injects JavaScript into compromised websites to deliver malware via drive-by download techniques.
e2 file injected JavaScript serving fake-CAPTCHA / ClickFix lure
Reporting states ClearFake often uses fake CAPTCHA lures to trick users into executing code via malicious copy-and-paste (paste-and-run, ClickFix, fakeCAPTCHA).
Reporting attributes ClearFake's persistence in the top ranks to the ongoing effectiveness of paste-and-run as an initial execution technique.
e3 url <remote payload-retrieval host>
Reporting states the pasted command retrieves and executes the next-stage payload; the specific retrieval host was not published.
e4 file ACR Stealer (MaaS infostealer)
Reporting states the most recently observed ClearFake payload is ACR Stealer, debuting in the month's top ten.
Reporting describes ACR Stealer as a malware-as-a-service information stealer.
e5 domain <ACR Stealer C2 endpoint>
ACR Stealer operates as MaaS with operator-controlled C2; the specific C2 endpoint was not published in this ranking.

ATT&CK annotations

optional complementary mapping
T1189Drive-by Compromise

Injected JS on compromised sites.

T1204.004User Execution: Malicious Copy and Paste

ClickFix / paste-and-run.

T1059.001Command and Scripting Interpreter: PowerShell

Pasted command typically runs via PowerShell.

T1555Credentials from Password Stores

ACR Stealer harvests stored credentials.

