.ru serious? 🇷🇺 ccTLD .ru had an unbelievable +3741% ⏫ in #botnet C&C domains, placing it #1 for the most abused ccTLD in the latter half of 2025. This activity can be attributed almost entirely to #clearfake, a malicious JavaScript framework.

Learn more in the Botnet Threat Update Jul - Dec 2025 ⤵️ ⤵️
https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-july-to-december-2025/

#ccTLD #BotnetCC #ThreatIntel

🚨 ClearFake Payload Delivery Domain Identified

A domain linked to ClearFake activity has been flagged delivering a js.clearfake payload with 100% confidence.

Quick Facts:

▪️Type: Domain
▪️Indicator: x5ust[.]windshift[.]ru
▪️Threat Type: Payload Delivery
▪️Malware: js.clearfake
▪️Date: 05 Dec 2025 // 00:17 UTC
▪️Tags: #ClearFake
▪️Reporter: threatcat_ch

URLScan:

▪️Verdict: 0
▪️Title: FASTPANEL
▪️Domain: https://urlscan.io/domain/x5ust.windshift.ru
▪️Result: https://urlscan.io/result/019aebe2-3c71-77ff-9e6d-5d225679e78a/
▪️Screenshot: https://urlscan.io/screenshots/019aebe2-3c71-77ff-9e6d-5d225679e78a.png

DNS / CT Data:

▪️A Records: 104.21.19.50, 172.67.185.61
▪️DNSlytics: https://dnslytics.com/domain/x5ust.windshift.ru

Related Intelligence:

▪️CRT: https://crt.sh/?q=x5ust.windshift.ru
▪️VirusTotal: https://www.virustotal.com/gui/domain/x5ust.windshift.ru

Here is our in-depth analysis of the latest #ClearFake variant using the Binance Smart Chain and two new ClickFix lures.

ClearFake is injected into thousands of compromised sites to distribute the #Emmental Loader, #Lumma, #Rhadamanthys, and #Vidar.

CTI tip: monitor transactions from the Ethereum address 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA to identify new PowerShell commands distributed by ClearFake - and block/detect any traffic to malicious domains!

As usual, feedback is greatly appreciated!

https://infosec.exchange/@sekoia_io/114189330631698208

TDR analysts published an analysis of the new #ClearFake variant that relies on compromised websites injected with the malicious JavaScript framework, the #EtherHiding technique, and the #ClickFix social engineering tactic.

https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/

#ClearFake variant is now spreading #Rhadamanthys Stealer via #Emmenhtal Loader.

cc @sekoia_io

1. ClearFake framework is injected on compromised WordPress and relies on EtherHiding

2. The #ClickFix lure uses a fake Cloudflare Turnstile with unusual web traffic

3. Malicious PowerShell command is copied into the user's clipboard data to be executed in the Run dialog box

4. Downloading Emmenhtal from:

bytes.microstorage.]shop (1st stage)
w66.discoverconicalcrouton.]shop (2nd stage)

5. Further downloading and executing Rhadamanthys from:

bytes.microstorage.]shop/code.bin (https://virustotal.com/gui/file/a88c153e1595f9d193b3f881ec77e0d7d338ae22c9f6e67ffdf39c3609fcdbf7)

6. Communicating with C2 at:

91.240.118.]2:9769

Public analysis of the recent ClearFake variant: https://security.szustak.pl/etherhide/etherhide.html

Whenever you run something inside a Windows Run dialog box, apparently it gets saved to the registry under the RunMRU key.
This can be helpful for those of you hunting for ClickFix / ClearFake campaign activity since anything executed after the run dialog has a better chance of blending into benign activity.
Building regex patterns on the registry key values can help uncover any malicious commands with multiple arguments.

#clickfix #clearfake #threathunting
https://forensafe.com/blogs/runmrukey.html