{
  "type": "URL",
  "indicator": "https://human-verify-4r.pro/xfiles/human.cpp",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://human-verify-4r.pro/xfiles/human.cpp",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4048767047,
      "indicator": "https://human-verify-4r.pro/xfiles/human.cpp",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "67d940dac8271dd8807e87b9",
          "name": "ClearFake\u2019s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery",
          "description": "ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through drive-by downloads. Threat actors compromise legitimate websites, injecting malicious JavaScript code that redirects users to convincing fake update pages for browsers like Chrome and Edge. These pages prompt users to download updates hosted on platforms such as Dropbox and OneDrive, which actually contain malware payloads. Notably, since late September, ClearFake has altered its code injection tactics, now utilizing smart contracts from the Binance Smart Chain.",
          "modified": "2025-03-18T09:46:45.911000",
          "created": "2025-03-18T09:46:02.275000",
          "tags": [
            "clearfake",
            "browserupdate",
            "javascript",
            "wateringhole",
            "blockchain"
          ],
          "references": [
            "https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 50,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 30
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386551,
          "modified_text": "439 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67dadbb52c53733cf6a7d787",
          "name": "ClearFake\u2019s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery - Sekoia.io Blog",
          "description": "",
          "modified": "2025-04-18T14:04:03.769000",
          "created": "2025-03-19T14:59:01.403000",
          "tags": [
            "clearfake",
            "binance smart",
            "clickfix lure",
            "february",
            "javascript code",
            "powershell",
            "html",
            "chain",
            "javascript",
            "urls",
            "june",
            "lumma stealer",
            "loader",
            "code",
            "download",
            "restart",
            "amadey",
            "stealc",
            "lambda",
            "python"
          ],
          "references": [
            "https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/#h-iocs-amp-technical-details"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 35,
            "FileHash-MD5": 2,
            "domain": 7,
            "hostname": 14
          },
          "indicator_count": 58,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "408 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67da1922c6176ae1dda3f448",
          "name": "ClearFake Leverages Fake reCAPTCHA to Deliver Malicious PowerShell Codes",
          "description": "ClearFake, a malicious JavaScript framework, leverages fake\nreCAPTCHA prompts to trick users and deliver malicious PowerShell code.",
          "modified": "2025-04-18T01:04:02.425000",
          "created": "2025-03-19T01:08:50.730000",
          "tags": [
            "iocs",
            "conduct",
            "https",
            "urls",
            "update",
            "siem",
            "strategies",
            "update siem"
          ],
          "references": [],
          "public": 1,
          "adversary": "CryptoGen Cyber Threat Intelligence Advisory",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 32,
            "domain": 7,
            "hostname": 11
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "408 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ee1f0006e7c0f94c92d481",
          "name": "ClearFake\u2019s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery",
          "description": "",
          "modified": "2025-04-03T05:39:12.043000",
          "created": "2025-04-03T05:39:12.043000",
          "tags": [
            "clearfake",
            "browserupdate",
            "javascript",
            "wateringhole",
            "blockchain"
          ],
          "references": [
            "https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67d940dac8271dd8807e87b9",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 30
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "423 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67da6ecd119258e8279c93a4",
          "name": "IOC&TTP - ClearFake\u2019s New Widespread Variant Increased Web3 Exploitation for Malware Delivery",
