ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery

March 18, 2025, 9:59 a.m.

Description

ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through drive-by downloads. Threat actors compromise legitimate websites and inject malicious JavaScript code that redirects users to convincing fake update pages for browsers like Chrome and Edge. These pages prompt users to download updates hosted on platforms such as Dropbox and OneDrive; the downloads actually contain malware payloads. Notably, since late September, ClearFake has altered its code injection tactics and now uses smart contracts from the Binance Smart Chain.

Date

  • Created: March 18, 2025, 9:46 a.m.
  • Published: March 18, 2025, 9:46 a.m.
  • Modified: March 18, 2025, 9:59 a.m.

Indicators


Attack Patterns