
ClearFake Malware Infects 9,300 Sites Using Fake reCAPTCHA and Turnstile

Fake reCAPTCHA and Turnstile Used to Spread Info-Stealers

A new wave of cyber threats has emerged as the ClearFake malware campaign continues to spread rapidly. The campaign, known for using fake reCAPTCHA and Cloudflare Turnstile verifications, has infected over 9,300 websites, tricking users into downloading malicious software such as Lumma Stealer and Vidar Stealer.

Evolution of the ClearFake Campaign

Initially identified in July 2023, ClearFake exploits compromised WordPress sites to distribute malware under the guise of web browser updates. The attackers also employ EtherHiding, a technique leveraging Binance Smart Chain (BSC) contracts to evade detection and maintain attack persistence.

As of May 2024, the campaign introduced ClickFix, a social engineering ploy that deceives users into executing PowerShell commands to resolve fake technical issues. By integrating Web3 capabilities, ClearFake has become more resistant to security analysis, encrypting ClickFix-related HTML code and evolving into a multi-stage attack.

How the Attack Works

Victims visiting an infected website unknowingly load intermediate JavaScript code retrieved from a BSC smart contract, which fingerprints their system and retrieves encrypted ClickFix code hosted on Cloudflare Pages. If executed, the malicious PowerShell command delivers Emmenhtal Loader (aka PEAKLIGHT), which then installs Lumma Stealer.
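An added defender-side example, not code from the article or from the researchers it cites: a small Python scanner that walks a page's script tags and flags any that read a smart contract through a BSC JSON-RPC endpoint, which is the EtherHiding fetch the chain above begins with. The RPC host pattern, the `eth_call` indicator and the constructed sample page are assumptions, not indicators taken from the article.

```python
import re
from html.parser import HTMLParser

# Assumed indicators (not from the article): public BSC JSON-RPC hosts and the
# eth_call method a page would use to read a payload stored in a contract.
BSC_RPC_HOST_RE = re.compile(r"bsc-dataseed\d*\.(?:binance|bnbchain)\.org", re.I)
ETH_CALL_RE = re.compile(r"eth_call", re.I)


class _ScriptCollector(HTMLParser):
    # Collects [src, inline_body] for every <script> element on the page.
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append([dict(attrs).get("src") or "", ""])

    def handle_data(self, data):
        if self._in_script:  # HTMLParser hands <script> bodies to handle_data
            self.scripts[-1][1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False


def find_etherhiding_indicators(html):
    """Return each suspicious script as {index, src, reasons}."""
    parser = _ScriptCollector()
    parser.feed(html)
    hits = []
    for idx, (src, body) in enumerate(parser.scripts):
        reasons = []
        if BSC_RPC_HOST_RE.search(src) or BSC_RPC_HOST_RE.search(body):
            reasons.append("bsc-rpc-endpoint")
        if ETH_CALL_RE.search(body):
            reasons.append("eth_call")
        if reasons:
            hits.append({"index": idx, "src": src, "reasons": reasons})
    return hits


# Constructed sample: a benign CDN script plus one injected contract-reading script.
SAMPLE_HTML = """<html><head><script src="https://example-cdn.test/jquery.min.js"></script>
<script>fetch("https://bsc-dataseed1.binance.org/", {method: "POST", body: JSON.stringify(
  {jsonrpc: "2.0", id: 1, method: "eth_call", params: [{to: "0xPLACEHOLDER", data: "0x"}, "latest"]})})
</script></head><body></body></html>"""
```

Calling `find_etherhiding_indicators(SAMPLE_HTML)` flags only the second script, with both reasons; a site audit would run the same function over each page fetched from a WordPress install and diff the results against a known-good baseline.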

Ongoing Threat and Widespread Infections

Security researchers at Sekoia observed an alternate attack chain in January 2025, where ClearFake distributed Vidar Stealer through a PowerShell loader. The campaign remains highly active, with daily updates to its framework, lures, and malware payloads.

In July 2024, an estimated 200,000 unique users were potentially exposed to ClearFake lures. Additionally, over 100 auto dealership websites were compromised via a third-party video service, marking a notable instance of a supply chain attack.

Related Phishing Campaigns and Emerging Threats

The rise of social engineering tactics continues, with several phishing campaigns pushing malware and harvesting credentials:

  • Using virtual hard disk (VHD) files in email attachments to distribute Venom RAT.
  • Exploiting a Microsoft Excel vulnerability (CVE-2017-0199) to launch AsyncRAT and Remcos RAT.
  • Targeting misconfigured Microsoft 365 tenants to create admin accounts, bypass email security, and steal credentials.

Mitigation and Protection Strategies

As cybercriminals refine their techniques, organizations must strengthen their defenses against Adversary-in-the-Middle (AitM) and Browser-in-the-Middle (BitM) attacks. Google-owned Mandiant warns that BitM frameworks can compromise any website in seconds, making it difficult for victims to distinguish between legitimate and malicious sites.

To stay protected:

  • Avoid downloading browser updates from unverified sources.
  • Enable multi-factor authentication (MFA) and security monitoring.
  • Implement strong email security filters to block phishing attempts.
  • Regularly audit websites and third-party services for vulnerabilities.

As ClearFake continues to evolve, vigilance and proactive security measures remain crucial in defending against this persistent malware campaign.
