
ClearFake Malware Found on 9K Compromised Sites

Image: Thousands of Sites Hit by ClearFake Malware Campaign (image credit: Help Net Security)

Cybercriminals behind the ClearFake malware campaign are stepping up their game, using fake reCAPTCHA and Cloudflare Turnstile prompts to trick users into downloading data-stealing malware like Lumma Stealer and Vidar Stealer.

First spotted in mid-2023, ClearFake is known for infecting compromised WordPress websites and using fake browser update alerts as bait. But the operation has evolved rapidly, making use of Web3 technologies and sophisticated social engineering tactics to spread malware across both Windows and macOS systems.

Recent research from cybersecurity firm Sekoia reveals that ClearFake now leverages Binance Smart Chain (BSC) contracts to deliver malicious JavaScript and additional resources. This method, known as EtherHiding, hides payloads inside blockchain transactions, making the campaign harder to detect and take down.

By early 2025, attackers introduced “ClickFix”, a new ploy that tricks users into running malicious PowerShell commands disguised as fixes for fake technical issues. Once executed, this leads to the deployment of Emmental Loader (aka PEAKLIGHT), which eventually drops the Lumma Stealer malware.

The attack flow starts when a victim lands on an infected website. JavaScript fetched from BSC fingerprints the system and downloads encrypted lure content — often posing as fake reCAPTCHA verifications — hosted on Cloudflare Pages.

If a user follows the prompts and runs the PowerShell script, it unlocks the next malware stage.

ClearFake’s aggressive expansion is staggering. By early 2025, researchers had detected more than 9,300 websites compromised and serving ClearFake lures.

In just one month (July 2024), an estimated 200,000 unique users were exposed to the campaign — many of them enticed by fake browser alerts or reCAPTCHA-like challenges urging them to download updates.

The group’s technical sophistication shows in their daily framework updates and use of multiple data points stored directly on Binance Smart Chain — from JavaScript snippets and AES keys to the exact URLs hosting the lures and PowerShell payloads.
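Since the loader and the addresses of the lure resources are fetched from the blockchain rather than from a conventional command-and-control server, the injected snippet on a compromised page is one of the few places a site operator can catch the campaign directly. The script below is an added example, not code from the article or from Sekoia, showing how such a baseline check could look: it parses a page, flags external scripts served from hosts outside an allowlist, inline scripts that reference a public EVM RPC endpoint or web3 library, and inline scripts that look obfuscated. The allowlist, the hint strings other than the bsc-dataseed host family, and all sample HTML are assumptions constructed for the demo.

```python
"""Added example, not code from the article or from Sekoia: a baseline check a
site operator can run over their own pages to spot the kind of injected
<script> described above. It flags external scripts loaded from hosts outside
an allowlist, inline scripts that talk to a blockchain RPC endpoint (the
ClearFake loader is read from Binance Smart Chain contracts), and inline
scripts that look obfuscated. All sample HTML here is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts your site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.example-dealer.com", "cdn.example-dealer.com"}

# Fragments typical of EVM RPC usage from a web page. "bsc-dataseed" is the
# public BSC RPC host family; the rest are generic web3 library/JSON-RPC names.
RPC_HINTS = ("bsc-dataseed", "binance.org", "eth_call", "web3.min.js", "ethers.min.js")


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def host_of(src, page_host):
    """Resolve the host a script src loads from; relative paths mean the page host."""
    if src.startswith("//"):
        src = "https:" + src
    netloc = urlparse(src).netloc.lower()
    return netloc or page_host


def looks_obfuscated(js):
    """Cheap heuristics: a long encoded literal, or decode/eval primitives."""
    if re.search(r"[A-Za-z0-9+/=]{120,}", js):
        return True
    return re.search(r"\b(eval|atob|unescape)\s*\(|new\s+Function\s*\(", js) is not None


def scan_page(html, page_host):
    """Return (severity, reason) findings for one page; an empty list means clean."""
    c = ScriptCollector()
    c.feed(html)
    findings = []
    for src in c.external:
        h = host_of(src, page_host)
        if h not in ALLOWED_HOSTS:
            findings.append(("high", f"script loaded from non-allowlisted host {h}: {src}"))
    for js in c.inline:
        lowered = js.lower()
        if any(hint in lowered for hint in RPC_HINTS):
            findings.append(("high", "inline script references a blockchain RPC endpoint or web3 library"))
        elif looks_obfuscated(js):
            findings.append(("medium", "inline script looks obfuscated (encoded literal or decode/eval chain)"))
    return findings


# Constructed sample pages for the demo.
CLEAN_PAGE = """<html><head>
<script src="/assets/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>Inventory</body></html>"""

INJECTED_PAGE = """<html><head>
<script src="https://cdn.example-dealer.com/app.js"></script>
<script>
// constructed stand-in for a loader that reads its next stage from a contract
var rpc = "https://bsc-dataseed.binance.org/";
fetch(rpc, {method: "POST", body: JSON.stringify({method: "eth_call"})});
</script>
<script>eval(atob("QUJD"));</script>
</head><body>Inventory</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        for severity, reason in scan_page(page, "www.example-dealer.com") or [("ok", "no findings")]:
            print(f"{name}: [{severity}] {reason}")
```

Run it against a crawl of your own site from a cron job and diff the findings against the previous run; a new high-severity finding on a page that has not been edited is the signal that matters, since the campaign updates its framework daily and the injected snippet changes shape while its dependence on an RPC endpoint does not.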

The latest wave of infections even reached over 100 auto dealership websites, where the ClickFix lure was used to deploy SectopRAT malware. But rather than compromising the dealerships directly, attackers targeted a third-party video service, LES Automotive (idostream[.]com), embedding malicious JavaScript into their content.

This supply chain attack highlights how even indirect web services can become a launchpad for widespread malware campaigns. LES Automotive has since removed the infected script.

Alongside ClearFake, researchers also tracked multiple phishing campaigns pushing other Remote Access Trojans (RATs):

  • Venom RAT delivered through VHD files inside email archives, executed via Windows batch scripts.
  • AsyncRAT and Remcos RAT dropped through Excel attachments exploiting CVE-2017-0199 — using VBScript to pull additional payloads hidden in images.
  • Microsoft 365 tenant takeovers, where attackers create admin accounts and deliver phishing emails designed to bypass security layers and harvest user credentials.

As social engineering techniques evolve, Browser-in-the-Middle (BitM) attacks are becoming a favored method among cybercriminals. In these attacks, victims unknowingly interact with real websites routed through attacker-controlled browsers — making it nearly impossible to spot the difference.

Mandiant, a Google-owned cybersecurity firm, warned:
“BitM allows adversaries to rapidly target any website, bypass MFA protections, and steal active sessions within seconds. For victims, distinguishing between legitimate and fake sites becomes incredibly difficult.”

How to Stay Protected from ClearFake Malware

With ClearFake expanding globally and attackers exploiting Web3 technologies, businesses must ramp up defenses:

  • Regularly monitor websites for unusual JavaScript injections
  • Educate employees about social engineering tactics like ClickFix
  • Strengthen PowerShell restrictions on endpoints
  • Use anti-phishing tools and zero-trust frameworks
  • Regularly audit third-party services for supply chain vulnerabilities
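Restricting PowerShell is only half of the endpoint side; the other half is recognising a ClickFix-style launch when it happens. The script below is an added example, not code from the article or from any vendor named in it, that triages process-creation records for that pattern: PowerShell started from explorer.exe (as a Run-dialog paste would be) with a hidden window, an execution-policy bypass, an encoded command, or a download-and-execute idiom on the command line. The record fields, thresholds and all three sample records are assumptions constructed for the demo; the encoded sample only wraps a harmless Write-Host placeholder.

```python
"""Added example, not code from the article or from any vendor named in it:
triage of endpoint process-creation events for the ClickFix pattern, where a
user pastes a PowerShell command from a fake "fix" or verification prompt.
Records are constructed here in a simplified dict shape; map the fields from
your real telemetry (Sysmon event ID 1, EDR process events) onto them."""
import base64
import re

# Command-line traits that are rare for interactive users but routine in
# lure-driven launches. The label is what the analyst sees in the finding.
SUSPICIOUS_FLAGS = {
    r"-w(indowstyle)?\s+hidden": "hidden window",
    r"-e(xecutionpolicy|p)\s+bypass": "execution policy bypass",
    r"-nop(rofile)?\b": "profile suppressed",
    r"\biex\b|invoke-expression": "Invoke-Expression on the command line",
    r"\b(irm|iwr)\b|invoke-restmethod|invoke-webrequest": "network fetch on the command line",
}
# Matches -e, -ec, -en, -enc, -encodedcommand (PowerShell accepts any unambiguous
# prefix) followed by a base64 blob. "-ep bypass" does not match: "p" is not whitespace.
ENCODED_RE = re.compile(r"-e(?:n[a-z]*|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(record):
    """Return the reasons found, any decoded -EncodedCommand text, and an alert verdict."""
    result = {"alert": False, "reasons": [], "decoded": None}
    if basename(record["image"]) not in ("powershell.exe", "pwsh.exe"):
        return result
    cmd = record["command_line"]
    for pattern, label in SUSPICIOUS_FLAGS.items():
        if re.search(pattern, cmd, re.IGNORECASE):
            result["reasons"].append(label)
    m = ENCODED_RE.search(cmd)
    if m:
        try:
            # -EncodedCommand is base64 over UTF-16LE; decode it so the analyst sees the text.
            result["decoded"] = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
            result["reasons"].append("encoded command (decoded for the analyst)")
        except (ValueError, UnicodeDecodeError):
            pass  # not valid base64/UTF-16: leave undecoded rather than crash the pipeline
    from_user_shell = basename(record["parent_image"]) == "explorer.exe"
    if from_user_shell:
        result["reasons"].append("launched from explorer.exe, as a Run-dialog paste would be")
    # An encoded command alerts outright; otherwise require the user-shell parent plus
    # at least two command-line traits, which keeps scheduled admin scripts quiet.
    result["alert"] = result["decoded"] is not None or (from_user_shell and len(result["reasons"]) >= 3)
    return result


# Constructed sample records. The placeholder is encoded exactly as PowerShell's
# -EncodedCommand expects (UTF-16LE, then base64) so the decode path is exercised.
PLACEHOLDER_B64 = base64.b64encode("Write-Host placeholder".encode("utf-16le")).decode()
SAMPLE_RECORDS = [
    {   # scheduled backup task: one trait, system parent, should stay quiet
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    },
    {   # ClickFix-shaped launch: hidden window, bypass, encoded, parent explorer.exe
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": f"powershell.exe -w hidden -ep bypass -enc {PLACEHOLDER_B64}",
    },
    {   # developer running a one-off command from an editor: no traits at all
        "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        "command_line": "pwsh.exe -NoLogo -Command Get-ChildItem",
    },
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        r = triage(rec)
        print("ALERT" if r["alert"] else "ok   ", basename(rec["parent_image"]), "->", rec["command_line"][:40])
        for reason in r["reasons"]:
            print("   -", reason)
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

The parent-process condition is what separates this from a generic "suspicious PowerShell flags" rule: the lure has the victim paste into the Run dialog or a terminal, so the process tree shows explorer.exe as the parent rather than a script host, task scheduler or management agent. Tune the trait threshold against a week of your own telemetry before enabling it as a paging alert.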

As the ClearFake campaign shows, malware delivery methods are getting smarter and harder to detect. Staying proactive is now more critical than ever.
