PULSE NAME
ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery
WHITE AlienVault 2025-03-18 Modified: 2025-03-18
30 IOCs
MEDIUM VOLUME
ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through drive-by downloads. Threat actors compromise legitimate websites and inject malicious JavaScript code that redirects users to convincing fake update pages for browsers such as Chrome and Edge. These pages prompt users to download purported updates hosted on platforms such as Dropbox and OneDrive; the downloads actually contain malware payloads. Notably, since late September, ClearFake has altered its code injection tactics and now utilizes smart contracts from the Binance Smart Chain.
Indicators of Compromise (30)