TF-1825793 high

📛 Threat Title

ClearFake: Domain name that delivers a malware payload 0xln2imp.yekbetiran.com

Category: ClearFake. Source: ThreatFox IOCs

Description

Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-10 07:34:10 UTC. Last seen: 2026-06-11 08:35:15 UTC. Reporter: anonymous. Tags: ClearFake.

Remediations (10)

  • web:cybersecuritynews.com

    ClearFake malware abused blockchain smart contracts and hacked websites to deliver stealthy, hard-to-stop infections.

  • web:cybersecuritynews.com

    ClearFake has entered a new and more dangerous phase, turning a familiar fake CAPTCHA scam into a highly evasive malware delivery chain. Across hundreds of hacked websites, visitors now see what looks like a routine verification challenge, but behind the scenes the page is preparing to launch hidden code.

  • web:darkwebinformer.com

    📖 Overview A domain associated with the ClearFake JavaScript-based malware campaign has been identified. The domain currently displays a Cloudflare phishing warning and has been reported for malicious activity. ClearFake campaigns are known for distributing malicious scripts that deliver payloads or redirect users to further phishing pages. Confidence is assessed at 100%.

  • web:darkwebinformer.com

    A domain-based indicator has been identified delivering ClearFake JavaScript malware. The domain is flagged for phishing and payload delivery activity and is associated with malicious script injection campaigns designed to trick users into interacting with fraudulent browser updates or phishing pages.

  • web:expel.com

    ClearFake's latest campaign uses fake CAPTCHAs and social engineering to trick victims into installing malware, and it's getting more evasive.

  • web:rhisac.org

    Context: Sekoia researchers have released updates on ClearFake, a malicious JavaScript framework that infects compromised websites to deliver malware through drive-by downloads and social engineering tactics. Initially observed in July 2023, ClearFake utilized fake browser update prompts to trick users into downloading malware.

  • web:thehackernews.com

    ClearFake malware infects 9,300+ websites, using fake reCAPTCHA and Web3 tactics to spread Lumma and Vidar Stealers, exposing 200,000+ users.

  • web:www.darktrace.com

    ClearFake continues to be observed across multiple sectors, but Darktrace remains well‑positioned to counter such threats. Because ClearFake's end goal is often to deliver malware such as information stealers and malware loaders, early disruption is critical to preventing compromise.

  • web:www.kroll.com

    CLEARFAKE Update Tricks Victim into Executing Malicious PowerShell Code CLEARFAKE is the term used to describe the malicious in-browser JavaScript framework deployed on compromised webpages as part of drive-by compromise campaigns to deliver information stealers.

  • web:www.linkedin.com

    A sophisticated evolution of the ClearFake malware campaign has emerged, deploying advanced evasion techniques that abuse legitimate Windows components to bypass endpoint detection systems. The ...

Indicators of Compromise (1)

Each indicator is enriched from the IOC database, threat-intel feed corroboration (Threat Hunt) and VirusTotal.

domain 0xln2imp.yekbetiran.com

IOC database

Type: domain
Value: 0xln2imp.yekbetiran.com
Attached to this threat
Appears in: 1 threat
Description: Ingested from IOC source: https://threatfox.abuse.ch/downloads/hostfile/

Threat Hunt — feed corroboration

Not present in any configured threat-intel feed.

Details From VirusTotal

No VirusTotal details cached for this IOC.

References (2)

  • Malpedia profile ThreatFox IOCs
  • ThreatFox IOC page ThreatFox IOCs

