TF-1825284 high

Description

Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-08 23:23:56 UTC. Reporter: anonymous. Tags: ClearFake.

• ClearFake: a newcomer to the "fake updates" threats landscape
  web:blog.sekoia.io

  ClearFake is a new malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. This blogpost aims at presenting a technical analysis of the ClearFake installation flow, the malware delivered by ClearFake , the C2 infrastructure and tracking opportunities.

  2026-06-09 01:34 UTC
• ClearFake Variant Exploits Fake reCAPTCHA to Deliver Malicious ...
  web:cyberpress.org

  A recent variant of the ClearFake malware framework has been identified, leveraging fake reCAPTCHA and Cloudflare Turnstile challenges to deceive users into executing malicious PowerShell commands. This evolution marks a significant escalation in the threat's capabilities, as it continues to exploit Web3 technologies for malware delivery.

  2026-06-09 01:34 UTC
• New Clearfake Variant Leverages Fake reCAPTCHA To Trick Users Deliver ...
  web:cybersecuritynews.com

  Sekoia researchers noted that the ClearFake infrastructure includes over 9,300 compromised websites, with thousands of users potentially exposed to these malicious lures every day. The use of blockchain technology for malware delivery represents an emerging threat that makes traditional mitigation and blocking significantly more challenging.

  2026-06-09 01:34 UTC
• IOC Alert: ClearFake Payload Delivery Infrastructure
  web:darkwebinformer.com

  A domain -based indicator has been identified delivering ClearFake JavaScript malware . The domain is flagged for phishing and payload delivery activity and is associated with malicious script injection campaigns designed to trick users into interacting with fraudulent browser updates or phishing pages.

  2026-06-09 01:34 UTC
• ClearFake gets more evasive with new living off the land (LOTL ...
  web:expel.com

  ClearFake's latest campaign uses fake CAPTCHAs and social engineering trick victims into installing malware , and it's getting more evasive.

  2026-06-09 01:34 UTC
• ClearFake Malicious Framework Updates Tactics with Binance ... - RH-ISAC
  web:rhisac.org

  Context Sekoia researchers have released updates on ClearFake , a malicious JavaScript framework that infects compromised websites to deliver malware through drive-by downloads and social engineering tactics. Initially observed in July 2023, ClearFake utilized fake browser update prompts to trick users into downloading malware .

  2026-06-09 01:34 UTC
• ClearFake Infects 9,300 Sites, Uses Fake reCAPTCHA and Turnstile to ...
  web:thehackernews.com

  ClearFake malware infects 9,300+ websites, using fake reCAPTCHA and Web3 tactics to spread Lumma and Vidar Stealers, exposing 200,000+ users.

  2026-06-09 01:34 UTC
• What to Know About New ClearFake Variant "ClickFix"
  web:www.packetlabs.net

  A new ClearFake variant deceives victims with fake reCAPTCHA challenges and bypasses with smart-contract ABIs tricking users into running PowerShell malware . Learn how it works and how to defend.

  2026-06-09 01:34 UTC

Indicators of Compromise (1)

Each indicator is enriched from the IOC database, threat-intel feed corroboration (Threat Hunt) and VirusTotal. Click one to expand.

References (2)

• Malpedia profile ThreatFox IOCs
• ThreatFox IOC page ThreatFox IOCs

  Indicator that identifies a malware distribution server (payload delivery). IOC type: Domain name that delivers a malware payload. Attributed malware: ClearFake. Confidence: 100. First seen: 2026-06-08 23:23:56 UTC. Reporter: anonymous. Tags: ClearFake.

Only Available for Registered Users. Sign in to view.