s2
--:--:--UTC

Searching APEX

Starting…

  1. Searching Threats, IOCs & Threat Intelligence locally
  2. Querying external providers
  3. Asking AI Forensic Validator
  4. Creating new entry from validated hit

0s elapsed

TF-1825475 high

📛 Threat Title

ClearFake: Domain name that delivers a malware payload w18yfaze.yekbetiran.com

Category: ClearFake Published: Source updated: First seen: Last updated: Source: ThreatFox IOCs

Description

Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-09 11:26:40 UTC. Reporter: anonymous. Tags: ClearFake.

Remediations (10)

  • ClearFake: a newcomer to the "fake updates" threats landscape
    web:blog.sekoia.io

    ClearFake is a new malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. This blogpost aims at presenting a technical analysis of the ClearFake installation flow, the malware delivered by ClearFake , the C2 infrastructure and tracking opportunities.

  • ClearFake Uses BSC Testnet Smart Contracts for Takedown-Resistant ...
    web:cybersecuritynews.com

    ClearFake malware abused blockchain smart contracts and hacked websites to deliver stealthy, hard-to-stop infections.

  • IOC Alert: ClearFake JavaScript Payload Delivered via Compromised Domain
    web:darkwebinformer.com

    📖 Overview A domain associated with the ClearFake JavaScript-based malware campaign has been identified. The domain currently displays a Cloudflare phishing warning and has been reported for malicious activity. ClearFake campaigns are known for distributing malicious scripts that deliver payloads or redirect users to further phishing pages. Confidence is assessed at 100%.

  • ClearFake gets more evasive with new living off the land (LOTL ...
    web:expel.com

    ClearFake's latest campaign uses fake CAPTCHAs and social engineering trick victims into installing malware , and it's getting more evasive.

  • ClearFake Malicious Framework Updates Tactics with Binance ... - RH-ISAC
    web:rhisac.org

    Context Sekoia researchers have released updates on ClearFake , a malicious JavaScript framework that infects compromised websites to deliver malware through drive-by downloads and social engineering tactics. Initially observed in July 2023, ClearFake utilized fake browser update prompts to trick users into downloading malware .

  • ClearFake Infects 9,300 Sites, Uses Fake reCAPTCHA and Turnstile to ...
    web:thehackernews.com

    ClearFake malware infects 9,300+ websites, using fake reCAPTCHA and Web3 tactics to spread Lumma and Vidar Stealers, exposing 200,000+ users.

  • ClearFake: From Fake CAPTCHAs to Blockchain-Driven Payload Retrieval
    web:www.darktrace.com

    ClearFake continues to be observed across multiple sectors, but Darktrace remains well‑positioned to counter such threats. Because ClearFake's end goal is often to deliver malware such as information stealers and malware loaders, early disruption is critical to preventing compromise.

  • Threat Actors Push ClickFix Fake Browser Updates Using Stolen ...
    web:www.godaddy.com

    Key findings GoDaddy Security Researchers have noticed an increasing trend of threat actors using swarms of fake WordPress plugins to infect website visitors with malware . Fake plugins inject JavaScript for ClickFix Fake Browser Updates that use blockchain and smart contracts to obtain and deliver malicious payloads . Attack chain involves threat actors leveraging stolen admin credentials to ...

  • ClearFake Malware Campaign Analysis: Key Findings and ... - LinkedIn
    web:www.linkedin.com

    Key Findings From My Latest Threat Intelligence Project As promised, I am sharing some of the core insights from my recent analysis of the ClearFake malware campaign; an evolving browser-based ...

  • ClearFake walkthrough - ThreatDown by Malwarebytes
    web:www.threatdown.com

    ClearFake , tested on June 3, 2024 Distribution (Compromised site->fake error->copy/paste PowerShell) ClearFake is a malware campaign using social engineering first discovered by Randy McEoin. It is one of the many "fake browser updates" inspired by OG SocGholish which leverages compromised websites to target potential victims.

Indicators of Compromise (1)

Each indicator is enriched from the IOC database, threat-intel feed corroboration (Threat Hunt) and VirusTotal. Click one to expand.

domain w18yfaze.yekbetiran.com VT 8 / 91

IOC database

Type
domain
Value
w18yfaze.yekbetiran.com
First seen
Last seen
Attached to this threat
Appears in
1 threat
Description
Domain name that delivers a malware payload attributed to ClearFake

Open the full IOC page →

Threat Hunt — feed corroboration

Not present in any configured threat-intel feed.

Flagged by 8 of 91 VirusTotal vendors

VendorVerdictDetection
alphaMountain.ai malicious malicious
CRDF malicious malicious
Forcepoint ThreatSeeker malicious malicious
Fortinet malicious malware
Lionic malicious malicious
SOCRadar malicious malicious
Certego suspicious suspicious
Gridinsoft suspicious suspicious

Details From VirusTotal

Basic Properties
TLDcom
History
Creation date2025-05-15 00:00 UTC
Last analysis2026-06-09 14:10 UTC
Last modified on VirusTotal2026-06-10 08:18 UTC
Last WHOIS update2025-05-15 00:00 UTC

References (2)

  • Malpedia profile ThreatFox IOCs
  • ThreatFox IOC page ThreatFox IOCs

    Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-09 11:26:40 UTC. Reporter: anonymous. Tags: ClearFake.

AI Forensic Analysis

Only Available for Registered Users. Sign in to view.