Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet
Threat actors exploited the EtherHiding technique to store ClearFake payload routing instructions within smart contracts on the BNB Smart Chain testnet, creating an immutable command-and-control infrastructure that cannot be taken down. The attack began with injected JavaScript on a compromised Swiss website that queried blockchain contracts to deliver malicious payloads. Victims passing anti-analysis checks were fingerprinted by operating system and routed to platform-specific ClickFix social engineering overlays. The campaign simultaneously deployed SectopRAT, a .NET-based remote access trojan capable of browser session hijacking, and ACRStealer, a C++ infostealer targeting credentials and cryptocurrency wallets. An on-chain execution tracker confirmed each compromise in real time. Four smart contracts shared a single deployer wallet, with the oldest deployed nearly a year before analysis, indicating a long-running, actively maintained operation.
Indicators of Compromise (25)