ClearFake
ClearFake is a web-inject and fake browser update activity cluster first identified in 2023. It compromises legitimate websites by injecting malicious HTML and JavaScript, and uses that injected JavaScript to deliver malware through drive-by download techniques. Reporting describes ClearFake both as a fake update actor and as a malicious JavaScript framework deployed on compromised websites. Google tracks the group as UNC5142.

ClearFake is closely associated with fake browser update lures, fake CAPTCHA prompts, and malicious copy-and-paste execution techniques referred to as paste-and-run, ClickFix, and fakeCAPTCHA. Proofpoint coined the term ClickFix based on early use of the technique by ClearFake and TA571. In these campaigns, victims are tricked into copying and executing malicious commands, including PowerShell, MSHTA, or Run-dialog commands. ClearFake has also used fake certificate or browser warning overlays to induce execution. Related reporting also notes abuse of trusted components such as SyncAppvPublishingServer.vbs in ClickFix-style chains.

The cluster has used EtherHiding, including loading malicious scripts from Binance Smart Chain contracts, and has employed Keitaro traffic distribution infrastructure for filtering and delivery. One report states that ClearFake was the original group that developed and deployed EtherHiding in the wild.

Observed payloads delivered via ClearFake infrastructure or website injects include Lumma Stealer/LummaC2, Rhadamanthys, Amatera Stealer, ACR Stealer, ArechClient2, NetSupport RAT, Emmenhtal Loader, DOILoader/HijackLoader, Amadey, XMRig, a clipboard hijacker, and Vidar Stealer; some reporting also suspects delivery of Latrodectus or NetSupport RAT over ClearFake infrastructure. Proofpoint observed Amatera Stealer distributed via ClearFake website injects in April and May 2025. ClearFake is part of the broader fake-update/web-inject ecosystem alongside clusters such as TA569/SocGholish, ZPHP, and ErrTraffic.

It has been described as an early adopter of paste-and-run as an initial execution technique and remained highly prevalent in 2026 reporting. No high-confidence attribution to a specific tracked threat actor or nation state is provided in the available reporting beyond Google's tracking designation UNC5142.
Tradecraft
42 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Observables
21 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
Threat cluster identified as using web inject campaigns beyond the TA569 ecosystem.
Threat cluster involved in web-inject campaigns using compromised websites and fake update style delivery.
Activity cluster that injects JavaScript into compromised websites to deliver malware, including via drive-by download techniques; also observed leveraging 'paste and run' as an initial execution technique.
Malvertising/malware distribution cluster using compromised sites and fake verification (reCAPTCHA/Turnstile) and fake browser update lures to deliver info-stealers.