ClearFake Uses BSC Smart Contracts and ClickFix Lures to Deliver Info-Stealers
Researchers reported that the long-running ClearFake/EtherHiding campaign is using compromised legitimate websites, fake Google reCAPTCHA pages, and ClickFix social-engineering lures to deliver malware through BNB Smart Chain testnet smart contracts rather than conventional staging servers. Analysis from Trend Micro and Censys found the attackers embedded obfuscated JavaScript and ethers.js on hacked sites, performed browser and OS checks, and retrieved victim-specific payload logic from on-chain contracts tied to a single deployer wallet. The infrastructure included contracts for anti-analysis dispatching, separate Windows and macOS delivery, and victim tracking, making traditional takedowns and URL blocking far less effective.
The campaign delivered SectopRAT and ACRStealer to steal passwords, cookies, browser sessions, credit card data, and cryptocurrency wallet information, while macOS infections also used dynamic resolver techniques through external web services to locate command-and-control endpoints and collect host data. A related stealer campaign described by Gurucul used software-search redirection, fake MEGA Transfer pages, a Go-based loader, and an Ethereum dead-drop resolver to obtain command-and-control infrastructure, underscoring a broader shift toward blockchain-backed malware delivery and resilient C2. Defenders were advised to monitor for unexpected ethers.js usage, fake CAPTCHA assets, clipboard-driven execution prompts, and access to BSC testnet JSON-RPC services, while training users to avoid fraudulent CAPTCHA and ClickFix prompts.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Trend Micro analyzes ClearFake use of BSC testnet smart contracts
In May 2026, Trend Micro analyzed a ClearFake campaign that used four BNB Smart Chain testnet smart contracts tied to one deployer wallet for anti-analysis logic, Windows and macOS payload delivery, and on-chain victim tracking. The campaign delivered SectopRAT and ACRStealer and made traditional takedowns and URL blocking less effective.
EtherHiding campaign remains active for nearly a year
Trend Micro reported that the ClearFake malware campaign using EtherHiding and BNB Smart Chain testnet smart contracts had been active for nearly a year before its May 2026 analysis. The campaign compromised legitimate websites and used fake CAPTCHA and ClickFix lures to deliver malware.
Gurucul reports RemusStealer delivery via software search redirection
On May 28, 2026, Gurucul reported a campaign redirecting users searching for open-source C++ IDE software from legitimate sites to fake MEGA Transfer pages that delivered RemusStealer. The activity used CloudFront-hosted JavaScript for fingerprinting and routing and an Ethereum-based dead drop resolver for command-and-control discovery.
Censys documents blockchain-backed EtherHiding attack chain
On November 21, 2025, Censys published analysis of an EtherHiding attack chain that used Binance Smart Chain testnet smart contracts, compromised websites, fake CAPTCHA prompts, and Click-Fix lures to deliver OS-specific malware stages. The report also described macOS-specific credential theft and dynamic C2 resolution through Telegram and Steam pages.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
ClearFake Uses BSC Testnet Smart Contracts for Takedown-Resistant Command and Control
cybersecuritynews.com
Open sourceRemus Stealer Delivered Via Software Search Redirection | Community Portal | Gurucul
community.gurucul.com
Open sourceEtherHiding: Fake CAPTCHAs, Click-Fix Lures, and Blockchain-Backed Payload Delivery - Censys
censys.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Fake CAPTCHA and ClickFix Social Engineering Used to Deliver Stealer Malware
A wave of **social-engineering-driven malware delivery** is abusing “verification” and “fix” workflows to trick users into running attacker-supplied commands that install information stealers. LevelBlue reported a campaign using **fake Cloudflare-style CAPTCHA pages** on compromised websites to convince Windows users to manually execute malicious **PowerShell** commands, resulting in **StealC** deployment; StealC is described as exfiltrating browser credentials, crypto wallet data, Steam and Outlook credentials, system information, and screenshots over **RC4-encrypted HTTP** to a C2 server. Intego also identified an evolved **ClickFix** technique on macOS (“**Matryoshka**”) that leverages **typosquatting** to redirect users to pages instructing them to paste “fix” commands into Terminal; the loader then retrieves an AppleScript payload to steal browser credentials and target wallet apps (e.g., *Trezor Suite*, *Ledger Live*), including repeated fake password prompts as a fallback. Separately, other credential-theft campaigns are also leaning heavily on lures that exploit user trust and routine workflows. Morphisec described **Noodlophile** evolving from fake AI video platform ads to **fake job postings** and phishing “assessments,” delivering multi-stage stealers/RATs via techniques including **DLL sideloading**, while continuing to use **Telegram bots** for exfiltration/C2 and adding file-bloating content intended to disrupt automated analysis. These developments reinforce that user-in-the-loop execution (copy/paste commands, “verification” steps, and recruitment-themed forms) remains a high-yield initial access vector for stealers across both Windows and macOS environments.
