ClearFake Malware Framework: Latest Variant Analysis and Mitigation Strategies

Overview

A recent variant of the ClearFake malware framework has been identified, leveraging fake reCAPTCHA and Cloudflare Turnstile challenges to deceive users into executing malicious PowerShell commands. This evolution marks a significant escalation in the threat’s capabilities, as it continues to exploit Web3 technologies for malware delivery.

Evolution of ClearFake

ClearFake, first detected in July 2023, initially used JavaScript injections on compromised websites to trick users into downloading fake browser updates. However, by December 2024, it had evolved to incorporate:

  • Fake reCAPTCHA and Cloudflare Turnstile verifications to add legitimacy to phishing pages.

  • Web3 integration, using smart contracts on the Binance Smart Chain (BSC) to store obfuscated JavaScript and PowerShell commands.

  • ClickFix Lure, a deceptive tactic that presents users with error messages prompting them to execute commands in the Windows Run dialog.

  • Emmenhtal Loader & Lumma Stealer as payloads, designed to steal sensitive user data.

Attack Chain

  1. Compromised Websites: Malicious JavaScript is injected into legitimate websites.

  2. Fake Security Challenges: Users are presented with fraudulent Cloudflare Turnstile or reCAPTCHA verifications.

  3. ClickFix Deception: If the verification fails, users are shown error messages suggesting they need to execute a PowerShell command.

  4. Binance Smart Chain Fetch: The PowerShell command retrieves obfuscated scripts from smart contracts stored on the BSC.

  5. Payload Deployment: The downloaded scripts execute further malware, such as Emmenhtal Loader, which installs Lumma Stealer.

Notable Technical Features

  • Use of Blockchain: Malicious payloads and obfuscated scripts are stored on Binance Smart Chain, making takedown efforts challenging.

  • PowerShell-Based Execution: The attack relies on obfuscated PowerShell scripts to bypass traditional security mechanisms.

  • Decentralized Malware Hosting: Hosting lure HTML files on Cloudflare Pages makes the attack infrastructure resilient.

Mitigation Strategies

For Users:

  • Do not run commands from error messages: Legitimate security verifications never require manual execution of commands.

  • Use an updated web browser and security extensions: Anti-phishing and ad-blocking tools can help detect suspicious web content.

  • Inspect URLs carefully: Hover over links and ensure they are from legitimate sources. Even URLs which appear correct may not be, malicious operators have been defeating this for years, quite easily.

For Organizations:

  • Network Monitoring: Look for outbound requests to Binance Smart Chain and suspicious PowerShell executions.

  • Disable Unnecessary PowerShell Execution: Implement PowerShell Constrained Language Mode or remove execution rights for non-administrators.

  • Threat Intelligence Feeds: Regularly update IoC lists, including compromised URLs and wallet addresses associated with ClearFake.

  • Endpoint Detection and Response (EDR): Deploy EDR solutions capable of detecting and blocking obfuscated script execution.

Conclusion

The ClearFake malware framework continues to evolve, leveraging sophisticated deception tactics and blockchain-based infrastructure to distribute malware. Organizations and individuals must remain vigilant, implementing robust security controls to detect and prevent infections. Sekoia.io and other cybersecurity researchers are actively monitoring ClearFake for further developments.

For the latest IoCs and compromised URLs, refer to Sekoia-IO's Community GitHub repository.

Popular posts from this blog

The IT Security Chronicles: A Comedy of Errors and Exploits

In the world of IT security, every day feels like an action-packed thriller where cybercriminals play the villains, security teams are the reluctant heroes, and vulnerabilities are the ever-revolving doors that keep letting the bad guys in. Today, we bring you a trio of cyber disasters, each with a painful lesson wrapped in a layer of dark humor. Episode 1: Tomcat’s Wild Ride Our first tale features none other than Apache Tomcat, the beloved open-source web server and the latest victim of a classic security nightmare. CVE-2025-24813 made its grand entrance, allowing attackers to execute remote code or expose sensitive files if the right (or in this case, wrong) conditions were met. The exploit is laughably simple: upload a serialized Java session file via a PUT request, then trigger deserialization with a GET request. It’s as if Tomcat took cybersecurity advice from a soap opera villain—"Just leave the back door open, and no one will notice!" Lesson for IT pros? If your syste...
Read more

The Case of the Leaky GitHub Action: A Cautionary Tale for Security Pros

Once upon a time in the mystical land of GitHub, where developers roam free and repositories grow wild, there lived a popular GitHub Action known as tj-actions/changed-files . It was beloved by many, faithfully detecting which files had changed in pull requests and commits. But, as with all great tales, darkness lurked in the shadows. One day, a nefarious actor slipped through the gates, embedding a malicious payload into the very core of tj-actions/changed-files. And just like that, the keys to the kingdom—secrets including access tokens, private RSA keys, and npm tokens—were exposed in logs for all the world to see. It was like leaving your house key under the welcome mat, only to broadcast the address on national television. Act I: The Discovery Step Security was the first to spot the trouble, raising the alarm that CVE-2025-30066 had been born. This wasn't just your everyday bug—this was a full-blown supply chain compromise. Soon, CISA added it to its infamous Known Exploited...
Read more