Episode 65: Two new threats debut
SHOW NOTES
In this episode of SecOps Weekly, Senior Threat Intelligence Analyst Stef Rand joins Keith McCammon to share the May 2026 Intelligence Insights.
The live discussion covers how ClearFake, a malicious JavaScript injection cluster, has risen to become the #1 threat, primarily using fake CAPTCHA and ‘paste and run’ techniques to distribute malware.
A significant focus is also placed on ACR Stealer, a Windows-based credential theft malware being delivered through ClearFake campaigns that often masquerade as legitimate software like Claude AI downloads.
The discussion includes technical analysis of how ACR Stealer uses in-memory execution and network shares to avoid detection, and introduces GraphRunner, a dual-use toolkit being abused in OAuth device code phishing campaigns, an emerging trend in identity-based attacks. Throughout the session, Keith and Stef analyze attack techniques, provide technical insights into malware delivery mechanisms, and discuss the evolution of social engineering lures that target tech-savvy users.
TIMESTAMPS
- 00:00 – Intro
- 01:15 – Welcome to SecOps Weekly
- 02:05 – May Intelligence Insights
- 03:26 – Odds and ends: Risers, fallers, and other observations
- 05:50 – Remember ClearFake?
- 09:00 – All about ACR Stealer
- 11:22 – Example ACR Stealer delivery and execution
- 24:00 – GraphRunner & device code phishing campaigns