TF-1832802
high
📛 Threat Title
ClearFake: Domain name that delivers a malware payload eoubkysl.psgnewsiran.com
Description
Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-16 21:07:24 UTC. Reporter: anonymous. Tags: ClearFake.
Remediations (10)
-
web:cybersecuritynews.com
ClearFake malware abused blockchain smart contracts and hacked websites to deliver stealthy, hard-to-stop infections.
-
web:cybersecuritynews.com
ClearFake , a malicious JavaScript framework first identified in July 2023, has evolved with sophisticated new social engineering tactics. Originally designed to display fake browser update pages, the framework has undergone significant developments, incorporating more advanced deception techniques to deliver malware through compromised websites.
-
web:expel.com
ClearFake's latest campaign uses fake CAPTCHAs and social engineering trick victims into installing malware , and it's getting more evasive.
-
web:rhisac.org
Context Sekoia researchers have released updates on ClearFake , a malicious JavaScript framework that infects compromised websites to deliver malware through drive-by downloads and social engineering tactics. Initially observed in July 2023, ClearFake utilized fake browser update prompts to trick users into downloading malware .
-
web:thehackernews.com
ClearFake malware infects 9,300+ websites, using fake reCAPTCHA and Web3 tactics to spread Lumma and Vidar Stealers, exposing 200,000+ users.
-
web:threatfox.abuse.ch
ThreatFox Database Indicators of Compromise (IOCs) on ThreatFox are associated with a certain malware fas. A malware sample can be associated with only one malware family. The page below gives you an overview on indicators of compromise associated with js. clearfake . You can also get this data through the ThreatFox API. Database Entry
-
web:www.bridewell.com
By using watering-hole style attacks, the ClearFake campaign aims to deliver malicious payloads through execution of malicious JavaScript commands, delivered to legitimate, compromised websites through WordPress vulnerabilities and plugins. We have outlined recommendations to ensure that organisations are protected against this threat.
-
web:www.darktrace.com
ClearFake continues to be observed across multiple sectors, but Darktrace remains well‑positioned to counter such threats. Because ClearFake's end goal is often to deliver malware such as information stealers and malware loaders, early disruption is critical to preventing compromise.
-
web:www.kroll.com
CLEARFAKE Update Tricks Victim into Executing Malicious PowerShell Code CLEARFAKE is the term used to describe the malicious in-browser JavaScript framework deployed on compromised webpages as part of drive-by compromise campaigns to deliver information stealers.
-
web:www.linkedin.com
A sophisticated evolution of the ClearFake malware campaign has emerged, deploying advanced evasion techniques that abuse legitimate Windows components to bypass endpoint detection systems. The ...
Indicators of Compromise (1)
Each indicator is enriched from the IOC database, threat-intel feed corroboration (Threat Hunt) and VirusTotal. Click one to expand.
domain
eoubkysl.psgnewsiran.com
IOC database
- Type
- domain
- Value
eoubkysl.psgnewsiran.com- First seen
- Last seen
- Attached to this threat
- Appears in
- 1 threat
- Description
- Domain name that delivers a malware payload attributed to ClearFake
Threat Hunt — feed corroboration
Not present in any configured threat-intel feed.
Details From VirusTotal
No VirusTotal details cached for this IOC. Open the IOC page to query VirusTotal.
References (2)
- Malpedia profile Threatfox IOCs/Threats
-
ThreatFox IOC page
Threatfox IOCs/Threats
Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-16 21:07:24 UTC. Reporter: anonymous. Tags: ClearFake.
AI Forensic Analysis
Only Available for Registered Users. Sign in to view.