          "description": "ClearFake \u662f\u4e00\u79cd\u6076\u610f JavaScript \u6846\u67b6\uff0c\u90e8\u7f72\u5728\u53d7\u611f\u67d3\u7684\u7f51\u7ad9\u4e0a\uff0c\u901a\u8fc7\u201c\u70b9\u51fb\u4fee\u590d (ClickFix)\u201d\u7684\u793e\u4f1a\u5de5\u7a0b\u6280\u672f\u8bf1\u9a97\u7528\u6237\u6267\u884c PowerShell \u547d\u4ee4\uff0c\u4ee5\u8fbe\u5230\u690d\u5165\u6076\u610f\u8f6f\u4ef6\u7684\u76ee\u7684\u3002\u8be5\u6846\u67b6\u81ea 2023 \u5e74 7 \u6708\u9996\u6b21\u51fa\u73b0\u540e\uff0c\u4e0d\u65ad\u6f14\u53d8\uff0c\u5e76\u5728 2024 \u5e74 12 \u6708\u5f15\u5165\u65b0\u7684\u8bf1\u5bfc\u624b\u6cd5\uff0c\u5305\u62ec\u4f2a\u9020\u7684 Cloudflare Turnstile \u9a8c\u8bc1\u548c reCAPTCHA \u9a8c\u8bc1\u9875\u9762\uff0c\u4f7f\u53d7\u5bb3\u8005\u8bef\u4ee5\u4e3a\u9047\u5230\u7f51\u7edc\u9519\u8bef\uff0c\u4ece\u800c\u6267\u884c\u6076\u610f\u4ee3\u7801\u3002\u6700\u65b0\u53d8\u79cd\u8fd8\u52a0\u5927\u4e86\u5bf9 Web3 \u6280\u672f\u7684\u5229\u7528\uff0c\u901a\u8fc7 Binance Smart Chain (BSC) \u667a\u80fd\u5408\u7ea6\u5b58\u50a8 JavaScript \u4ee3\u7801\uff0c\u5e76\u52a8\u6001\u52a0\u8f7d\u6076\u610f\u7ec4\u4ef6\uff0c\u4ee5\u589e\u5f3a\u9690\u853d\u6027\u548c\u6301\u4e45\u6027\u3002\u8be5\u53d8\u79cd\u4e3b\u8981\u6295\u653e Lumma Stealer \u548c Vidar Stealer \u7b49\u4fe1\u606f\u7a83\u53d6\u6076\u610f\u8f6f\u4ef6\u3002\u672c\u6587\u5c06\u6df1\u5165\u5206\u6790\u8be5\u6076\u610f\u8f6f\u4ef6\u7684 TTPs (\u6218\u672f\u3001\u6280\u672f\u548c\u7a0b\u5e8f)\uff0c\u5305\u62ec\u5176\u5b8c\u6574\u7684\u653b\u51fb\u94fe\u3001MITRE ATT&CK \u6280\u672f\u6620\u5c04\u4ee5\u53ca\u5efa\u8bae\u7684\u9632\u5fa1\u63aa\u65bd\u3002",
          "modified": "2025-03-19T07:14:31.855000",
          "created": "2025-03-19T07:14:21.249000",
          "tags": [
            "clearfake",
            "browserupdate",
            "javascript",
            "wateringhole",
            "blockchain"
          ],
          "references": [
            "https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67d940dac8271dd8807e87b9",
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 30
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "438 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/",
        "https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/#h-iocs-amp-technical-details"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 30
        },
        "other": {
          "adversary": [
            "CryptoGen Cyber Threat Intelligence Advisory"
          ],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 64
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/human-verify-4r.pro",
    "whois": "http://whois.domaintools.com/human-verify-4r.pro",
    "domain": "human-verify-4r.pro",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "67d940dac8271dd8807e87b9",
      "name": "ClearFake\u2019s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery",
      "description": "ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through drive-by downloads. Threat actors compromise legitimate websites, injecting malicious JavaScript code that redirects users to convincing fake update pages for browsers like Chrome and Edge. These pages prompt users to download updates hosted on platforms such as Dropbox and OneDrive, which actually contain malware payloads. Notably, since late September, ClearFake has altered its code injection tactics, now utilizing smart contracts from the Binance Smart Chain.",
      "modified": "2025-03-18T09:46:45.911000",
      "created": "2025-03-18T09:46:02.275000",
      "tags": [
        "clearfake",
        "browserupdate",
        "javascript",
        "wateringhole",
        "blockchain"
      ],
      "references": [
        "https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 50,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 30
      },
      "indicator_count": 30,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386551,
      "modified_text": "439 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67dadbb52c53733cf6a7d787",
      "name": "ClearFake\u2019s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery - Sekoia.io Blog",
      "description": "",
      "modified": "2025-04-18T14:04:03.769000",
      "created": "2025-03-19T14:59:01.403000",
      "tags": [
        "clearfake",
        "binance smart",
        "clickfix lure",
        "february",
        "javascript code",
        "powershell",
        "html",
        "chain",
        "javascript",
        "urls",
        "june",
        "lumma stealer",
        "loader",
        "code",
        "download",
