#clearfake — Public Fediverse posts

.ru serious? 🇷🇺 ccTLD .ru had an unbelievable +3741% ⏫ in #botnet C&C domains, placing it #1 for the most abused ccTLD in the latter half of 2025. This activity can be attributed almost entirely to #clearfake, a malicious JavaScript framework.

Learn more in the Botnet Threat Update Jul - Dec 2025 ⤵️ ⤵️
https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-july-to-december-2025/

#ccTLD #BotnetCC #ThreatIntel

TDR analysts published an analysis of the new #ClearFake variant that relies on compromised websites injected with the malicious JavaScript framework, the #EtherHiding technique, and the #ClickFix social engineering tactic.

https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/

While investigating an infected website, we noticed call to BSC testnet contract 0x0967296defa0fd586c9ede5730380e2b059fab95 : https://testnet.bscscan.com/address/0x0967296defa0fd586c9ede5730380e2b059fab95

The contract’s content is clearly malicious and connects over WebSocket to suckerity[.]xyz (behind Cloudflare), not related to #ClearFake, but reminds us #Magecart related injections:

While investigating an infected website, we noticed call to BSC testnet contract 0x0967296defa0fd586c9ede5730380e2b059fab95 : https://testnet.bscscan.com/address/0x0967296defa0fd586c9ede5730380e2b059fab95

The contract’s content is clearly malicious and connects over WebSocket to suckerity[.]xyz (behind Cloudflare), not related to #ClearFake, but reminds us #Magecart related injections:

While investigating an infected website, we noticed call to BSC testnet contract 0x0967296defa0fd586c9ede5730380e2b059fab95 : https://testnet.bscscan.com/address/0x0967296defa0fd586c9ede5730380e2b059fab95

The contract’s content is clearly malicious and connects over WebSocket to suckerity[.]xyz (behind Cloudflare), not related to #ClearFake, but reminds us #Magecart related injections:

While investigating an infected website, we noticed call to BSC testnet contract 0x0967296defa0fd586c9ede5730380e2b059fab95 : https://testnet.bscscan.com/address/0x0967296defa0fd586c9ede5730380e2b059fab95

The contract’s content is clearly malicious and connects over WebSocket to suckerity[.]xyz (behind Cloudflare), not related to #ClearFake, but reminds us #Magecart related injections:

While investigating an infected website, we noticed call to BSC testnet contract 0x0967296defa0fd586c9ede5730380e2b059fab95 : https://testnet.bscscan.com/address/0x0967296defa0fd586c9ede5730380e2b059fab95

The contract’s content is clearly malicious and connects over WebSocket to suckerity[.]xyz (behind Cloudflare), not related to #ClearFake, but reminds us #Magecart related injections:

#etherhiding (hiding malicious code in blockchain based smart contracts) is not only by #ClearFake related actors – but now also for #Magecart 👇

#etherhiding (hiding malicious code in blockchain based smart contracts) is not only by #ClearFake related actors – but now also for #Magecart 👇

#etherhiding (hiding malicious code in blockchain based smart contracts) is not only by #ClearFake related actors – but now also for #Magecart 👇

#etherhiding (hiding malicious code in blockchain based smart contracts) is not only by #ClearFake related actors – but now also for #Magecart 👇

Вредоносный код навсегда сохранили в блокчейне

Один из старых хакерских трюков — распространять вредоносное ПО под видом обновления браузера . На взломанном сайте размещается плашка с утверждением, что для просмотра нужно обновить браузер. И кнопка для скачивания обновления, как на скриншоте с прошлогодней атаки ClearFake . Таким образом, жертва самостоятельно устанавливает вредоносное ПО на свой компьютер. В прошлом году злоумышленники разработали умный способ защитить вредоносный софт от уничтожения. Они разместили его в децентрализованном анонимном блокчейне . То есть интегрировали код в смарт-контракт, который навечно сохранился в открытом доступе.

https://habr.com/ru/companies/globalsign/articles/878822/

#блокчейн #обновление_браузера #BSC #Binance_Smart_Chain #Binance #BNB #WordPress #ClearFake #BscScan #EtherHiding

Finally we also witnessed in the wild one of those #ClearFake / #ClickFix bait delivered per email as reported by Proofpoint in June - ending with a #brutel / #Latrodectus / #BruteRatel
payload https://www.proofpoint.com/au/blog/threat-insight/clipboard-compromise-powershell-self-pwn

Finally we also witnessed in the wild one of those #ClearFake / #ClickFix bait delivered per email as reported by Proofpoint in June - ending with a #brutel / #Latrodectus / #BruteRatel
payload https://www.proofpoint.com/au/blog/threat-insight/clipboard-compromise-powershell-self-pwn

Cybersecurity Experts Warn of Rising Malware Threats from Sophisticated Social Engineering Tactics https://thecyberexpress.com/ta571-and-clearfake-campaigns/ #TheCyberExpressNews #CybersecurityNews #ClearFakecampaign #PowerShellscripts #TheCyberExpress #FirewallDaily #EtherHiding #ClearFake #TA571

@rmceoin #etherhiding is the new blockchain-powered version of #clearfake
https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16