
Intelligence Insights: May 2026

ID: 4d79b22c-1100-541c-ae3b-3c08595e0992

STIX ID: report--4d79b22c-1100-541c-ae3b-3c08595e0992

Feed Name: Red Canary

Threat Score
70/100

Date Published: 2026-05-26

Date Updated: 2026-05-26

Author: The Red Canary Team

...
...

Monthly highlights: ClearFake, an activity cluster that delivers malware through injected JavaScript (drive-by downloads) and fake CAPTCHA paste-and-run lures, rises to the top of the prevalence list; observed payloads include ArechClient2, LummaC2 and the newly observed ACR Stealer.

GraphRunner and OAuth device code abuse are increasing. Adversaries use the device authorization grant (also sold through PhaaS offerings such as Kali365/EvilTokens) to obtain access and refresh tokens for Microsoft Graph once the lured user completes sign-in, so MFA alone does not stop the theft, and then use the Graph API to exfiltrate data. Recommended mitigations include blocking device code flows (in Entra, via a Conditional Access authentication-flows policy), limiting who can join devices to the tenant, and enabling continuous access evaluation.
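One way to hunt for the device code abuse described above is to look for sign-ins that used the device code grant and triage them against what each user normally does. The following is an added example, not Red Canary's code or part of this report. It assumes Microsoft Entra sign-in records in the shape of the Microsoft Graph `signIn` resource (fields such as `authenticationProtocol`, `userPrincipalName`, `appDisplayName`, `resourceDisplayName`, `ipAddress`, `status.errorCode`), with `authenticationProtocol == "deviceCode"` marking device code grants; the "known IP" baseline and the severity tiers are this example's own heuristic, and the log lines are constructed.

```python
"""Triage OAuth device code sign-ins in Microsoft Entra sign-in log records.

Added example (not Red Canary's code). Assumes Graph `signIn`-shaped JSON
records, one per line; the baseline/severity heuristic is the example's own.
"""
import json
from collections import defaultdict

# Constructed sign-in log lines for the example; not real telemetry.
SAMPLE_SIGNINS = """
{"createdDateTime": "2026-05-20T08:02:11Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Outlook", "resourceDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10", "authenticationProtocol": "authorizationCodeFlow", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-20T09:15:43Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams", "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.22", "authenticationProtocol": "authorizationCodeFlow", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-20T10:41:02Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI", "resourceDisplayName": "Windows Azure Service Management API", "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-21T14:03:57Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-21T14:05:10Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office", "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}}
"""

DEVICE_CODE = "deviceCode"          # authenticationProtocol value for the device code grant
GRAPH_RESOURCE = "Microsoft Graph"  # resourceDisplayName value assumed for Graph API tokens


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def succeeded(record):
    """A sign-in with errorCode 0 completed and resulted in tokens being issued."""
    return record.get("status", {}).get("errorCode") == 0


def known_ips_by_user(records):
    """Baseline: IPs each user used in successful sign-ins that were NOT device code grants."""
    known = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != DEVICE_CODE and succeeded(r):
            known[r["userPrincipalName"]].add(r["ipAddress"])
    return known


def find_device_code_signins(records):
    """Return one finding per successful device code sign-in, with a severity tier.

    high   - token issued from an IP not in the user's baseline AND scoped to Microsoft Graph
    medium - token issued from an IP not in the user's baseline
    low    - device code grant from an IP the user already signs in from (e.g. an admin's CLI)
    Failed device code attempts (non-zero errorCode) issue no tokens and are not reported.
    """
    known = known_ips_by_user(records)
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != DEVICE_CODE or not succeeded(r):
            continue
        user = r["userPrincipalName"]
        new_ip = r["ipAddress"] not in known[user]
        graph_token = r.get("resourceDisplayName") == GRAPH_RESOURCE
        if new_ip and graph_token:
            severity = "high"
        elif new_ip:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "time": r["createdDateTime"],
            "user": user,
            "app": r.get("appDisplayName"),
            "resource": r.get("resourceDisplayName"),
            "ip": r["ipAddress"],
            "new_ip": new_ip,
            "severity": severity,
        })
    return findings


def shared_device_code_ips(findings):
    """IPs that completed device code sign-ins for more than one user: a sign of one phishing operator."""
    users_by_ip = defaultdict(set)
    for f in findings:
        users_by_ip[f["ip"]].add(f["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    results = find_device_code_signins(parse_signins(SAMPLE_SIGNINS))
    for f in results:
        print(f"{f['severity']:6} {f['time']} {f['user']} via {f['app']} -> {f['resource']} from {f['ip']}")
    print("shared source IPs:", shared_device_code_ips(results))
```

In a real deployment the baseline should come from a longer window than the batch being triaged (the example derives it from the same lines only for self-containment), and the "low" tier is still worth a periodic review because an attacker sharing a VPN egress with the victim would land there.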
