ClearFake Uses BSC Testnet Contracts for Takedown-

By Jennifer Sherman, May 28, 2026 (5 min read)

The ClearFake malware campaign has adopted a sophisticated new tactic, using blockchain smart contracts for its command and control (C2) infrastructure. This method makes the campaign highly resistant to takedown, leaving security teams with almost no way to shut its operations down.

Table of Contents

  • ClearFake Uses BSC Testnet Smart Contracts
  • ClickFix Overlay and Dual Payload Delivery
  • Indicators of Compromise (IoCs)

Instead of relying on traditional servers that can be taken offline, the attackers hid their command-and-control infrastructure inside the BNB Smart Chain testnet, a decentralized network that no authority can seize or suspend.

ClearFake spreads by compromising legitimate websites and injecting hidden JavaScript code into their pages. Victims do not need to do anything suspicious to get infected.

Simply visiting a tampered legitimate site can trigger the malware’s multi-stage delivery chain. In one confirmed case, an employee was browsing a recreational website in Switzerland when their machine was silently taken over through a fully automated attack sequence.

Researchers at Trend Micro analyzed this intrusion in May 2026 and uncovered the full depth of the campaign.

Trend Micro said in a report shared with Cyber Security News (CSN) that threat actors used a technique called EtherHiding to store payload routing instructions inside blockchain smart contracts, bypassing all URL-based blocking methods entirely.

Attack Diagram (Source: Trend Micro)

The attack chain delivered two dangerous tools simultaneously: SectopRAT, a .NET-based Remote Access Trojan capable of hijacking browser sessions, and ACRStealer, a C++ infostealer that harvests passwords, credit card numbers, cookies, and cryptocurrency wallet data.

Victims on Windows and macOS were routed to separate payloads tailored to their operating system, with routing handled by real-time OS detection in the browser.

What makes this campaign especially alarming is its confirmed longevity. Four smart contracts were identified, all sharing a single deployer wallet, with the oldest contract deployed nearly a year before the analysis was conducted.

This is not a one-off experiment. This is a long-running, fully operational campaign built to survive any takedown attempt by any authority or security vendor.

ClearFake Uses BSC Testnet Smart Contracts

The EtherHiding technique works by storing malicious JavaScript directly inside a smart contract on the BNB Smart Chain testnet rather than on any traditional web host.

When a victim visits a compromised site, injected code quietly queries the blockchain and retrieves the full payload into the browser with no external URL involved.

Since blockchain data is replicated across thousands of nodes simultaneously, there is no server to take down, no domain to seize, and no IP address to block.

The ClickFix social engineering overlay rendered in the victim’s browser (Source: Trend Micro)

ClearFake refined this technique by storing the complete JavaScript on-chain rather than just a routing URL.

Four contracts served distinct roles: Smart Contract A delivered the anti-analysis dispatcher, Smart Contract B held the Windows ClickFix overlay, Smart Contract C held the macOS payload, and Smart Contract D acted as an on-chain tracker that confirmed each victim compromise in real time.

Operating on the testnet also meant the attackers paid nothing, since test BNB tokens carry no monetary value.

ClickFix Overlay and Dual Payload Delivery

Once the blockchain query succeeded, victims saw a convincing fake Google reCAPTCHA overlay complete with an “I’m not a robot” checkbox.

Clicking it triggered the ClickFix social engineering panel, which simultaneously injected a malicious command directly into the victim’s clipboard.

Windows users were instructed to open the Run dialog and paste it, loading a remote DLL into memory with no file ever written to disk. A Python-based RAT and shellcode loader were quietly installed inside a folder designed to mimic a legitimate FileZilla FTP client directory.

Security teams are advised to block outbound JSON-RPC traffic to BNB Smart Chain testnet RPC endpoints, starting with bsc-testnet-rpc.publicnode.com; this removes the contract query step before any payload executes.
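As a monitoring counterpart to that block, here is an added example (not Trend Micro's or the article's code) that scans web proxy log lines for the Stage 1 contract lookup the article describes: a JSON-RPC eth_call POST to the BSC testnet endpoint, or to a contract on a watchlist. The log line format and sample traffic are constructed, and the watchlist address is a placeholder, not a real contract.

```python
import json
import re
from urllib.parse import urlparse

# Endpoint named in the article; defanged "[.]" forms are normalised before matching.
TESTNET_RPC_HOSTS = {"bsc-testnet-rpc.publicnode.com"}
# Placeholder contract address (assumption): load the real watchlist from your intel feed.
WATCHLIST = {"0x" + "a" * 40}

# Constructed proxy log format: <timestamp> <client-ip> <verb> <url> body=<request body>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<verb>\S+) (?P<url>\S+) body=(?P<body>.*)$")

def classify(line):
    """Return findings (kind, client, host, contract) for one log line; empty if benign."""
    m = LOG_RE.match(line)
    if not m:
        return []
    try:
        host = (urlparse(m["url"].replace("[.]", ".")).hostname or "").lower()
        body = json.loads(m["body"])
    except ValueError:
        return []  # unparsable URL or no JSON body, so not a JSON-RPC call
    calls = body if isinstance(body, list) else [body]  # JSON-RPC allows batched requests
    watch = {a.lower() for a in WATCHLIST}
    findings = []
    for call in calls:
        if not isinstance(call, dict) or call.get("method") != "eth_call":
            continue
        params = call.get("params") or [{}]
        first = params[0] if isinstance(params[0], dict) else {}
        to = str(first.get("to", "")).lower()  # the contract being read on-chain
        if host in TESTNET_RPC_HOSTS:
            findings.append(("testnet_eth_call", m["src"], host, to))
        if to in watch:
            findings.append(("watchlist_contract", m["src"], host, to))
    return findings

def scan(lines):
    """Classify every line and flatten the findings."""
    return [f for line in lines for f in classify(line)]

# Constructed sample traffic: a normal page load, the Stage 1 contract lookup, an unrelated RPC call.
SAMPLE_LOGS = [
    "2026-05-28T10:00:00Z 10.0.0.5 GET https://example.test/ body=",
    "2026-05-28T10:00:01Z 10.0.0.5 POST https://bsc-testnet-rpc.publicnode.com/ body="
    + json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                  "params": [{"to": "0x" + "A" * 40, "data": "0x"}, "latest"]}),
    "2026-05-28T10:00:02Z 10.0.0.7 POST https://rpc.example.test/ body="
    + json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []}),
]
```

Running scan(SAMPLE_LOGS) yields two findings for the second line only, one for the testnet endpoint and one for the watchlisted contract; feed real proxy exports through the same function after adapting LOG_RE to your log format.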

Disabling the Windows WebClient service on workstations that do not need WebDAV eliminates the remote DLL loader delivery mechanism. Browser management policies restricting clipboard write access can interrupt the ClickFix step before a victim runs the injected command.

End-user awareness training on fake CAPTCHA and ClickFix lures remains the first line of defense, since the entire post-infection chain here required just one deliberate action from the victim.

Figures (Source: Trend Micro)

  • Figure 1: Attack diagram
  • Figure 2: View-source of the Swiss website showing the injected ClearFake Stage 1 loader
  • Figure 3: The deobfuscated Stage 1 load() function, the async blockchain query that constructs an eth_call JSON-RPC request to Smart Contract A on the BSC testnet
  • Figure 4: Raw Stage 2 JavaScript as stored in Smart Contract A
  • Figure 5: The ClickFix social engineering overlay rendered in the victim’s browser
  • Figure 6: TrendAI Vision One execution profile showing the payload delivery path
  • Figure 7: TrendAI Vision One execution profile showing rundll32.exe spawning dllhost.exe and injecting remote threads into chrome.exe and msedge.exe for browser credential theft
  • Figure 8: TrendAI Vision One execution profile showing dllhost.exe dropping pythonw.exe (a silent Python interpreter) and helper.py (shellcode loader) to the FileZilla Data directory
  • Figure 9: ABI-decoded addToList() transaction on Smart Contract D, the on-chain execution confirmation written by the threat actor


Indicators of Compromise (IoCs)

Type | Indicator | Description
Blockchain Address | 0xAdecFB75C8C0CA2b C105 17ce5B7AF99b4c2d52c9 | Smart Contract A (Stage 1 entry-point contract, holds base64-encoded Stage 2 JS)
Blockchain Address | 0x4679 0e2Ac7F3CA5a7D1bf Ce3123d1 1E91D23386Fw | Smart Contract B (Windows-specific ClickFix overlay payload)
Blockchain Address | 0x68Dc e15C1002 a268 9E19D33A 3aE509Dd1fe b11A5 | Smart Contract C (macOS-specific payload)
Blockchain Address | 0xf4a325 88b50a59ab2fb a148d 4360b1A48d8b 0b32A | Smart Contract D (on-chain execution confirmation tracker)
Wallet Address | 0xd71f4cdC8442 0d2bd07F 507b7A4F99 8b4c2d52c9 | Shared deployer wallet for all four smart contracts
RPC Endpoint | bsc-testnet-rpc.publicnode[.]com | BSC testnet RPC endpoint queried by Stage 1 injected JavaScript
File Name | put34b.camp | Remote DLL loaded by Windows WebClient service directly into memory
File Name | pythonw.exe | Silent Python interpreter dropped to FileZilla Data directory
File Name | helper.py | Shellcode loader dropped alongside pythonw.exe
File Name | libvlccore.dll | Malicious proxy DLL used in VLC DLL sideloading triad (ACRStealer)
File Name | remote_debugging.pyd | Browser credential theft module used by SectopRAT
Cookie Name | cjs_id | UUID cookie set by overlay JS to track victim public IP and re-visit correlation
Analytics Tracker | mc.yandex[.]ru/metrika/tag.js | Yandex Metrika tracker injected by macOS payload (counter ID: 99162160)
Process Name | rundll32.exe | Used to load put34b.camp remote DLL via UNC path
Process Name | dllhost.exe | Spawned by rundll32.exe; drops Python RAT files and injects into browsers

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.