A sophisticated malware campaign is turning a standard security verification step into a trap. Security researchers at Expel have released an analysis of “ClearFake,” a malicious framework that uses fake CAPTCHA challenges to trick users into compromising their own systems. By leveraging “living off the land” tactics and the immutable nature of blockchain technology, ClearFake has evolved into a highly evasive threat.
The attack begins with a compromised website. Visitors are presented with a fake CAPTCHA prompt asking them to verify they are human. However, instead of clicking images of traffic lights, the user is given a set of peculiar instructions: press Win + R, then Ctrl + V, and finally Enter.

While this might seem like a complex verification method to the uninitiated, it is actually a social engineering lure known as ClickFix.
“The fake CAPTCHA challenges use social engineering to lure visitors into installing malware,” the report explains. When the user presses Win + R, the Windows Run dialog opens. Pressing Ctrl + V pastes a malicious PowerShell command that the website had silently copied to the clipboard.
The genius—and danger—of the latest ClearFake iteration lies in how it executes this malicious code. Rather than running a script directly, which might trigger antivirus alarms, the attackers use a technique called Proxy Execution.
They exploit a legitimate Windows system file located in C:\Windows\System32 called SyncAppvPublishingServer.vbs. Designed to synchronize App-V environments, this script has a command injection flaw.
“Recently, the campaign has adopted much more evasive tactics such as leveraging Proxy Execution to run PowerShell commands via a trusted Windows feature,” the analysis notes.
By abusing this trusted system component, the attackers can launch PowerShell in “hidden mode,” making the infection process completely invisible to the user. Because the activity originates from a trusted Windows file, many security products may not immediately flag it as malicious.
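The proxy-execution chain described above leaves a recognisable process-tree pattern. The following detection logic is an added example, not code from the Expel report: it scores constructed Sysmon Event ID 1 style records (hypothetical sample events, not real campaign telemetry) for the App-V publishing script being launched with an injected argument, an interactive explorer.exe parent consistent with the Win+R lure, and a hidden-window PowerShell child spawned by a script host.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are illustrative records only, not telemetry from the real campaign.
SAMPLE_EVENTS = [
    {   # ClickFix chain: Run dialog (explorer.exe) -> wscript running the App-V script
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; <payload redacted>"',
    },
    {   # Hidden-window PowerShell spawned by the script host
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -WindowStyle Hidden -NoProfile",
    },
    {   # Benign: scheduled App-V sync run by the task scheduler, no injected argument
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs",
    },
    {   # Benign: an administrator opening a normal interactive PowerShell session
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
    },
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
APPV_SCRIPT = "syncappvpublishingserver.vbs"
# Matches both the long form (-WindowStyle Hidden) and the abbreviated form (-w hidden).
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# Quoted argument handed to the App-V script; a ';' inside it is the injection tell.
ARG_RE = re.compile(r'syncappvpublishingserver\.vbs\s+"([^"]*)"', re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons) for one process-creation event; 0 means nothing suspicious."""
    image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    reasons = []
    if image in SCRIPT_HOSTS and APPV_SCRIPT in cmd.lower():
        m = ARG_RE.search(cmd)
        if m and ";" in m.group(1):
            reasons.append("App-V publishing script invoked with a command separator in its argument")
        if parent == "explorer.exe":
            reasons.append("launched interactively (explorer.exe parent), consistent with the Win+R lure")
    if image == "powershell.exe" and parent in SCRIPT_HOSTS and HIDDEN_RE.search(cmd):
        reasons.append("hidden-window PowerShell spawned by a script host")
    return len(reasons), reasons

def detect(events, threshold=1):
    """Return alert records for every event whose score reaches the threshold."""
    return [{"CommandLine": ev["CommandLine"], "score": s, "reasons": r}
            for ev in events for s, r in [score_event(ev)] if s >= threshold]
```

Running `detect(SAMPLE_EVENTS)` flags the first two records and leaves both benign ones untouched; in a real deployment the two parent/child hits would be correlated on process GUID rather than scored independently.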
Perhaps the most resilient aspect of ClearFake is its distribution method. The campaign utilizes a technique called EtherHiding to host its malicious payloads directly on the Binance Smart Chain (BSC).
“Since the blockchain is immutable, there’s no way to delete the malicious smart contract,” the report states.
The attackers use smart contracts—typically used for Web3 technologies like NFTs—to store Base64 encoded malicious JavaScript. The malware on the victim’s machine retrieves this payload by querying the smart contract via public API endpoints. This provides the threat actors with a “takedown resistant means of hosting malware,” as only the owner of the crypto wallet can modify the contract.
To further evade detection, the campaign has transitioned to using jsDelivr, a popular Content Delivery Network (CDN), to host parts of its malicious code. “This heavily limits the capabilities of security products which rely on flagging malicious domains & IP addresses,” as blocking a major CDN would disrupt countless legitimate websites.
The scale of the operation is significant. By analyzing the transaction history of the smart contracts used, researchers estimate that nearly 150,000 systems have been infected since August 2025.
As the Expel analysis concludes, “This campaign is highly sophisticated and very evasive,” combining social engineering with advanced technical exploits to bypass modern defenses.