New Clearfake Variant Leverages Fake reCAPTCHA To Trick Users Deliver Malicious PowerShell Code
ClearFake, a malicious JavaScript framework first identified in July 2023, has evolved with sophisticated new social engineering tactics. Originally designed to display fake browser update pages, the framework has undergone significant developments, incorporating more advanced deception techniques to deliver malware through compromised websites. The latest variant, discovered in December 2024, employs fake reCAPTCHA or Cloudflare […] The post New Clearfake Variant Leverages Fake reCAPTCHA To Trick Users Deliver Malicious PowerShell Code appeared first on Cyber Security News.

ClearFake, a malicious JavaScript framework first identified in July 2023, has evolved with sophisticated new social engineering tactics.
Originally designed to display fake browser update pages, the framework has undergone significant developments, incorporating more advanced deception techniques to deliver malware through compromised websites.
The latest variant, discovered in December 2024, employs fake reCAPTCHA or Cloudflare Turnstile verification challenges to trick users into executing malicious PowerShell code.
This represents a significant evolution from earlier versions that relied on fake browser updates.
Sekoia analysts discovered that this new variant continues to utilize the “EtherHiding” technique but has introduced additional interactions with the Binance Smart Chain.
The framework now deploys multiple JavaScript codes and resources that fingerprint victims’ systems before downloading, decrypting, and displaying deceptive lures.
When users visit a compromised website, they encounter an initial script that loads Web3 libraries and initiates communication with the Binance Smart Chain.
The malicious code is concealed within smart contracts, making analysis more difficult and removal nearly impossible due to the immutable nature of blockchain data.
.webp)
The infection flow begins with injected JavaScript on compromised websites, which retrieves malicious code from blockchain smart contracts, ultimately leading to the display of fake security challenges.
Attack Analysis
The attack starts with a brief JavaScript code injected into compromised websites (mostly WordPress sites), which loads legitimate dependencies like web3, pako, and crypto-js.
This initial script interacts with smart contracts at wallet addresses like 0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53 to retrieve and execute additional code segments.
The malware uses compressed and base64-encoded data that must be decrypted before execution.
The ClickFix lures presented to users include either a fake Cloudflare Turnstile verification that claims to detect “unusual web traffic” or a fake reCAPTCHA challenge alongside a DNS error message.
Both lures instruct users to open the Run command (Win+R) and execute a PowerShell command that’s automatically copied to their clipboard.
.webp)
The fake reCAPTCHA asks users to select images of cars, while the fake Cloudflare Turnstile presents users with a verification challenge, both ultimately leading to social engineering attempts.
The PowerShell commands execute mshta.exe with remote scripts that deliver payloads including Emmenhtal Loader and ultimately Lumma Stealer or Vidar Stealer.
Sekoia researchers noted that the ClearFake infrastructure includes over 9,300 compromised websites, with thousands of users potentially exposed to these malicious lures every day.
The use of blockchain technology for malware delivery represents an emerging threat that makes traditional mitigation and blocking significantly more challenging.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
The post New Clearfake Variant Leverages Fake reCAPTCHA To Trick Users Deliver Malicious PowerShell Code appeared first on Cyber Security News.