Raw IIM JSON canonical body from MANTIS expand
{
  "iim_version": "1.1",
  "chain_id": "redcanary.2026.clearfake-clickfix-paste-and-run-acr-stealer",
  "title": "ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer",
  "description": "IIM chain for the ClearFake activity cluster, ranked the most prevalent threat in Red Canary's May 2026 intelligence insights. ClearFake injects JavaScript into compromised websites to deliver malware via drive-by techniques, frequently using fake CAPTCHA lures that trick users into executing code via malicious copy-and-paste (paste-and-run / ClickFix / fakeCAPTCHA). Red Canary reports ClearFake has delivered multiple payloads over time including ArechClient2 and LummaC2, and most recently ACR Stealer, a malware-as-a-service infostealer. The paste-and-run user-execution step is endpoint behaviour and is recorded only under attack_annotations.",
  "actor_id": "ClearFake",
  "observed_at": "2026-05-01T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": true,
  "x_source": {
    "title": "Intelligence Insights: May 2026",
    "publisher": "Red Canary",
    "url": "https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2026/",
    "published_at": "2026-05",
    "accessed_at": "2026-05-30T00:00:00Z",
    "source_type": "vendor monthly threat-intelligence ranking"
  },
  "x_source_title": "ClearFake JavaScript injection on compromised sites driving fake-CAPTCHA ClickFix paste-and-run to ACR Stealer",
  "x_source_url": "https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2026/",
  "x_iocs": {
    "activity_cluster": "ClearFake",
    "initial_execution_technique": "paste-and-run / ClickFix / fakeCAPTCHA",
    "delivery_method": "JavaScript injected into compromised websites (drive-by)",
    "current_payload": "ACR Stealer (MaaS infostealer)",
    "historical_payloads": [
      "ArechClient2",
      "LummaC2"
    ]
  },
  "x_limitations": [
    "No specific compromised-site domains, payload-staging URLs, or ACR Stealer C2 addresses were published in the ranking; e1, e3 and e5 values are placeholders.",
    "ClearFake is an activity cluster spanning many sites, not a single campaign; the chain models the canonical flow, not one victim.",
    "ClickFix paste-and-run is ATT&CK user-execution behaviour, not infrastructure.",
    "Whether the secondary payload host is a trusted platform (T006) is plausible but unconfirmed for this period; staging technique left empty."
  ],
  "entities": [
    {
      "id": "e1",
      "type": "domain",
      "value": "<compromised website with injected JS>",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "Red Canary Intelligence Insights May 2026",
      "evidence": [
        "Reporting states ClearFake injects JavaScript into compromised websites to deliver malware via drive-by download techniques."
      ],
      "x_placeholder": true,
      "x_chain_stage": "compromised_site_entry"
    },
    {
      "id": "e2",
      "type": "file",
      "value": "injected JavaScript serving fake-CAPTCHA / ClickFix lure",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "Red Canary Intelligence Insights May 2026",
      "evidence": [
        "Reporting states ClearFake often uses fake CAPTCHA lures to trick users into executing code via malicious copy-and-paste (paste-and-run, ClickFix, fakeCAPTCHA).",
        "Reporting attributes ClearFake's persistence in the top ranks to the ongoing effectiveness of paste-and-run as an initial execution technique."
      ],
      "x_chain_stage": "client_side_clickfix_redirector"
    },
    {
      "id": "e3",
      "type": "url",
      "value": "<remote payload-retrieval host>",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "Red Canary Intelligence Insights May 2026",
      "evidence": [
        "Reporting states the pasted command retrieves and executes the next-stage payload; the specific retrieval host was not published."
      ],
      "x_placeholder": true,
      "x_chain_stage": "payload_retrieval_staging"
    },
    {
      "id": "e4",
      "type": "file",
      "value": "ACR Stealer (MaaS infostealer)",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "Red Canary Intelligence Insights May 2026",
      "evidence": [
        "Reporting states the most recently observed ClearFake payload is ACR Stealer, debuting in the month's top ten.",
        "Reporting describes ACR Stealer as a malware-as-a-service information stealer."
      ],
      "x_chain_stage": "infostealer_payload"
    },
    {
      "id": "e5",
      "type": "domain",
      "value": "<ACR Stealer C2 endpoint>",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "Red Canary Intelligence Insights May 2026",
      "evidence": [
        "ACR Stealer operates as MaaS with operator-controlled C2; the specific C2 endpoint was not published in this ranking."
      ],
      "x_placeholder": true,
      "x_chain_stage": "infostealer_c2"
    }
  ],
  "chain": [
    {
      "entity_id": "e1",
      "role": "entry",
      "techniques": [
        "IIM-T004"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Compromised legitimate websites hosting the injected loader."
    },
    {
      "entity_id": "e2",
      "role": "redirector",
      "techniques": [
        "IIM-T015"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Client-side JavaScript / fake-CAPTCHA routing and paste-and-run."
    },
    {
      "entity_id": "e3",
      "role": "staging",
      "techniques": [],
      "role_confidence": "likely",
      "technique_confidence": "n/a",
      "review_notes": "Payload-retrieval host; substrate not published (T006 plausible if trusted-platform-hosted)."
    },
    {
      "entity_id": "e4",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "n/a",
      "review_notes": "ACR Stealer binary; execution/credential theft is ATT&CK."
    },
    {
      "entity_id": "e5",
      "role": "c2",
      "techniques": [],
      "role_confidence": "likely",
      "technique_confidence": "n/a",
      "review_notes": "ACR Stealer C2; endpoint not published."
    }
  ],
  "relations": [
    {
      "from": "e1",
      "to": "e2",
      "type": "execute",
      "sequence_order": 1,
      "observed_at": "2026-05-01T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Compromised site serves the injected JavaScript that renders the fake CAPTCHA / ClickFix lure."
      ]
    },
    {
      "from": "e2",
      "to": "e3",
      "type": "download",
      "sequence_order": 2,
      "observed_at": "2026-05-01T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "The paste-and-run command retrieves the next-stage payload from a remote host."
      ]
    },
    {
      "from": "e3",
      "to": "e4",
      "type": "drops",
      "sequence_order": 3,
      "observed_at": "2026-05-01T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Retrieval stage delivers ACR Stealer."
      ]
    },
    {
      "from": "e4",
      "to": "e5",
      "type": "connect",
      "sequence_order": 4,
      "observed_at": "2026-05-01T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "ACR Stealer connects to operator C2 to exfiltrate stolen data."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1189",
      "name": "Drive-by Compromise",
      "tactic": "Initial Access",
      "comment": "Injected JS on compromised sites."
    },
    {
      "technique_id": "T1204.004",
      "name": "User Execution: Malicious Copy and Paste",
      "tactic": "Execution",
      "comment": "ClickFix / paste-and-run."
    },
    {
      "technique_id": "T1059.001",
      "name": "Command and Scripting Interpreter: PowerShell",
      "tactic": "Execution",
      "comment": "Pasted command typically runs via PowerShell."
    },
    {
      "technique_id": "T1555",
      "name": "Credentials from Password Stores",
      "tactic": "Credential Access",
      "comment": "ACR Stealer harvests stored credentials."
    }
  ]
}