Full Report
The threat actors behind the ClearFake campaign are using fake reCAPTCHA or Cloudflare Turnstile verifications as lures to trick users into downloading malware such as Lumma Stealer and Vidar Stealer. ClearFake, first highlighted in July 2023, is the name given to a threat activity cluster that employs fake web browser update baits on compromised WordPress sites as a malware distribution vector. The
Analysis Summary
# Tool/Technique: ClearFake Campaign Hosting Infrastructure
## Overview
ClearFake is a long-running threat activity cluster that uses compromised websites, particularly WordPress sites, to host lures (fake CAPTCHA/Turnstile verification pages) designed to trick users into downloading information-stealing malware like Lumma Stealer and Vidar Stealer. A key evolution involves leveraging Binance Smart Chain (BSC) contracts to host critical components of the multi-stage attack, enhancing resilience and aiding in fingerprinting and payload decryption.
## Technical Details
- Type: Campaign / Delivery Framework
- Platform: Windows, macOS (for final payloads)
- Capabilities: Web-based malware distribution, multi-stage obfuscation, Web3 integration for payload hosting/delivery, system fingerprinting.
- First Seen: July 2023 (as initially highlighted)
## MITRE ATT&CK Mapping
*Note: Since ClearFake is a campaign that utilizes multiple techniques, the mappings below focus on the discovery/delivery aspects described.*
- **TA0001 - Initial Access**
- T1189 - Drive-by Compromise
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Use of BSC for payload retrieval)
## Functionality
### Core Capabilities
* **Malware Distribution Vector:** Uses compromised websites (WordPress) to display fake browser security/verification prompts (reCAPTCHA, Cloudflare Turnstile).
* **Lure Deployment:** Employs social engineering techniques like 'ClickFix' to deceive users into executing malicious PowerShell commands disguised as fixes for non-existent issues.
* **Payload Delivery:** Delivers information-stealing malware, primarily Lumma Stealer and Vidar Stealer, often via droppers like Emmenhtal Loader (PEAKLIGHT).
### Advanced Features
* **EtherHiding/Web3 Integration:** Utilizes Binance Smart Chain (BSC) contracts to host and retrieve vital data, including JavaScript code, AES keys, lure HTML file URLs, and PowerShell commands, increasing resiliency against takedowns.
* **System Fingerprinting:** Loaded JavaScript code interacts with BSC to fingerprint the victim's system before proceeding with payload delivery.
* **Obfuscation and Encryption:** The ClickFix-related HTML code and payloads are encrypted to resist static analysis.
* **Supply Chain Targeting:** Demonstrated by compromising third-party services (e.g., video services like idostream[.]com) used by target organizations (e.g., auto dealerships).
* **Daily Updates:** The operator frequently updates the framework code, lures, and distributed payloads.
## Indicators of Compromise
*Indicators are generic as the article focuses on the framework, not specific instances, and no specific hashes/IOCs are provided beyond the underlying malware.*
- File Hashes: [Not provided in context]
- File Names: [Implied malicious PowerShell scripts, Stealer binaries (Lumma, Vidar)]
- Registry Keys: [Not provided in context]
- Network Indicators: [URLs of lures and encrypted code hosted on Cloudflare Pages; interactions with Binance Smart Chain (BSC) contracts]
- Behavioral Indicators: Execution of malicious PowerShell initiated from obscured web content; System fingerprinting activities; Communications related to BSC contract interaction.
## Associated Threat Actors
* The threat actors behind the **ClearFake** campaign, first highlighted in July 2023.
## Detection Methods
- Signature-based detection: Signatures for Lumma Stealer and Vidar Stealer payloads.
- Behavioral detection: Detection of PowerShell execution triggered by web-based social engineering lures (especially those disguising system fixes). Monitoring for unauthorized connection attempts or data retrieval from known BSC contract addresses.
- YARA rules: [Not provided in context]
## Mitigation Strategies
- Implementing robust web application firewalls (WAFs) to monitor traffic on compromised sites.
- Educating users specifically on identifying sophisticated lures like fake CAPTCHA/Turnstile checks and 'ClickFix' prompts.
- Disabling or restricting the execution of PowerShell scripts or macros downloaded from untrusted web sources.
- Organizations should review their exposure via third-party supply chain components (e.g., embedded scripts on vendor sites).
## Related Tools/Techniques
* **Malware Dropped:** Lumma Stealer, Vidar Stealer, Emmenhtal Loader (PEAKLIGHT), SectopRAT (observed in alternative ClickFix incidents).
* **Techniques:** EtherHiding, ClickFix (social engineering ploy).
* **Web3 Exploitation:** Use of BSC for C2/payload delivery infrastructure.
***
# Tool/Technique: Lumma Stealer
## Overview
Lumma Stealer is an information-stealing malware deployed as the final payload in some ClearFake attack chains, often delivered via Emmenhtal Loader. It is designed to harvest sensitive data from compromised systems.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows, macOS (as stated for the general ClearFake targets)
- Capabilities: Information theft, credential harvesting.
- First Seen: [Not specified beyond association with ClearFake post-July 2023]
## MITRE ATT&CK Mapping
*Note: Mappings reflect general Stealer capabilities.*
- **TA0006 - Credential Access**
- T1555 - Credentials from Password Stores
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Stealing user credentials and sensitive information from targeted systems.
### Advanced Features
- Delivered through advanced multi-stage infection chains orchestrated by ClearFake framework variants.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: [Associated with Lumma Stealer binaries]
- Registry Keys: [Not provided in context]
- Network Indicators: [Not provided in context, assumed C2 for exfiltration]
- Behavioral Indicators: Attempting to access areas where browser or application credentials are stored.
## Associated Threat Actors
- Threat actors associated with the **ClearFake** campaign.
## Detection Methods
- Signature-based detection: Signatures for Lumma Stealer binaries.
- Behavioral detection: Monitoring for suspicious outbound network traffic characteristic of information stealers.
- YARA rules: [Not provided in context]
## Mitigation Strategies
- Robust Endpoint Detection and Response (EDR) solutions.
- Strong application allow-listing policies.
- User training against social engineering prompts leading to script execution.
## Related Tools/Techniques
- Vidar Stealer (alternate payload).
- Emmenhtal Loader (PEAKLIGHT) (preceding loader).
***
# Tool/Technique: Vidar Stealer
## Overview
Vidar Stealer is an information-stealing malware deployed via an alternate ClearFake attack chain observed in late January 2025.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: [Not specified, typically Windows]
- Capabilities: Information theft, credential harvesting.
- First Seen: Mentioned in relation to a January 2025 ClearFake variant.
## MITRE ATT&CK Mapping
*Note: Mappings reflect general Stealer capabilities.*
- **TA0006 - Credential Access**
- T1555 - Credentials from Password Stores
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Stealing user credentials and sensitive information.
### Advanced Features
- Deployed via PowerShell loader resulting from ClearFake execution.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: [Associated with Vidar Stealer binaries]
- Registry Keys: [Not provided in context]
- Network Indicators: [Not provided in context, assumed C2 for exfiltration]
- Behavioral Indicators: Attempting to access credential stores.
## Associated Threat Actors
- Threat actors associated with the **ClearFake** campaign.
## Detection Methods
- Signature-based detection: Signatures for Vidar Stealer binaries.
- Behavioral detection: Monitoring for suspicious outbound network traffic.
- YARA rules: [Not provided in context]
## Mitigation Strategies
- Robust Endpoint Detection and Response (EDR) solutions.
- User training against social engineering prompts leading to script execution.
## Related Tools/Techniques
- Lumma Stealer (alternate payload).
- ClearFake framework.
***
# Tool/Technique: ClickFix Lure
## Overview
ClickFix is a social engineering ploy used extensively by the ClearFake campaign. It involves deceiving victims, often through web prompts on compromised sites, into running malicious PowerShell code under the pretense of fixing a technical issue (e.g., CAPTCHA failure, browser date issues).
## Technical Details
- Type: Technique / Social Engineering Lure
- Platform: Primarily affects desktop users interacting with web browsers.
- Capabilities: Deceiving users into executing initial malicious commands (PowerShell).
- First Seen: Mentioned in reference to newer ClearFake variants (as of May 2024 analysis).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Metaphorically, the malicious script is the payload)
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell
## Functionality
### Core Capabilities
- Tricking a user into believing a displayed technical prompt is legitimate.
- Prompting the execution of malicious PowerShell commands (e.g., those downloaded via BSC/Cloudflare) to initiate the malware chain.
### Advanced Features
- The specific PowerShell commands used in the ClickFix lure are often retrieved dynamically via BSC integration, making static detection of the initial command difficult.
- Used to deploy malware as diverse as Lumma Stealer, Vidar Stealer, and SectopRAT (in related incidents).
## Indicators of Compromise
- Behavioral Indicators: User interaction leading to immediate, unsolicited PowerShell execution initiated contextually from a suspicious website visit.
## Associated Threat Actors
- Threat actors behind the **ClearFake** campaign.
- Threat actors utilizing the **ClickFix** tactic against other targets (e.g., auto dealerships, deploying SectopRAT).
## Detection Methods
- Behavioral detection: Monitoring for JavaScript injecting prompts that demand immediate execution of system commands or scripts.
- Network monitoring: Detecting retrieval of obfuscated payloads from BSC/Cloudflare Pages following prompt engagement.
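A content-side check for the ClickFix lure pattern the detection list above describes (a fake verification widget that copies a shell command to the clipboard and steers the visitor into running it), as an added example that is not from the original article; the indicator patterns, thresholds and sample pages are constructed here:

```python
import re

# Heuristics for the ClickFix lure pattern: a fake verification widget that copies a
# shell command to the clipboard and walks the visitor through running it. The patterns,
# weights and sample pages below are constructed for this example, not from the article.
INDICATORS = {
    "clipboard_write": re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I),
    "shell_command": re.compile(r"\b(powershell|pwsh|mshta|cmd\.exe|cmd\s+/[ck])\b", re.I),
    "hidden_or_encoded": re.compile(r"-(w|windowstyle)\s+hidden|-(e|enc|encodedcommand)\b|\biex\b|invoke-expression|downloadstring", re.I),
    "fake_verification": re.compile(r"verify you are human|i'?m not a robot|verification steps?|turnstile|recaptcha", re.I),
    "run_dialog_steps": re.compile(r"win(dows)?\s*(key)?\s*\+\s*r\b|ctrl\s*\+\s*v\b|press\s+enter", re.I),
}

def classify(html: str) -> dict:
    """Evaluate page content against the indicators and return hits, score and verdict."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    # Core signal: the page copies a shell command into the clipboard. A docs page with a
    # "copy this install command" button does that too, so require corroboration that the
    # user is being steered into the Run dialog or that the command hides/encodes itself.
    core = hits["clipboard_write"] and hits["shell_command"]
    corroborated = hits["run_dialog_steps"] or hits["hidden_or_encoded"]
    return {"hits": hits, "score": sum(hits.values()), "clickfix": bool(core and corroborated)}

# Constructed samples: a legitimate reCAPTCHA embed, a docs page with a copy button,
# and a ClickFix-style lure whose command is an inert placeholder.
BENIGN_CAPTCHA = """<form action="/login" method="post">
<div class="g-recaptcha" data-sitekey="CONSTRUCTED_SITE_KEY"></div>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<button>Submit</button></form>"""

DOCS_COPY_BUTTON = """<p>Install with PowerShell:</p><pre>powershell -c "winget install Example.Tool"</pre>
<button onclick="navigator.clipboard.writeText(document.querySelector('pre').innerText)">Copy</button>"""

CLICKFIX_LURE = """<div class="verify"><p>Verify you are human. Complete these verification steps:</p>
<ol><li>Press Win + R</li><li>Press Ctrl + V</li><li>Press Enter</li></ol>
<script>
const cmd = 'powershell -w hidden -c "Write-Host CONSTRUCTED_PLACEHOLDER"';
document.querySelector('.verify').onclick = () => navigator.clipboard.writeText(cmd);
</script></div>"""

if __name__ == "__main__":
    for label, page in [("benign captcha", BENIGN_CAPTCHA), ("docs copy button", DOCS_COPY_BUTTON),
                        ("clickfix lure", CLICKFIX_LURE)]:
        result = classify(page)
        print(f"{label:17} clickfix={result['clickfix']} score={result['score']} "
              f"hits={[k for k, v in result['hits'].items() if v]}")
```

Only the lure sample reaches a positive verdict; the real reCAPTCHA embed trips just the verification-text indicator and the docs page trips clipboard plus shell command without corroboration.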
## Mitigation Strategies
- Implementing application control to restrict which users or processes can initiate PowerShell execution.
- Enforcing robust browser security settings and prompt handling.
## Related Tools/Techniques
- reCAPTCHA/Cloudflare Turnstile Lures (The visual disguise).
- EtherHiding (The mechanism used to fetch the ClickFix payload).
***
# Tool/Technique: Other Phishing/Delivery Techniques Mentioned
## Overview
The article briefly mentions several parallel or related phishing/delivery techniques observed in the threat landscape, underscoring the sophistication of current social engineering trends against IT infrastructure and user endpoints.
## Technical Details
- Type: Various (Delivery/Execution Techniques)
- Platform: Primarily Windows/Email Clients
- Capabilities: Archive file exploitation, macro exploitation, cloud security misuse.
## MITRE ATT&CK Mapping
* **VHD Delivery (Venom RAT):** T1566.001 (Phishing Attachment), T1204.002 (User Execution: Malicious File)
* **Excel Exploit (CVE-2017-0149 / AsyncRAT/Remcos RAT):** T1566.001, T1204.002, T1190 (Exploit Public-Facing Application - in context of VBS execution)
* **M365 Misconfiguration:** T1078.004 (Valid Accounts: Cloud Accounts), T1556.001 (Credential Dumping: Credentials in Files)
## Functionality
- **Venom RAT:** Uses Virtual Hard Disk (VHD) files embedded in email archives to deliver malware via a Windows batch script.
- **CVE-2017-0149 Exploit:** Uses old Excel flaws to download HTA, which uses VBS to pull a payload hidden in an image file, decoding and launching AsyncRAT/Remcos RAT.
- **M365 Misconfiguration Exploitation:** Targets cloud security flaws to facilitate ATO and bypass email security.
## Related Tools/Techniques
* Venom RAT, AsyncRAT, Remcos RAT, SectopRAT (mentioned in secondary context).
* Invasive techniques like Adversary-in-the-Middle (AitM) and Browser-in-the-Middle (BitM) frameworks mentioned as highly effective for stealing MFA-protected sessions.