← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
IOC - Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet
WHITE celestre 2026-05-27 Modified: 2026-05-27
10
IOCs
LOW VOLUME
TrendAI™ Research analyzed in May 2026 an intrusion where threat actors used a technique known as EtherHidingnews article to store payload routing instructions inside BNB Smart Chain (formerly Binance Smart Chain or BSC) smart contracts. Unlike traditional command-and-control (C&C) infrastructure, this routing layer cannot be altered, suspended, or seized by security vendors, registrars, or law enforcement due to the immutable nature of the blockchain. TrendAI™ found that the injected JavaScript on compromised websites queried these contracts to retrieve and route victims to the next stage of the attack chain.
smart contractbsc testneta stageclearfakestageusersmart contractsclearfake hidplain sightiocswebdav
Indicators of Compromise (10)
All FileHash-SHA256 domain hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA256 46add4a5fb2da6fe12759a06fe1c6bc43e987da3ea7c28bff0a7f2a349088f0d 2026-05-27
FileHash-SHA256 9c235a84d15087719e59c09f41d43e3574de4544d490aab619184a7d65b02910 2026-05-27
FileHash-SHA256 a5691a4fc69faa4f0fe08f12347783e1dde3c617552be7efd1c5ed89a793e885 2026-05-27
domain put34b.camp 2026-05-27
hostname afraid.veloitall.cfd 2026-05-27
hostname getcfgs.qen9varol.lat 2026-05-27
hostname ohn.stainedunstitch.work 2026-05-27
hostname ootid.srv-auth-dlt-msh.in.net 2026-05-27
hostname ren.trytoken.life 2026-05-27
hostname root-cul.xamir3on.lat 2026-05-27
References (1)
↗ https://www.trendmicro.com/en_us/research/26/e/smart-contracts-for-command-and-control.html