        "restart",
        "amadey",
        "stealc",
        "lambda",
        "python"
      ],
      "references": [
        "https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/#h-iocs-amp-technical-details"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 35,
        "FileHash-MD5": 2,
        "domain": 7,
        "hostname": 14
      },
      "indicator_count": 58,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "408 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67da1922c6176ae1dda3f448",
      "name": "ClearFake Leverages Fake reCAPTCHA to Deliver Malicious PowerShell Codes",
      "description": "ClearFake, a malicious JavaScript framework, leverages fake\nreCAPTCHA prompts to trick users and deliver malicious PowerShell code.",
      "modified": "2025-04-18T01:04:02.425000",
      "created": "2025-03-19T01:08:50.730000",
      "tags": [
        "iocs",
        "conduct",
        "https",
        "urls",
        "update",
        "siem",
        "strategies",
        "update siem"
      ],
      "references": [],
      "public": 1,
      "adversary": "CryptoGen Cyber Threat Intelligence Advisory",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 32,
        "domain": 7,
        "hostname": 11
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "408 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ee1f0006e7c0f94c92d481",
      "name": "ClearFake\u2019s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery",
      "description": "",
      "modified": "2025-04-03T05:39:12.043000",
      "created": "2025-04-03T05:39:12.043000",
      "tags": [
        "clearfake",
        "browserupdate",
        "javascript",
        "wateringhole",
        "blockchain"
      ],
      "references": [
        "https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "67d940dac8271dd8807e87b9",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 30
      },
      "indicator_count": 30,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "423 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67da6ecd119258e8279c93a4",
      "name": "IOC&TTP - ClearFake\u2019s New Widespread Variant Increased Web3 Exploitation for Malware Delivery",
      "description": "ClearFake \u662f\u4e00\u79cd\u6076\u610f JavaScript \u6846\u67b6\uff0c\u90e8\u7f72\u5728\u53d7\u611f\u67d3\u7684\u7f51\u7ad9\u4e0a\uff0c\u901a\u8fc7\u201c\u70b9\u51fb\u4fee\u590d (ClickFix)\u201d\u7684\u793e\u4f1a\u5de5\u7a0b\u6280\u672f\u8bf1\u9a97\u7528\u6237\u6267\u884c PowerShell \u547d\u4ee4\uff0c\u4ee5\u8fbe\u5230\u690d\u5165\u6076\u610f\u8f6f\u4ef6\u7684\u76ee\u7684\u3002\u8be5\u6846\u67b6\u81ea 2023 \u5e74 7 \u6708\u9996\u6b21\u51fa\u73b0\u540e\uff0c\u4e0d\u65ad\u6f14\u53d8\uff0c\u5e76\u5728 2024 \u5e74 12 \u6708\u5f15\u5165\u65b0\u7684\u8bf1\u5bfc\u624b\u6cd5\uff0c\u5305\u62ec\u4f2a\u9020\u7684 Cloudflare Turnstile \u9a8c\u8bc1\u548c reCAPTCHA \u9a8c\u8bc1\u9875\u9762\uff0c\u4f7f\u53d7\u5bb3\u8005\u8bef\u4ee5\u4e3a\u9047\u5230\u7f51\u7edc\u9519\u8bef\uff0c\u4ece\u800c\u6267\u884c\u6076\u610f\u4ee3\u7801\u3002\u6700\u65b0\u53d8\u79cd\u8fd8\u52a0\u5927\u4e86\u5bf9 Web3 \u6280\u672f\u7684\u5229\u7528\uff0c\u901a\u8fc7 Binance Smart Chain (BSC) \u667a\u80fd\u5408\u7ea6\u5b58\u50a8 JavaScript \u4ee3\u7801\uff0c\u5e76\u52a8\u6001\u52a0\u8f7d\u6076\u610f\u7ec4\u4ef6\uff0c\u4ee5\u589e\u5f3a\u9690\u853d\u6027\u548c\u6301\u4e45\u6027\u3002\u8be5\u53d8\u79cd\u4e3b\u8981\u6295\u653e Lumma Stealer \u548c Vidar Stealer \u7b49\u4fe1\u606f\u7a83\u53d6\u6076\u610f\u8f6f\u4ef6\u3002\u672c\u6587\u5c06\u6df1\u5165\u5206\u6790\u8be5\u6076\u610f\u8f6f\u4ef6\u7684 TTPs (\u6218\u672f\u3001\u6280\u672f\u548c\u7a0b\u5e8f)\uff0c\u5305\u62ec\u5176\u5b8c\u6574\u7684\u653b\u51fb\u94fe\u3001MITRE ATT&CK \u6280\u672f\u6620\u5c04\u4ee5\u53ca\u5efa\u8bae\u7684\u9632\u5fa1\u63aa\u65bd\u3002",
      "modified": "2025-03-19T07:14:31.855000",
      "created": "2025-03-19T07:14:21.249000",
      "tags": [
        "clearfake",
        "browserupdate",
        "javascript",
        "wateringhole",
        "blockchain"
      ],
      "references": [
        "https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "67d940dac8271dd8807e87b9",
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 30
      },
      "indicator_count": 30,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "438 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://human-verify-4r.pro/xfiles/human.cpp",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://human-verify-4r.pro/xfiles/human.cpp",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780248230.700199
}