Executive Summary
In May 2026, multiple sophisticated cyber threats emerged, notably the ClearFake campaign, which utilized advanced web injection techniques to deploy the Amatera Stealer malware. This malware, an evolution of the ACR Stealer, was distributed through deceptive methods such as EtherHiding and ClickFix, leading to significant data exfiltration. Additionally, the GraphRunner malware debuted, exploiting vulnerabilities in cloud services to execute unauthorized code, posing substantial risks to cloud infrastructure security.
These incidents underscore a concerning trend: cybercriminals are increasingly leveraging complex, multi-stage attacks that combine social engineering with technical exploits. The rise of such sophisticated malware campaigns highlights the urgent need for organizations to enhance their cybersecurity measures and remain vigilant against evolving threats.
Why This Matters Now
The emergence of advanced malware like Amatera Stealer and GraphRunner signifies a shift towards more complex cyberattack methodologies, emphasizing the necessity for organizations to adopt comprehensive security strategies to mitigate these evolving threats.
Attack Path Analysis
The attack began with users visiting compromised websites, leading to the execution of malicious JavaScript that presented fake reCAPTCHA prompts. Upon interaction, users were tricked into downloading and executing malicious payloads, resulting in the installation of Amatera Stealer. The malware established command and control channels using NTSockets, allowing attackers to exfiltrate sensitive data. The final impact included unauthorized access to personal information and potential financial loss.
Kill Chain Progression
Initial Compromise
Description
Users visited compromised websites that executed malicious JavaScript, presenting fake reCAPTCHA prompts to initiate the attack.
Related CVEs
CVE-2024-21412
CVSS 8.1A security feature bypass vulnerability in Microsoft Windows SmartScreen allows attackers to evade security warnings, potentially leading to the execution of malicious code.
Affected Products:
Microsoft Windows – 10, 11
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Drive-by Compromise
Command and Scripting Interpreter: PowerShell
Application Layer Protocol: Web Protocols
Credentials from Password Stores: Credentials from Web Browsers
Archive Collected Data: Archive via Utility
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – User and Device Authentication
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
ClearFake campaigns and ACR Stealer directly threaten banking credentials and financial data through advanced social engineering and credential harvesting attacks.
Information Technology/IT
GraphRunner's cloud infrastructure targeting and multi-stage attack vectors pose significant risks to IT service providers and their client environments.
Health Care / Life Sciences
HIPAA compliance violations likely from encrypted traffic threats and lateral movement capabilities targeting sensitive patient data and medical systems.
Government Administration
Salt Typhoon references and zero trust segmentation requirements indicate nation-state targeting of government networks and critical infrastructure systems.
Sources
- Intelligence Insights: May 2026https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2026/Verified
- Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophisticationhttps://www.proofpoint.com/uk/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophisticationVerified
- Amatera Stealerhttps://www.broadcom.com/support/security-center/protection-bulletin/amatera-stealerVerified
- ClearFake Infects 9,300 Sites, Uses Fake reCAPTCHA and Turnstile to Spread Info-Stealershttps://thehackernews.com/2025/03/clearfake-infects-9300-sites-uses-fake.htmlVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF would likely limit the attacker's ability to exploit compromised websites by enforcing strict segmentation and controlled egress policies.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely limit the attacker's ability to escalate privileges by enforcing strict access controls and segmentation policies.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely limit the attacker's ability to move laterally by enforcing strict segmentation and monitoring east-west traffic.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely limit the attacker's ability to establish command and control channels by providing comprehensive visibility and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate data by enforcing strict egress policies and monitoring outbound traffic.
The implementation of Aviatrix Zero Trust CNSF would likely reduce the scope of unauthorized access and potential financial loss by limiting the attacker's ability to exfiltrate data.
Impact at a Glance
Affected Business Functions
- Website Operations
- User Authentication
- Data Security
Estimated downtime: 7 days
Estimated loss: $500,000
User credentials and personal information from compromised websites.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Egress Security & Policy Enforcement to restrict unauthorized outbound traffic and prevent data exfiltration.
- • Deploy Threat Detection & Anomaly Response systems to identify and respond to malicious activities promptly.
- • Utilize Zero Trust Segmentation to limit lateral movement within the network and contain potential breaches.
- • Ensure Encrypted Traffic (HPE) to protect data in transit and prevent interception by malicious actors.
- • Enhance Multicloud Visibility & Control to monitor and manage security across all cloud environments effectively.
