The ClearFake campaign has evolved to use fake reCAPTCHA and Cloudflare Turnstile verifications as lures to trick users into downloading malware. The threat actors behind the campaign are using fake web browser update baits on compromised WordPress sites as a malware distribution vector.
ClearFake, first highlighted in July 2023, uses EtherHiding to fetch its next-stage payload from Binance's Smart Chain (BSC) contracts. The latest iteration of the ClearFake framework marks an evolution: it adopts Web3 capabilities to resist analysis and encrypts the ClickFix-related HTML code.
When a victim visits a compromised site, the page retrieves intermediate JavaScript code from BSC. The loaded JavaScript fingerprints the system and fetches the encrypted ClickFix code hosted on Cloudflare Pages. Executing the malicious PowerShell commands presented by the lure leads to the deployment of Emmenhtal Loader (aka PEAKLIGHT), which subsequently drops Lumma Stealer.
At least 9,300 websites have been infected with ClearFake; the campaign is considered widespread and affects users worldwide. The threat remains active, as the operators update the framework code and lures daily.
This development comes as auto dealership sites have been found compromised with ClickFix lures that lead to the deployment of SectopRAT malware. Security researchers are also warning organizations and businesses about Adversary-in-the-Middle (AitM) and Browser-in-the-Middle (BitM) techniques, which allow attackers to hijack accounts.
Source: https://thehackernews.com/2025/03/clearfake-infects-9300-sites-uses-fake.html