ClearFake is a malicious JavaScript framework launched in July 2023 that targets users through fake download prompts and social engineering. Its latest variant, detected in February 2025, uses fake CAPTCHA challenges and integrates with the Binance Smart Chain to deliver malware directly to compromised systems. The update streamlines the interaction with the victim and strengthens the framework's ability to distribute malware families such as Lumma and Vidar Stealer.
Affected: users, websites, and systems running Windows and macOS
Key points:
- ClearFake employs malicious JavaScript to deliver malware via compromised websites.
- The framework initially presented users with fake browser update prompts to install malware.
- The February 2025 variant uses fake reCAPTCHA and Cloudflare verification challenges to trick victims into executing PowerShell commands.
- The malware now interacts with the Binance Smart Chain as part of its delivery chain.
- ClearFake operators utilize social engineering tactics in multiple languages to target a wide audience.
- Recent data indicates that a substantial number of unique users have been exposed to ClearFake's lures, showing its widespread impact.
MITRE Techniques:
- Tactic: Initial Access | Technique: Drive-by Compromise (T1189) | Procedure: ClearFake injects JavaScript into compromised websites to load malware.
- Tactic: Execution | Technique: Command and Scripting Interpreter (T1059) | Procedure: Utilizes PowerShell commands to execute malware on compromised systems.
- Tactic: Persistence | Technique: Scheduled Task/Job (T1053) | Procedure: Crafted PowerShell scripts run automatically, maintaining a presence after the initial compromise.
- Tactic: Exfiltration | Technique: Data Encrypted (T1045) | Procedure: Malware uploads sensitive information after execution.
- Tactic: Command and Control | Technique: Application Layer Protocol (T1071) | Procedure: Communication through smart contracts on the Binance Smart Chain.
Indicators of Compromise:
- [Domain] hxxps://tour-agency-media.pages[.]dev
- [Domain] hxxps://start.cleaning-room-device[.]shop
- [IP Address] 83.217.208[.]130
- [Wallet Address] 0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53
- [Wallet Address] 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA
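As an added example (not code from the Sekoia report or from ClearFake itself), the following Python refangs the indicators listed above and scores constructed log lines against them, treating a PowerShell event that references one of the hosts as the highest-confidence signal because that is the final step of the fake-CAPTCHA lure. The log format, sample events and severity levels are assumptions.

```python
import re

# Indicators copied from the summary above, exactly as published (defanged).
DEFANGED_IOCS = [
    "hxxps://tour-agency-media.pages[.]dev",
    "hxxps://start.cleaning-room-device[.]shop",
    "83.217.208[.]130",
]

def refang(ioc):
    """Undo the usual defanging so the value can be matched against telemetry."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

def host_of(ioc):
    """Strip scheme and path, keeping only the hostname or IP to match on."""
    return re.sub(r"^https?://", "", refang(ioc)).split("/")[0].lower()

IOC_HOSTS = {host_of(i) for i in DEFANGED_IOCS}

# Match hosts as whole tokens so a look-alike such as
# "notstart.cleaning-room-device.shop.example" does not fire.
_HOST_RE = re.compile(
    r"(?<![\w.-])(" + "|".join(re.escape(h) for h in IOC_HOSTS) + r")(?![\w.-])",
    re.IGNORECASE,
)

def classify(event):
    """Return (severity, matched_host) for one log line: 'high' when a PowerShell
    event references a ClearFake host (the fake-CAPTCHA lure ends with the victim
    running such a command), 'medium' for any other hit, 'none' otherwise."""
    m = _HOST_RE.search(event)
    if not m:
        return ("none", None)
    severity = "high" if "powershell" in event.lower() else "medium"
    return (severity, m.group(1).lower())

def scan(events):
    """Return [(severity, host, event)] for every event that matched an indicator."""
    return [(s, h, e) for e in events for s, h in (classify(e),) if s != "none"]

# Constructed sample telemetry (assumed format; not real log data).
SAMPLE_EVENTS = [
    "2025-02-18T10:01:05Z dns client=10.0.0.12 query=tour-agency-media.pages.dev type=A",
    "2025-02-18T10:01:09Z proc image=powershell.exe cmd=powershell https://start.cleaning-room-device.shop/verify",
    "2025-02-18T10:01:11Z proxy client=10.0.0.12 dst=83.217.208.130:443 action=allow",
    "2025-02-18T10:02:00Z dns client=10.0.0.30 query=notstart.cleaning-room-device.shop.example type=A",
]
```

Running `scan(SAMPLE_EVENTS)` yields one medium hit for the DNS query, one high hit for the PowerShell event, one medium hit for the proxy connection, and nothing for the look-alike domain.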
Full Story: https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/