s2
--:--:--UTC

Searching APEX

Starting…

  1. Searching Threats, IOCs & Threat Intelligence locally
  2. Querying external providers
  3. Asking AI Forensic Validator
  4. Creating new entry from validated hit

0s elapsed

TF-1832610 high

📛 Threat Title

ClearFake: Domain name that delivers a malware payload xoqlqpdb.psgnewsiran.com

Category: ClearFake Published: Source updated: First seen: Last updated: Source: Threatfox IOCs/Threats

Description

Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-16 09:34:43 UTC. Reporter: anonymous. Tags: ClearFake.

Remediations (10)

  • ClearFake: a newcomer to the "fake updates" threats landscape
    web:blog.sekoia.io

    ClearFake is a new malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. This blogpost aims at presenting a technical analysis of the ClearFake installation flow, the malware delivered by ClearFake , the C2 infrastructure and tracking opportunities.

  • New Clearfake Variant Leverages Fake reCAPTCHA To Trick Users Deliver ...
    web:cybersecuritynews.com

    Sekoia researchers noted that the ClearFake infrastructure includes over 9,300 compromised websites, with thousands of users potentially exposed to these malicious lures every day. The use of blockchain technology for malware delivery represents an emerging threat that makes traditional mitigation and blocking significantly more challenging.

  • ClearFake gets more evasive with new living off the land (LOTL ...
    web:expel.com

    ClearFake's latest campaign uses fake CAPTCHAs and social engineering trick victims into installing malware , and it's getting more evasive.

  • ClearFake Infects 9,300 Sites, Uses Fake reCAPTCHA and Turnstile to ...
    web:thehackernews.com

    ClearFake malware infects 9,300+ websites, using fake reCAPTCHA and Web3 tactics to spread Lumma and Vidar Stealers, exposing 200,000+ users.

  • ThreatFox | ClearFake
    web:threatfox.abuse.ch

    ThreatFox Database Indicators of Compromise (IOCs) on ThreatFox are associated with a certain malware fas. A malware sample can be associated with only one malware family. The page below gives you an overview on indicators of compromise associated with js. clearfake . You can also get this data through the ThreatFox API. Database Entry

  • ClearFake Campaign - Delivering Malware via "Fake Browser Updates
    web:www.bridewell.com

    By using watering-hole style attacks, the ClearFake campaign aims to deliver malicious payloads through execution of malicious JavaScript commands, delivered to legitimate, compromised websites through WordPress vulnerabilities and plugins. We have outlined recommendations to ensure that organisations are protected against this threat.

  • ClearFake: From Fake CAPTCHAs to Blockchain-Driven Payload Retrieval
    web:www.darktrace.com

    ClearFake continues to be observed across multiple sectors, but Darktrace remains well‑positioned to counter such threats. Because ClearFake's end goal is often to deliver malware such as information stealers and malware loaders, early disruption is critical to preventing compromise.

  • CLEARFAKE Utilizes Drive-by Compromise to Deliver Information ... - Kroll
    web:www.kroll.com

    CLEARFAKE Update Tricks Victim into Executing Malicious PowerShell Code CLEARFAKE is the term used to describe the malicious in-browser JavaScript framework deployed on compromised webpages as part of drive-by compromise campaigns to deliver information stealers.

  • ClearFake malware Exploits Proxy Execution to Run Malicious ... - LinkedIn
    web:www.linkedin.com

    A sophisticated evolution of the ClearFake malware campaign has emerged, deploying advanced evasion techniques that abuse legitimate Windows components to bypass endpoint detection systems. The ...

  • ClearFake Malware Framework: Latest Variant Analysis and Mitigation ...
    web:www.nocurity.com

    A recent variant of the ClearFake malware framework has been identified, leveraging fake reCAPTCHA and Cloudflare Turnstile challenges to deceive users into executing malicious PowerShell commands. This evolution marks a significant escalation in the threat's capabilities, as it continues to exploit Web3 technologies for malware delivery.

Indicators of Compromise (1)

Each indicator is enriched from the IOC database, threat-intel feed corroboration (Threat Hunt) and VirusTotal. Click one to expand.

domain xoqlqpdb.psgnewsiran.com

IOC database

Type
domain
Value
xoqlqpdb.psgnewsiran.com
First seen
Last seen
Attached to this threat
Appears in
1 threat
Description
Domain name that delivers a malware payload attributed to ClearFake

Open the full IOC page →

Threat Hunt — feed corroboration

Not present in any configured threat-intel feed.

Details From VirusTotal

No VirusTotal details cached for this IOC. Open the IOC page to query VirusTotal.

References (2)

  • Malpedia profile Threatfox IOCs/Threats
  • ThreatFox IOC page Threatfox IOCs/Threats

    Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-16 09:34:43 UTC. Reporter: anonymous. Tags: ClearFake.

AI Forensic Analysis

Only Available for Registered Users. Sign in to view.