TF-1825272
high
Threat Title: ClearFake: Domain name that delivers a malware payload winmastersbetiran.com
Description
Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-08 22:14:07 UTC. Last seen: 2026-06-08 22:14:12 UTC. Reporter: Gi7w0rm. Tags: 8June2026, ClearFake, Commandline, macOS.
Remediations (10)
- web:cybersecuritynews.com: ClearFake malware abused blockchain smart contracts and hacked websites to deliver stealthy, hard-to-stop infections.
- web:cybersecuritynews.com: ClearFake has entered a new and more dangerous phase, turning a familiar fake CAPTCHA scam into a highly evasive malware delivery chain. Across hundreds of hacked websites, visitors now see what looks like a routine verification challenge, but behind the scenes the page is preparing to launch hidden code.
- web:darkwebinformer.com: Overview: A domain associated with the ClearFake JavaScript-based malware campaign has been identified. The domain currently displays a Cloudflare phishing warning and has been reported for malicious activity. ClearFake campaigns are known for distributing malicious scripts that deliver payloads or redirect users to further phishing pages. Confidence is assessed at 100%.
- web:gbhackers.com: Security researchers noted that ClearFake operates as a traffic distribution system, where the operators mass-compromise websites and sell access to other threat actors who want to distribute their payloads across the infected network. This business model explains the wide variety of malware families delivered through the campaign.
- web:rhisac.org: Context: Sekoia researchers have released updates on ClearFake, a malicious JavaScript framework that infects compromised websites to deliver malware through drive-by downloads and social engineering tactics. Initially observed in July 2023, ClearFake utilized fake browser update prompts to trick users into downloading malware.
- web:securereading.com: The infrastructure abuses a trusted content delivery network (CDN) to host and distribute malicious content, increasing the likelihood of successful delivery. The URL was flagged with high confidence (100%) and classified as payload delivery, indicating its role in active malware campaigns rather than passive infrastructure.
- web:thehackernews.com: The threat actors behind the ClearFake campaign are using fake reCAPTCHA or Cloudflare Turnstile verifications as lures to trick users into downloading malware such as Lumma Stealer and Vidar Stealer. ClearFake, first highlighted in July 2023, is the name given to a threat activity cluster that ...
- web:threatfox.abuse.ch: ThreatFox Database: Indicators of Compromise (IOCs) on ThreatFox are associated with a certain malware family. A malware sample can be associated with only one malware family. The page below gives you an overview on indicators of compromise associated with js.clearfake. You can also get this data through the ThreatFox API.
- web:www.darktrace.com: ClearFake continues to be observed across multiple sectors, but Darktrace remains well-positioned to counter such threats. Because ClearFake's end goal is often to deliver malware such as information stealers and malware loaders, early disruption is critical to preventing compromise.
- web:www.linkedin.com: Key Findings From My Latest Threat Intelligence Project. As promised, I am sharing some of the core insights from my recent analysis of the ClearFake malware campaign; an evolving browser-based ...
Indicators of Compromise (1)
Each indicator is enriched from the IOC database, threat-intel feed corroboration (Threat Hunt) and VirusTotal.
domain: winmastersbetiran.com
IOC database
- Type: domain
- Value: winmastersbetiran.com
- First seen
- Last seen
- Attached to this threat
- Appears in: 1 threat
- Description: Domain name that delivers a malware payload attributed to ClearFake
Threat Hunt — feed corroboration
Not present in any configured threat-intel feed.
Details From VirusTotal
No VirusTotal details cached for this IOC.
References (2)
- Malpedia profile
- ThreatFox IOCs (ThreatFox IOC page)