Clearfake Turns Blockchain Into Malware Shield
Arabian Post
The campaign marks an escalation in the abuse of decentralised infrastructure for malware operations. Instead of relying on domains, hosting providers or disposable servers that can be suspended, the operators are storing payload logic and routing instructions inside smart contracts on a public blockchain test network. Once written to the chain, the data is replicated across nodes and remains accessible through public remote procedure call endpoints, making removal far more difficult than with ordinary web-hosted malware.
Security analysis of the activity found that compromised websites were injected with obfuscated JavaScript that queried BNB Smart Chain testnet contracts. The retrieved data was decoded and executed in the victim's browser, allowing the attackers to progress through a multi-stage infection chain without exposing a conventional payload URL in the infected page. The technique, known as EtherHiding, has become a favoured method for threat actors seeking durable delivery infrastructure.
ClearFake has long relied on compromised websites and fake browser update or CAPTCHA-style prompts to trick users into executing malicious commands. Its newer infrastructure combines that social engineering with smart contract-based routing, creating a resilient traffic distribution mechanism. The attack chain examined by researchers delivered SectopRAT, a .NET-based remote access trojan with browser session hijacking capability, and ACRStealer, a C++ information stealer aimed at extracting sensitive data.
The use of the BNB Smart Chain testnet gives the operators a cost advantage. Testnet tokens have no market value and are available through public faucets, enabling smart contract deployment and updates without meaningful expense. The contracts can be queried through standard blockchain calls, allowing malicious scripts to blend with legitimate Web3 traffic while avoiding static indicators that defenders commonly use for blocking.
Four smart contracts were identified in the chain, all linked to a single deployer wallet. The oldest had been active for nearly a year, indicating that the infrastructure was not a short-lived experiment but part of a maintained operational model. One contract acted as an early-stage dispatcher, another handled payload routing, while deeper stages supported overlay rendering and execution tracking. A separate on-chain tracker allowed the attackers to confirm compromises in real time.
The campaign's design reflects a wider shift in cybercrime. Threat actors are increasingly replacing fragile infrastructure with services and platforms that defenders cannot easily block at scale. Content delivery networks, public code repositories, cloud services and blockchain networks are being used to hide malicious activity within legitimate traffic. ClearFake's testnet abuse sits within that pattern, but the immutability of blockchain data makes the challenge more acute.
The ClearFake operation has also used ClickFix-style lures, where victims are presented with a fake verification prompt and instructed to run keyboard commands. On Windows systems, the lure may prompt users to open the Run dialogue, paste a command already placed on the clipboard, and execute it. Such tactics exploit user trust in familiar verification screens and bypass many technical controls by turning the victim into the execution mechanism.
Earlier ClearFake activity was associated with fake Chrome update pages and injected JavaScript on hacked WordPress sites. The campaign later adopted more evasive methods, including living-off-the-land execution paths and trusted web infrastructure. The blockchain stage adds another defensive complication, as blocking a public chain endpoint may disrupt legitimate developer or business activity, while removing malicious data from deployed smart contracts is usually not possible unless the contract owner changes it.
The threat is not confined to one actor or one payload family. Blockchain-hosted malware delivery has appeared in financially motivated campaigns as well as activity tied to state-backed operators. Information stealers remain the dominant payload because browser credentials, session cookies, cryptocurrency wallets and enterprise tokens can be monetised quickly. Remote access tools add persistence and allow attackers to move from initial compromise to broader intrusion.
For corporate defenders, the development places greater emphasis on behavioural detection rather than infrastructure takedowns. Suspicious browser-to-blockchain RPC calls, unexpected JavaScript execution from decoded smart contract responses, clipboard manipulation, Run dialogue abuse, unusual PowerShell or script interpreter activity, and connections to known malware staging patterns are stronger signals than domain reputation alone. Endpoint controls that restrict script execution and monitor clipboard-to-command workflows can reduce exposure.
Website owners face a parallel risk because ClearFake relies heavily on compromised web properties to reach victims. Outdated content management systems, vulnerable plugins, weak administrator credentials and poor file integrity monitoring continue to provide entry points for JavaScript injection. Regular patching, server-side integrity checks, strict content security policies and monitoring for unfamiliar script tags can limit the abuse of legitimate sites as malware launchpads.
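As an added illustration of the two defensive points above (this is not code from the article or from any researcher it cites), the Python below covers both: it flags JSON-RPC eth_call requests from browsers to watched testnet RPC hosts in proxy logs, and it reports script tags on a site that are not in a known-good baseline, which catches an injected obfuscated loader without needing a recognisable string inside it. The log record format, the RPC host names and the sample traffic are all constructed for the example; a deployment would substitute its own watched endpoints and its real log schema.

```python
import hashlib
import json
import re

# Placeholder RPC hosts to watch (constructed; the article names no endpoints).
TESTNET_RPC_HOSTS = {"testnet-rpc.example", "prebsc-seed.example"}
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)

def flag_testnet_eth_calls(log_lines):
    # Each line is a JSON proxy record (constructed format) with the POST body as a string.
    # A JSON-RPC eth_call to a watched testnet host is the EtherHiding lookup signal.
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        try:
            body = json.loads(rec.get("body", ""))
        except json.JSONDecodeError:
            continue  # body is not JSON, so it cannot be a JSON-RPC call
        if not isinstance(body, dict) or body.get("jsonrpc") != "2.0":
            continue
        if body.get("method") == "eth_call" and rec.get("host") in TESTNET_RPC_HOSTS:
            params = body.get("params") or [{}]
            hits.append({"src": rec.get("src"), "host": rec["host"],
                         "contract": params[0].get("to")})
    return hits

def unfamiliar_scripts(html, baseline):
    # Hash every <script> (src attribute or inline body) and report those missing from the
    # baseline set: an injected script is caught because it is new, not because of its content.
    unknown = []
    for attrs, inline in SCRIPT_RE.findall(html):
        src = re.search(r"""src\s*=\s*["']([^"']+)""", attrs)
        content = src.group(1) if src else inline.strip()
        digest = hashlib.sha256(content.encode()).hexdigest()
        if digest not in baseline:
            unknown.append(digest)
    return unknown

def _rec(src, host, body):  # one constructed proxy log line
    return json.dumps({"src": src, "host": host, "body": json.dumps(body)})

SAMPLE_LOG = [  # constructed traffic: one testnet eth_call, one mainnet read, one unrelated POST
    _rec("10.0.0.5", "testnet-rpc.example", {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
         "params": [{"to": "0x" + "ab" * 20, "data": "0xdeadbeef"}, "latest"]}),
    _rec("10.0.0.7", "mainnet-rpc.example", {"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []}),
    _rec("10.0.0.9", "cdn.example", {"event": "pageview"}),
]
SAMPLE_HTML = '<script src="/assets/app.js"></script><script>var _0x1=["..."];</script>'
BASELINE = {hashlib.sha256(b"/assets/app.js").hexdigest()}  # hash of the known-good script
```

Running flag_testnet_eth_calls(SAMPLE_LOG) returns only the eth_call record with its target contract, and unfamiliar_scripts(SAMPLE_HTML, BASELINE) returns one digest, that of the inline script absent from the baseline.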