#ClearFake
ClearFake and the Evolution of Browser-Native C2: How ClearFake turns JavaScript into a browser-resident implant with blockchain-backed indirection.

Browser-native C2 is no longer theoretical.

ClearFake shows how JavaScript, content delivery, and smart contract lookups can replace beaconing malware entirely. No binaries. No callbacks.

blackcastle.com.au/blog/clearfa...

#ClearFake #C2 #LOTL #BrowserSecurity #ThreatResearch #MalwareAnalysis

0 0 0 0

🚨Spotting Stealthy #CLEARFAKE Campaign!!

With the following #Powershell Command Snippet, I was able to pull some fresh cases of ClearFake!

"POwErsHeLL -w 1 &"


github.com/TheRavenFile...

0 0 0 0
ClickFix Malware Campaign Exploits CAPTCHAs to Spread Cross-Platform Infections

⚠️ ClickFix malware campaign replaces ClearFake — no downloads, just fake CAPTCHAs + clipboard hijacks.

☑️ Uses Google Scripts
☑️ Cross-platform (Win/macOS)
☑️ Obfuscated JS payloads in legit sources

Guardio Labs: “A chilling list of techniques…”
#ClickFix #Malware #CAPTCHAgeddon #Phishing #ClearFake

0 0 0 0

Captchageddon evolves the ClickFix threat with fake captchas that trigger stealer malware via the clipboard, evading downloads and antivirus.

#browser #Captchageddon #ClearFake #ClickFix #fakecaptcha #Guardio #malware #stealer
www.matricedigitale.it/2025/08/06/c...

0 0 0 0
**Overview**

Threat actors have been utilizing various techniques and channels to evade tracking and blocking of their Command and Control (C&C) infrastructures. For example, they use Fast-Flux to rapidly change IP addresses and maintain domains, Bulletproof Hosting to use infrastructures located in countries where legal measures are difficult, and public platforms such as Telegram, Pastebin, and Twitter. Recently, there have been cases of threat actors utilizing the anonymity and censorship resistance of blockchain technology. This post will examine Etherhide, a technique that uses smart contracts as C&C infrastructures, and introduce cases of its abuse.

**What Is the Etherhide Technique?**

Etherhide operates by inserting arbitrary payloads into smart contracts on the Ethereum blockchain, which are then called from and executed externally.

**Figure 1. Operation of Etherhide**

Threat actors can utilize various blockchain networks such as Binance Smart Chain or the Sepolia testnet, allowing them to maintain a high level of anonymity. Additionally, due to the nature of blockchain, the inserted payload is not deleted or blocked, enabling threat actors to access it stably and continuously. Unlike the conventional malware distribution method that relies on web servers or domains, Etherhide uses the blockchain network itself as its infrastructure, making it difficult to respond to the threat using existing tracking and blocking methods.

Generally, a gas fee is incurred when interacting with a blockchain network. However, in the Etherhide technique, after inserting the payload, there is no gas fee incurred during the distribution process. This is because the Etherhide technique uses the Ethereum API method 'eth_call' to query the payload inserted into the contract. The 'eth_call' method executes smart contract functions without changing the state and without creating a transaction on the blockchain. It is commonly used for calling read-only smart contract functions, and it can be used to query the payload without a gas fee.

Table 1 shows examples of parameters used when calling the 'eth_sendTransaction' method, where transactions occur, and the 'eth_call' method, where transactions do not occur. The gas parameter of the 'eth_sendTransaction' method represents the gas to be provided to execute the transaction, and any unused gas is returned. On the other hand, the 'eth_call' method does not trigger a transaction, so there is no need to specify the gas parameter separately.

| method: eth_sendTransaction | method: eth_call |
|---|---|
| params: [ { to: "0x***60cf90B0C6D0220023402AC11E1CA7D0f6***", from: "0x***00BbE1A20dA4d474666B79a5fa6CE12629***", gas: "0x76c0", value: "0x16345785d8a0000", data: "0x", gasPrice: "0x4a817c800" } ] | params: [ { to: "0x***8567B4CB5DEcbFE28be25b64Fd36e225aA***", data: "0x2cae8ae4" } ] |

**Table 1. Comparison of parameters of Ethereum API methods**

Even when using testnets like Sepolia, transactions such as contract deployment and payload updates do not cost any actual fees because they all use test Ethereum tokens.

**Accessing Etherhide payload**

Figure 2 shows the log of the transaction requested when inserting a payload into the contract.

**Figure 2. Transaction log**

Figure 3 shows the result of analyzing the data in a structured format. The first 4 bytes are the method identifier, and the next 32 bytes are the offset that indicates the position where the payload begins. The following 32 bytes represent the length of the payload, and after this, the actual payload data follows based on the offset and length information.

**Figure 3. Parsing data**

If the string 'alert("Attack payload executed!");' is encoded in Base64 and inserted as the payload of the contract, the data returned upon querying this is shown in Figure 4. The returned data does not include a method identifier, and when parsed according to the structure shown in Figure 3, only the payload can be extracted. This allows the original data to be completely restored.

**Figure 4. Payload delivered in the response**

In the example, the Sepolia testnet was used to implement the Etherhide technique. The RPC parameters required when calling the 'eth_call' method were configured in JSON format and then sent to the Sepolia RPC endpoint in the POST body. Figure 5 shows a part of the code used in the call process, allowing you to directly check the actual implementation method.

**Figure 5. Example code of payload invocation**

This method can be used to download payloads not only in web browsers but also in executable files (binaries) and scripts. In the case of downloaders that retrieve additional payloads from the Internet, the Etherhide technique can be used instead of the conventional method. This allows threat actors to download payloads without breaching websites, creating domains, or exposing C&C servers. Furthermore, the nature of blockchain makes it difficult to block and allows for continuous access, which is advantageous for threat actors.

**Real Cases of Using the Etherhide Technique**

**ClearFake**

The ClearFake campaign, distributed since July 2023, prompts users to download and run malware disguised as a Chrome browser update. Initially, users were redirected to a separate C&C server before the malware was downloaded, but recently, threat actors have been using a social engineering technique that prompts users to execute PowerShell commands directly using the clipboard. During this process, threat actors are utilizing the Etherhide technique to use the blockchain network as a C&C infrastructure for redirection and payload transmission. For more information, refer to "EtherHiding and ClickFix: new mask of social engineering campaign" by Marek Szustak. Furthermore, the command execution prompt using the clipboard has been covered in the ASEC Blog.

**Smargaft**

The name Smargaft is a combination of Smart Contract and Gafgyt botnet, and it is a botnet that utilizes the Etherhide technique. Smargaft sends requests to the Binance Smart Chain (BSC) RPC server and retrieves the botnet C&C server IP address, which is used as the payload. The threat actor can easily update the contract payload information when the botnet C&C server address is changed. For more information, please refer to the post by XLAB, "Smargaft Harnesses EtherHiding for Stealthy C2 Hosting", published in February 2024.

**Conclusion**

The Etherhide technique is gaining attention as the next-generation Bulletproof Hosting, and it is expected that there will be an increase in cases where threat actors abuse this technique. The high level of anonymity, persistence, no cost burden, and the fact that it does not require server infrastructure are sufficient reasons for threat actors to utilize blockchain as their malware infrastructure. From a defender's perspective, it may be difficult to detect or block the Etherhide technique using conventional methods. However, since the Etherhide technique is ultimately used to retrieve payloads, users can prevent attacks by not executing suspicious files or commands in the early stages of an attack. Gain access to related IOCs and detailed analysis by subscribing to **AhnLab TIP**.

Tags: BlockChain C2 ClearFake Ethereum Etherhide 블록체인 이더리움 Smargaft

Etherhide Technique Using Blockchain as C&C Infrastructure: Overview. Threat actors have been ut...

https://asec.ahnlab.com/en/88009/

#Public #Trend #BlockChain #C2 #ClearFake #Ethereum #Etherhide #블록체인 #이더리움 #Smargaft


0 0 0 0
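Added example (not code from the ASEC post or from any post in this feed) that walks the layout the preview describes: the 32-byte offset and 32-byte length that precede the payload in an 'eth_call' result, a transaction input that prefixes the same layout with a 4-byte method identifier, and the gas-free 'eth_call' request body that carries only 'to' and 'data'. The sample payload, the contract address and the calldata are constructed here; the method identifier 0x2cae8ae4 is the one shown in Table 1, and the request builder only produces the JSON body, it sends nothing.

```python
import base64

# Constructed sample for this example: Base64 of the string the ASEC post
# uses as its demonstration payload. Nothing here comes from a live contract.
SAMPLE_PAYLOAD_B64 = base64.b64encode(b'alert("Attack payload executed!");').decode()
SAMPLE_SELECTOR = "0x2cae8ae4"  # method identifier quoted in Table 1 of the post


def abi_encode_string(s: str) -> str:
    """ABI-encode one dynamic string: 32-byte offset (0x20), 32-byte length, data padded to 32 bytes."""
    data = s.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    return (0x20).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()


def build_eth_call_request(contract: str, selector: str) -> dict:
    """JSON-RPC body for eth_call as the post describes it: only 'to' and 'data', no gas field.
    'latest' is the block tag eth_call expects as its second parameter."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, "latest"]}


def abi_decode_string(result_hex: str) -> str:
    """Parse an eth_call result (no method identifier): offset, then length, then the data bytes."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):  # malformed or truncated response
        raise ValueError("declared payload length exceeds returned data")
    return raw[start:start + length].decode()


def decode_calldata(calldata_hex: str) -> tuple:
    """Transaction input (Figure 3 layout): 4-byte method identifier, then the ABI-encoded string."""
    h = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    return "0x" + h[:8], abi_decode_string(h[8:])


def recover_payload(result_hex: str) -> str:
    """Decode the Base64 string a contract returns back to the original payload text (Figure 4)."""
    return base64.b64decode(abi_decode_string(result_hex), validate=True).decode()


if __name__ == "__main__":
    encoded = abi_encode_string(SAMPLE_PAYLOAD_B64)
    print(decode_calldata(SAMPLE_SELECTOR + encoded))
    print(recover_payload("0x" + encoded))
```

Running it on a real 'eth_call' result from an analyst's own RPC query recovers the string stored in the contract, which is what a defender needs in order to check whether a contract referenced by an injected script is carrying a redirect URL or code.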
ClearFake Malicious Framework Updates Tactics with Binance Smart Chain Obfuscation - RH-ISAC: Sekoia researchers have released updates on ClearFake, a malicious JavaScript framework that infects compromised websites to deliver malware through drive-by

🛡️ New blog: #ClearFake evolves with new tactics - #Blockchain obfuscation, fake reCAPTCHAs & more.

Learn how it works, its impact on #Retail & #Hospitality, and how to defend against it.

🔗 rhisac.org/threat-intel...

#CyberSecurity

0 0 0 0

Here is our in-depth analysis of the latest #ClearFake variant using the Binance Smart Chain and two new ClickFix lures.

ClearFake is injected into thousands of compromised sites to distribute the #Emmental Loader, #Lumma, #Rhadamanthys, and #Vidar.

⬇️

bsky.app/profile/seko...

4 1 1 0

ClearFake reCAPTCHA scam infects 9,300 websites: The ClearFake campaign has infected at least 9,30...

dataconomy.com/2025/03/20/clearfake-rec...

#Cybersecurity #News #ClearFake #reCAPTCHA


0 0 0 0
ClearFake Infects 9300 Sites, Uses Fake reCAPTCHA and Turnstile to Spread Info-Stealers: can infect Windows and macOS systems

ClearFake Infects 9,300 Sites, Uses Fake reCAPTCHA and Turnstile to Spread Info-Stealers reconbee.com/clearfake-in...

#clearfake #reCAPTCHA #infostealers #turnstile
#cyberattacks

1 0 0 0
ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery. ClearFake spreads malware via compromised websites, using fake CAPTCHAs, JavaScript injections, and drive-by downloads.

TDR analysts published an analysis of the new #ClearFake variant that relies on compromised websites injected with the malicious JavaScript framework, the #EtherHiding technique, and the #ClickFix social engineering tactic.

buff.ly/vbiVbsN

5 3 1 1

#ClearFake variant is now spreading #Rhadamanthys Stealer via #Emmenhtal Loader.

cc @plebourhis.bsky.social @sekoia.io

1. ClearFake framework is injected on compromised WordPress and relies on EtherHiding

2. The #ClickFix lure uses a fake Cloudflare Turnstile with unusual web traffic

⬇️

3 2 2 0

The contract’s content is clearly malicious and connects over WebSocket to suckerity[.]xyz (behind Cloudflare); it is not related to #ClearFake, but reminds us of #Magecart related injections:

0 0 1 0

#etherhiding (hiding malicious code in blockchain based smart contracts) is no longer used only by #ClearFake related actors, but now also for #Magecart 👇

1 0 1 1

2025-02-05 (Wednesday): #ClearFake / #ClickFix style fake CAPTCHA leads to possible #Vidar.

Vidar C2 using eteherealpath[.]top behind Cloudflare.

Details at github.com/malware-traf...

6 7 1 0

#ClearFake / #ClickFix is back, directly infecting legit but vulnerable websites and in the end delivering #Lumma / #LummaStealer

2 0 1 0

New Swiss-centered malware campaign in German using some #ClearFake / #ClickFix tricks, impersonating Ricardo, one of the biggest Swiss online second-hand marketplaces:

0 0 1 0
From Clipboard to Compromise: A PowerShell Self-Pwn | Proofpoint AU. Key findings: Proofpoint researchers identified an increasingly popular technique leveraging unique social engineering to run PowerShell and install malware. Researchers observed TA571 and the Clea...

Finally, we also witnessed in the wild one of those #ClearFake / #ClickFix baits delivered via email, as reported by Proofpoint in June, ending with a #brutel / #Latrodectus / #BruteRatel payload www.proofpoint.com/au/blog/thre...

0 0 1 0

After mucking around a bit, I finally got a working Dropbox URL and file for the #Clearfake distributed #AtomicStealer fake Chrome sample urlscan.io/result/376ad... tria.ge/240806-sahwj... and now it's a different IP, 45.134.26[.]7, for the C2

1 0 0 0

What is old is new again, #atomicstealer being distributed via #clearfake campaign. Haven't seen that in a while!

Clearfake domain: cejecuu4[.]xyz
C2: 193.124.185[.]23

Payload staged in Dropbox

#macosmalware #infostealers #amos #fakebrowserupdates #fakechrome

2 0 1 0

#ClearFake related contract 0xa6165aa33ac710ad5dcd4f4d6379466825476fde was updated recently and points now to daslkjfhi2[.]lol, displaying a new type of lure to visitors:

0 0 1 0

#ClearFake updated the TDS in contract 0x34585777843Abb908a1C5FbD6F3f620bC56874AA 3 times today:
v7yen47u2e[.]xyz
cv2b8uz46e[.]xyz
b9y3b7ner2[.]xyz (currently used)

The last round of updates on this contract was on May 30th - also with 3 different domains.

0 0 0 0

#clearfake changed the contract used to deliver the TDS URL: bscscan.com/address/0x10...

0 0 1 0

Fake browser updates host malicious files on decentralized blockchain, evading takedowns. An evolution of the #ClearFake scam, now leveraging #BinanceSmartChain, uncovers a dangerous blend of #cybersecurity threats and #blockchain tech: krebsonsecurity.com/2023/10/the-... #InfoSec

0 0 0 0