TF-1825273
high
📛 Threat Title
ClearFake: Domain name that delivers a malware payload e40nbbpq.winmastersbetiran.com
Description
Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-08 22:15:36 UTC. Reporter: anonymous. Tags: ClearFake.
Remediations (10)
-
web:blog.sekoia.io
ClearFake spreads malware via compromised websites, using fake CAPTCHAs, JavaScript injections, and drive-by downloads.
-
web:cybersecuritynews.com
ClearFake malware abused blockchain smart contracts and hacked websites to deliver stealthy, hard-to-stop infections.
-
web:cybersecuritynews.com
ClearFake , a malicious JavaScript framework first identified in July 2023, has evolved with sophisticated new social engineering tactics. Originally designed to display fake browser update pages, the framework has undergone significant developments, incorporating more advanced deception techniques to deliver malware through compromised websites.
-
web:darkwebinformer.com
A domain -based indicator has been identified delivering ClearFake JavaScript malware . The domain is flagged for phishing and payload delivery activity and is associated with malicious script injection campaigns designed to trick users into interacting with fraudulent browser updates or phishing pages.
-
web:expel.com
ClearFake's latest campaign uses fake CAPTCHAs and social engineering trick victims into installing malware , and it's getting more evasive.
-
web:rhisac.org
Context Sekoia researchers have released updates on ClearFake , a malicious JavaScript framework that infects compromised websites to deliver malware through drive-by downloads and social engineering tactics. Initially observed in July 2023, ClearFake utilized fake browser update prompts to trick users into downloading malware .
-
web:thehackernews.com
ClearFake malware infects 9,300+ websites, using fake reCAPTCHA and Web3 tactics to spread Lumma and Vidar Stealers, exposing 200,000+ users.
-
web:www.darktrace.com
Darktrace detected a potential ClearFake‑related incident involving signs of EtherHiding activity and interactions with blockchain‑based infrastructure. A single device showed repeated suspicious command‑line behavior, primarily involving Microsoft HTML Application Host. The activity occurred over the course of a day and indicated early‑stage attempts to load malicious content ...
-
web:www.kroll.com
Key Takeaways Kroll continues to observe a rapid evolution in how CLEARFAKE is delivering payloads to victims across all sectors. Clusters of evolved techniques include the use of data/time obfuscation to create filenames as well as variations of MSHTA usage. Despite the evolution, there remains a number of key themes that can assist in detection and mitigation of this threat, including ...
-
web:www.linkedin.com
A sophisticated evolution of the ClearFake malware campaign has emerged, deploying advanced evasion techniques that abuse legitimate Windows components to bypass endpoint detection systems. The ...
Indicators of Compromise (1)
Each indicator is enriched from the IOC database, threat-intel feed corroboration (Threat Hunt) and VirusTotal. Click one to expand.
domain
e40nbbpq.winmastersbetiran.com
IOC database
- Type
- domain
- Value
e40nbbpq.winmastersbetiran.com- First seen
- Last seen
- Attached to this threat
- Appears in
- 1 threat
- Description
- Domain name that delivers a malware payload attributed to ClearFake
Threat Hunt — feed corroboration
Not present in any configured threat-intel feed.
Details From VirusTotal
No VirusTotal details cached for this IOC. Open the IOC page to query VirusTotal.
References (2)
- Malpedia profile ThreatFox IOCs
-
ThreatFox IOC page
ThreatFox IOCs
Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-08 22:15:36 UTC. Reporter: anonymous. Tags: ClearFake.
AI Forensic Analysis
Only Available for Registered Users. Sign in to view.