OCRFix

OCRFix is a Windows malware/botnet family delivered via ClickFix-style social engineering (fake CAPTCHA/verification pages) that tricks users into pasting clipboard-staged commands (PowerShell or Windows Run) to bootstrap execution and install an MSI dropper. Multiple reports in the provided content describe OCRFix using “EtherHiding”/blockchain-based C2 resolution: infected hosts query smart contracts on BNB Smart Chain (including BSC testnet in several described cases) via JSON-RPC (eth_call / ERC20 name() or a custom getter selector) at runtime to retrieve encrypted or plaintext C2 URLs, enabling rapid C2 rotation by updating on-chain data without changing binaries.

Two distinct but similarly branded OCRFix activity descriptions are present:

1. Three-stage VBScript botnet (ClickFix + BSC testnet smart contracts):

• Payloads are VBScript compiled with VBSEdit and heavily obfuscated (Chr()/CLng()/Xor/arithmetic).
• Stage 1 (“Update1”) acts as a downloader; Stage 2 (“setup_helper”) performs UAC elevation prompting, adds Microsoft Defender exclusions, and establishes persistence via scheduled tasks; Stage 3 (“CfgHelper”) is a command-executing bot with ~60-second check-ins and supports command execution and download/execute tasking (including regsvr32 execution for DLLs and use of a bundled legitimate WinRAR for archive extraction).
• C2/panel endpoints are resolved from BSC testnet smart contracts at runtime. Identified contract addresses include 0x7a09296149Ad75745d805CFc4ce215573b442F90 (Stage 1), 0xDd3BD9879E5a3BB6C6B0eB193c99418E5c8Ba6c9 (Stage 2), and 0xaC72Bf7B66411463533F2a5bBc613e6083F82098 (Stage 3). The malware posts JSON-RPC to public BSC testnet endpoints (e.g., bsc-testnet.publicnode.com, bsc-testnet-dataseed.bnbchain.org, bsc-testnet.drpc.org) and uses selector 0xe2d84e23 to retrieve a stored URL.
• Example resolved URLs (as of 2026-03-03) include https://gamepinxjzr.com/data.php, /test.php, and /helpU.php.
• Reported infrastructure includes a Netherlands-hosted loader server (107.189.26.225) serving ClickFix lures across many domains, and Cloudflare-proxied C2 backends.
• One report notes Russian-language indicators (e.g., Cyrillic comments in panel source) and UTC+3 alignment, but attribution is not confirmed.

2. A longer multi-stage chain culminating in an in-memory native backdoor (“HellsUchecker”) with blockchain-retrieved configuration:

• Described as a 10-stage chain starting from a ClickFix lure (fake Cloudflare Turnstile CAPTCHA) that clipboard-hijacks a command; the command uses the Windows LOLBin finger.exe to query finger.cldvrfd.click (and backup on.cldvrfd.click) over port 79 to retrieve batch commands that download a Python embed package and run a Python loader, which ultimately drops and executes an MSI (manager.msi; SHA256 6373eec0482f5b98f127967135937fca60e5a497befb51cb1267fa402063095d).
• A BAT/MSBuild polyglot reflectively loads a 6.5 MB .NET “EtherHiding” loader that queries smart contracts on BNB Smart Chain and Avalanche using the ERC20 name() selector (0x06fdde03) to obtain encrypted C2 configuration. One identified contract address is 0x328A1faDff154290F0Ce1389a4E633698CDfdAa7; decrypted configuration reportedly included C2 hosts such as https://more-arpc.icu and https://rpcsecnoweb.pro.
• Anti-analysis includes 26 checks with geofencing of 11 CIS countries; creating C:\Nintendo bypasses the checks and decoy noise-traffic threads.
• Persistence includes copying a BAT polyglot to cache-like paths (e.g., CacheManager.bat), setting Hidden/System attributes, timestomping, and creating a Startup .lnk.
• Injection uses Hell’s Gate-style direct syscalls (NtCreateSection/NtMapViewOfSection). The final 28 KB x64 backdoor is decrypted/decompressed and manually loaded in memory (not written to disk), and communicates via HTTPS POST to https://rec.allthe.site/chk using a JSON-RPC-like format with User-Agent “myApp v1.0”, supporting host fingerprinting and download-and-execute tasking.

Infection vectors and lures mentioned include typosquatting/impersonation of Tesseract OCR, SEO poisoning, a YouTube video promoting the fake instructions, and claims of “LLM poisoning” where ChatGPT recommended the malicious site. Known network/IOC details explicitly mentioned in the content include: h01-captcha.sbs; finger.cldvrfd.click / on.cldvrfd.click (port 79) and 178.16.52.168; vrf.cldvrfd.click; opsecdefcloud[.]com (serving 98166e51.msi); ldture[.]com (panel); BSC testnet JSON-RPC endpoints; the smart contract addresses listed above; and final-stage endpoint rec.allthe.site/chk.