s1
--:--:--UTC

Searching APEX

Starting…

  1. Searching Threats, IOCs & Threat Intelligence locally
  2. Querying external providers
  3. Asking AI Forensic Validator
  4. Creating new entry from validated hit

0s elapsed

TF-1829990 high

📛 Threat Title

ClearFake: Domain name that delivers a malware payload ifvtbgbf.maharatmodiran.xyz

Category: ClearFake Published: Source updated: First seen: Last updated: Source: ThreatFox IOCs

Description

Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-11 05:52:03 UTC. Reporter: anonymous. Tags: ClearFake.

Remediations (10)

  • ClearFake's New Widespread Variant: Increased Web3 Exploitation for ...
    web:blog.sekoia.io

    ClearFake's New Widespread Variant: Increased Web3 Exploitation for Malware Delivery ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through the drive-by download technique. When it first emerged in July 2023, the injected code was designed to display a fake...

  • ClearFake Uses BSC Testnet Smart Contracts for Takedown-Resistant ...
    web:cybersecuritynews.com

    ClearFake malware abused blockchain smart contracts and hacked websites to deliver stealthy, hard-to-stop infections.

  • New Clearfake Variant Leverages Fake reCAPTCHA To Trick Users Deliver ...
    web:cybersecuritynews.com

    Sekoia researchers noted that the ClearFake infrastructure includes over 9,300 compromised websites, with thousands of users potentially exposed to these malicious lures every day. The use of blockchain technology for malware delivery represents an emerging threat that makes traditional mitigation and blocking significantly more challenging.

  • IOC Alert: ClearFake Payload Delivery Infrastructure
    web:darkwebinformer.com

    A domain -based indicator has been identified delivering ClearFake JavaScript malware . The domain is flagged for phishing and payload delivery activity and is associated with malicious script injection campaigns designed to trick users into interacting with fraudulent browser updates or phishing pages.

  • ClearFake gets more evasive with new living off the land (LOTL ...
    web:expel.com

    ClearFake is a malware campaign which displays fake CAPTCHA challenges across hundreds of hacked websites. The fake CAPTCHA challenges use social engineering to lure visitors into installing malware . Recently, the campaign has adopted much more evasive tactics such as leveraging Proxy Execution to run PowerShell commands via a trusted Window ...

  • ClearFake Infects 9,300 Sites, Uses Fake reCAPTCHA and Turnstile to ...
    web:thehackernews.com

    ClearFake malware infects 9,300+ websites, using fake reCAPTCHA and Web3 tactics to spread Lumma and Vidar Stealers, exposing 200,000+ users.

  • ThreatFox | ClearFake
    web:threatfox.abuse.ch

    ThreatFox Database Indicators of Compromise (IOCs) on ThreatFox are associated with a certain malware fas. A malware sample can be associated with only one malware family. The page below gives you an overview on indicators of compromise associated with js. clearfake . You can also get this data through the ThreatFox API. Database Entry

  • ClearFake Campaign - Delivering Malware via "Fake Browser Updates
    web:www.bridewell.com

    By using watering-hole style attacks, the ClearFake campaign aims to deliver malicious payloads through execution of malicious JavaScript commands, delivered to legitimate, compromised websites through WordPress vulnerabilities and plugins. We have outlined recommendations to ensure that organisations are protected against this threat.

  • ClearFake: From Fake CAPTCHAs to Blockchain-Driven Payload Retrieval
    web:www.darktrace.com

    ClearFake is a campaign observed using a malicious JavaScript framework deployed on compromised websites, impacting sectors such as e‑commerce, travel, and automotive. First identified in mid‑2023, ClearFake is frequently leveraged to socially engineer victims into installing fake web browser updates.

  • The Rapid Evolution of CLEARFAKE Delivery - kroll.com
    web:www.kroll.com

    Key Takeaways Kroll continues to observe a rapid evolution in how CLEARFAKE is delivering payloads to victims across all sectors. Clusters of evolved techniques include the use of data/time obfuscation to create filenames as well as variations of MSHTA usage. Despite the evolution, there remains a number of key themes that can assist in detection and mitigation of this threat, including ...

Indicators of Compromise (1)

Each indicator is enriched from the IOC database, threat-intel feed corroboration (Threat Hunt) and VirusTotal. Click one to expand.

domain ifvtbgbf.maharatmodiran.xyz

IOC database

Type
domain
Value
ifvtbgbf.maharatmodiran.xyz
First seen
Last seen
Attached to this threat
Appears in
1 threat
Description
Domain name that delivers a malware payload attributed to ClearFake

Open the full IOC page →

Threat Hunt — feed corroboration

Not present in any configured threat-intel feed.

Details From VirusTotal

No VirusTotal details cached for this IOC. Open the IOC page to query VirusTotal.

References (2)

  • Malpedia profile ThreatFox IOCs
  • ThreatFox IOC page ThreatFox IOCs

    Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-11 05:52:03 UTC. Reporter: anonymous. Tags: ClearFake.

AI Forensic Analysis

Only Available for Registered Users. Sign in to view.