Cyber Security News

New ClearFake Variant Uses Fake reCAPTCHA to Deploy Malicious PowerShell Code

A recent variant of the ClearFake malware framework has been identified, leveraging fake reCAPTCHA and Cloudflare Turnstile verifications to deceive users into executing malicious PowerShell code.

This evolution marks a significant shift in how ClearFake exploits Web3 capabilities to deliver malware through compromised websites.

PowerShell CodePowerShell Code
Overview of the installation flow of the February 2025’s ClearFake variant

Technical Analysis of the New Variant

ClearFake, first detected in July 2023, initially used a straightforward JavaScript injection technique to trick users into downloading fake browser updates.

However, by December 2024, it had evolved to incorporate more sophisticated tactics.

The latest variant continues to exploit Web3 by interacting with the Binance Smart Chain, using smart contracts to host and load malicious JavaScript codes.

These interactions involve fingerprinting the victim’s system and downloading encrypted ClickFix lure HTML files, which are then decrypted and displayed to users.

ClickFix lures used by the February 2025’s ClearFake variant

The ClickFix tactic, introduced earlier, deceives users into executing PowerShell scripts by mimicking technical issues or error messages.

The ClearFake framework injects a brief JavaScript code into compromised websites, typically WordPress sites, to load and execute additional code segments from the Binance Smart Chain.

According to Sekoia Blog Report, this initial script uses the web3 library to interact with the blockchain, retrieving next-stage payloads that are obfuscated and stored within smart contracts.

The payloads are compressed with gzip and encoded in base64, requiring decoding and decompression before execution.

The use of smart contracts allows ClearFake to dynamically update its payloads without directly modifying the compromised websites.

Malware Delivery

The malicious framework delivers various malware loaders, including Emmenhtal Loader, which drops Lumma Stealer, and Vidar Stealer.

These loaders are designed to steal sensitive information from infected systems.

The latest variant’s reliance on fake reCAPTCHA and Cloudflare Turnstile verifications adds a layer of social engineering complexity, making it more challenging for users to distinguish legitimate security measures from malicious activities.

This evolution highlights the ongoing threat posed by ClearFake and the need for enhanced cybersecurity measures to protect against such sophisticated malware delivery tactics.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector emerged…

14 hours ago

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its attacks…

14 hours ago

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6 million…

15 hours ago

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect servers…

17 hours ago

Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025

The healthcare sector has emerged as a prime target for cyber attackers, driven by the…

17 hours ago

SysAid ITSM Vulnerabilities Enables Pre-Auth Remote Command Execution

Security researchers have disclosed a chain of critical vulnerabilities affecting SysAid ITSM’s On-Premise solution, enabling…

17 hours ago