TF-1825658 high

Description

Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-10 01:27:43 UTC. Reporter: anonymous. Tags: ClearFake.

• ClearFake: a newcomer to the "fake updates" threats landscape
  web:blog.sekoia.io

  ClearFake is a new malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. This blogpost aims at presenting a technical analysis of the ClearFake installation flow, the malware delivered by ClearFake , the C2 infrastructure and tracking opportunities.

  2026-06-19 02:14 UTC
• New Clearfake Variant Leverages Fake reCAPTCHA To Trick Users Deliver ...
  web:cybersecuritynews.com

  Sekoia researchers noted that the ClearFake infrastructure includes over 9,300 compromised websites, with thousands of users potentially exposed to these malicious lures every day. The use of blockchain technology for malware delivery represents an emerging threat that makes traditional mitigation and blocking significantly more challenging.

  2026-06-19 02:14 UTC
• ClearFake gets more evasive with new living off the land (LOTL ...
  web:expel.com

  ClearFake's latest campaign uses fake CAPTCHAs and social engineering trick victims into installing malware , and it's getting more evasive.

  2026-06-19 02:14 UTC
• ClearFake Malicious Framework Updates Tactics with Binance ... - RH-ISAC
  web:rhisac.org

  Context Sekoia researchers have released updates on ClearFake , a malicious JavaScript framework that infects compromised websites to deliver malware through drive-by downloads and social engineering tactics. Initially observed in July 2023, ClearFake utilized fake browser update prompts to trick users into downloading malware .

  2026-06-19 02:14 UTC
• ClearFake Infects 9,300 Sites, Uses Fake reCAPTCHA and Turnstile to ...
  web:thehackernews.com

  ClearFake malware infects 9,300+ websites, using fake reCAPTCHA and Web3 tactics to spread Lumma and Vidar Stealers, exposing 200,000+ users.

  2026-06-19 02:14 UTC
• ThreatFox | ClearFake
  web:threatfox.abuse.ch

  ThreatFox Database Indicators of Compromise (IOCs) on ThreatFox are associated with a certain malware fas. A malware sample can be associated with only one malware family. The page below gives you an overview on indicators of compromise associated with js. clearfake . You can also get this data through the ThreatFox API. Database Entry

  2026-06-19 02:14 UTC
• ThreatFox | izlayynu.winsportiran.com
  web:threatfox.abuse.ch

  ClearFake IOC: izlayynu.winsportiran.com ( domain ) You are viewing the ThreatFox database entry for domain izlayynu.winsportiran.com .

  2026-06-19 02:14 UTC
• ClearFake: From Fake CAPTCHAs to Blockchain-Driven Payload Retrieval
  web:www.darktrace.com

  ClearFake continues to be observed across multiple sectors, but Darktrace remains well‑positioned to counter such threats. Because ClearFake's end goal is often to deliver malware such as information stealers and malware loaders, early disruption is critical to preventing compromise.

  2026-06-19 02:14 UTC
• CLEARFAKE Utilizes Drive-by Compromise to Deliver Information ... - Kroll
  web:www.kroll.com

  CLEARFAKE Update Tricks Victim into Executing Malicious PowerShell Code CLEARFAKE is the term used to describe the malicious in-browser JavaScript framework deployed on compromised webpages as part of drive-by compromise campaigns to deliver information stealers.

  2026-06-19 02:14 UTC
• ClearFake walkthrough - ThreatDown by Malwarebytes
  web:www.threatdown.com

  ClearFake , tested on June 3, 2024 Distribution (Compromised site->fake error->copy/paste PowerShell) ClearFake is a malware campaign using social engineering first discovered by Randy McEoin. It is one of the many "fake browser updates" inspired by OG SocGholish which leverages compromised websites to target potential victims.

  2026-06-19 02:14 UTC

Indicators of Compromise (1)

Each indicator is enriched from the IOC database, threat-intel feed corroboration (Threat Hunt) and VirusTotal. Click one to expand.

References (2)

• Malpedia profile ThreatFox IOCs
• ThreatFox IOC page ThreatFox IOCs

  Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-10 01:27:43 UTC. Reporter: anonymous. Tags: ClearFake.

Only Available for Registered Users. Sign in to view.