
TF-1831885 high

📛 Threat Title

ClearFake: Domain name that delivers a malware payload qjivlnde.maharatmodiran.xyz

Category: ClearFake
Source: Threatfox IOCs/Threats

Description

Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-14 02:15:28 UTC. Reporter: anonymous. Tags: ClearFake.

Remediations (10)

  • web:blog.reconinfosec.com

    Our team recently observed a significant uptick in malware campaigns leveraging fake CAPTCHA pages to deploy info-stealers, loaders and remote access trojans (RATs). These lures are part of evolving social engineering chains that culminate in the delivery of threats like Lumma Stealer, Sliver, and Emmenhtal. Some variants including ClickFix and ClearFake, which utilize a novel technique known ...

  • web:blog.sekoia.io

    ClearFake's New Widespread Variant: Increased Web3 Exploitation for Malware Delivery ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through the drive-by download technique. When it first emerged in July 2023, the injected code was designed to display a fake...

  • web:cybersecuritynews.com

    Sekoia researchers noted that the ClearFake infrastructure includes over 9,300 compromised websites, with thousands of users potentially exposed to these malicious lures every day. The use of blockchain technology for malware delivery represents an emerging threat that makes traditional mitigation and blocking significantly more challenging.

  • web:darkwebinformer.com

    📖 Overview A domain associated with the ClearFake JavaScript-based malware campaign has been identified. The domain currently displays a Cloudflare phishing warning and has been reported for malicious activity. ClearFake campaigns are known for distributing malicious scripts that deliver payloads or redirect users to further phishing pages. Confidence is assessed at 100%.

  • web:expel.com

    ClearFake is a malware campaign which displays fake CAPTCHA challenges across hundreds of hacked websites. The fake CAPTCHA challenges use social engineering to lure visitors into installing malware. Recently, the campaign has adopted much more evasive tactics such as leveraging Proxy Execution to run PowerShell commands via a trusted Window ...

  • web:rhisac.org

    Context Sekoia researchers have released updates on ClearFake, a malicious JavaScript framework that infects compromised websites to deliver malware through drive-by downloads and social engineering tactics. Initially observed in July 2023, ClearFake utilized fake browser update prompts to trick users into downloading malware. The latest 2025 variant introduces new lures, including fake ...

  • web:thehackernews.com

    ClearFake malware infects 9,300+ websites, using fake reCAPTCHA and Web3 tactics to spread Lumma and Vidar Stealers, exposing 200,000+ users.

  • web:www.darktrace.com

    ClearFake is a campaign observed using a malicious JavaScript framework deployed on compromised websites, impacting sectors such as e‑commerce, travel, and automotive. First identified in mid‑2023, ClearFake is frequently leveraged to socially engineer victims into installing fake web browser updates.

  • web:www.kroll.com

    Key Takeaways Kroll continues to observe a rapid evolution in how CLEARFAKE is delivering payloads to victims across all sectors. Clusters of evolved techniques include the use of data/time obfuscation to create filenames as well as variations of MSHTA usage. Despite the evolution, there remains a number of key themes that can assist in detection and mitigation of this threat, including ...

  • web:www.threatdown.com

    ClearFake, tested on June 3, 2024 Distribution (Compromised site->fake error->copy/paste PowerShell) ClearFake is a malware campaign using social engineering first discovered by Randy McEoin. It is one of the many "fake browser updates" inspired by OG SocGholish which leverages compromised websites to target potential victims. After a few months of stagnation, ClearFake has come back with ...

Indicators of Compromise (1)

Each indicator is enriched from the IOC database, threat-intel feed corroboration (Threat Hunt) and VirusTotal.

domain qjivlnde.maharatmodiran.xyz

IOC database

Type: domain
Value: qjivlnde.maharatmodiran.xyz
First seen:
Last seen:
Attached to this threat
Appears in: 1 threat
Description: Ingested from IOC source: https://threatfox.abuse.ch/downloads/hostfile/


Threat Hunt — feed corroboration

Not present in any configured threat-intel feed.

Details From VirusTotal

No VirusTotal details cached for this IOC.

References (2)

  • Malpedia profile Threatfox IOCs/Threats
  • ThreatFox IOC page Threatfox IOCs/Threats