Mar 21, 2026
ClickFix Campaigns Deliver Modular RATs, Banking Trojans, and macOS Stealers
Researchers reported multiple **ClickFix** campaigns using fake CAPTCHA or reCAPTCHA prompts to trick users into manually running malicious commands, with payloads tailored by platform and victim profile. On Windows, one campaign delivered a modular NodeJS-based RAT and infostealer through a malicious MSI installer, loading key capabilities only in memory after command-and-control was established and using `gRPC` over Tor for persistent communications. An operational security failure exposed the malware’s backend protocol definitions and admin panel API, revealing a malware-as-a-service operation with multi-operator support, Telegram alerts, automation rules, and cryptocurrency wallet tracking. The malware also fingerprinted victims extensively and established persistence through the Windows Run registry key as **LogicOptimizer**. A separate ClickFix chain attributed with high confidence to **Grandoreiro** targeted users of eight Brazilian banks by luring victims through a fake reCAPTCHA page and launching a malicious PowerShell sequence that sideloaded a Delphi banking trojan with legitimate GoToMeeting and Nero binaries. The malware deployed banking overlays, intercepted **PIX** QR-code payments, added Microsoft Defender exclusions, and stole credentials, device information, signatures, and payment confirmation codes. Netskope also documented a macOS variant that used AppleScript and a persistent fake password dialog to harvest Keychain data, browser cookies, saved credentials, extension storage, and cryptocurrency wallet data; the theft of live session cookies can enable attackers to bypass MFA by hijacking authenticated sessions.
May 1, 2026
ClickFix Social-Engineering Technique Used to Trick Users Into Running Malware
Multiple reports highlighted **ClickFix**, a social-engineering technique that uses fake verification or update prompts to coerce users into manually executing attacker-supplied commands, as a recurring initial access method in recent malware activity. In the **OCRFix** botnet campaign, victims were lured to a typosquatted site impersonating *Tesseract OCR* (`tesseract-ocr[.]com` lookalike) via SEO poisoning and reported **LLM poisoning** (chatbot recommendations pointing users to the malicious site). The site presented a fake CAPTCHA that copied an obfuscated PowerShell command to the clipboard and instructed the user to paste it into PowerShell; this led to retrieval of a malicious MSI (`98166e51.msi`) from `opsecdefcloud[.]com`, after which victims were redirected to the legitimate GitHub project to reduce suspicion. The loader then queried a **BNB TestNet** smart contract to obtain C2 details, using **EtherHiding** (blockchain-hosted instructions) to make takedown and disruption more difficult. A separate investigation described a **Chrome extension supply-chain compromise** of *QuickLens – Search Screen with Google Lens* (7,000+ users), where attackers acquired the extension and shipped an update embedding malicious scripts and elevated permissions to enable credential/crypto theft and staged payload delivery; the campaign also incorporated a **ClickFix** flow that masqueraded as a legitimate browser update to trick users into executing malicious code. Other items in the set covered different topics: an AiTM phishing-kit attribution case study (focused on reverse-proxy phishing infrastructure rather than ClickFix), research on **Funnull/Fangneng CDN** as cybercrime-enabling infrastructure and related supply-chain activity, and Zscaler reporting on **Dust Specter APT** targeting Iraqi government officials with password-protected RAR delivery and custom malware modules—none of which were primarily about ClickFix.
Mar 21, 2026