ClearFake: a newcomer to the “fake updates” threats landscape
By Quentin Bourgue&nbsp;and&nbsp;Sekoia TDR
Published: 2023-10-16 · Archived: 2026-04-05 23:04:00 UTC
ClearFake is a new malicious JavaScript framework deployed on compromised websites to deliver further
malware using the drive-by download technique. This blogpost aims at presenting a technical analysis of the
ClearFake installation flow, the malware delivered by ClearFake, the C2 infrastructure and tracking opportunities.
Table of contents
Introduction
ClearFake installation flow
Injected JavaScript code
Next stage JavaScript payloads
Fake update web page
Malware delivered by ClearFake
Suspicious filename
APPX file
Overview of HijackLoader
ClearFake C2 infrastructure and tracking opportunities
ClearFake C2 communications
Pivot on IP addresses
Conclusion
ClearFake IoCs & Technical Details
IoCs
ClearFake C2 domains
ClearFake IP addresses
ClearFake infection chain
MITRE ATT&CK TTPs
Annexes
Annex 1 – Injected Javascript codes
Annex 2 – Next stage payloads
External references
Introduction
On 26 August 2023, cybersecurity researcher Randy McEoin published1 an analysis of a new malicious
JavaScript framework deployed on compromised websites to deliver further malware using the drive-by
download technique. The newly discovered malware was named ClearFake due to the clear text JavaScript
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 1 of 20

injected into the compromised website, which was not obfuscated in the early version as is usually the case for
Javascript malware.
ClearFake is another “fake updates” threat leveraging social engineering to trick the user into running a
fake web browser update, as for SocGholish and FakeSG malware. By linking the “fake updates” lure to the
watering hole technique, ClearFake operators target a wide range of users and conduct effective, scalable
malware distribution campaigns.
From our telemetry and customers’ feedback, we observed an increasing number of communications to ClearFake
infrastructure at the end of September 2023. At the same time, we identified several hundred websites injected by
ClearFake.
Sekoia.io’s Threat & Detection Research (TDR) team investigated this emerging threat and shares in this blog post
our analysis of ClearFake, the malware delivered, as well as tracking opportunities.
ClearFake installation flow
Here is an overview of the infection chains’ stages observed distributing commodity malware via ClearFake:
ClearFake installation flow, as of 30 September 2023
Figure 1. ClearFake installation flow, as of 30 September 2023 (Click on the image for a better view)
Injected JavaScript code
ClearFake operators compromised WordPress sites, acting as water holes, to inject malicious JavaScript code into
the HTML page.
In the early ClearFake version, the injected code was base64-encoded JavaScript from a data-url attribute,
downloading another JavaScript payload from an attacker-owned domain (brewasigfi1978.workers[.]dev) and
executing it using the eval() function, e.g.:
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 2 of 20

Since 28 September 2023, to download the next stage, ClearFake have used a different technique, relying on
smart contract from the Binance Smart Chain. The result value of the requested smart contract contains an
obfuscated JavaScript, encoded in base64 and converted in hexadecimal.
Annex 1 includes the obfuscated and deobfuscated injected JavaScript used prior to and after 28 September 2023,
as well as an example of the response of the smart contract.
Next stage JavaScript payloads
The first payload is an obfuscated JavaScript aiming at downloading and executing the second payload. Here is an
example of the deobfuscated JavaScript using deobfuscate.io:
The first obfuscated payload is available in Annex 2.
The second payload is a clear-text JavaScript creating an iframe element to host the fake update interface and
to cover the entire document object model (DOM) of the web documents, setting:
the iframe width and height to 100%;
the z-index, an attribute specifying the stack order of the element, to 99999999999.
It then downloads the fake update interface. Here is an example of the second payload:
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 3 of 20

The third payload is an HTML page serving as a fake update interface and downloading the fake update content
for the appropriate web browser. An example of the third payload is provided in Annex 2.
The HTML page downloads the final fake update page (HTML) from the URL path stored in the HTML element
href and modified using the decoded value of the Javascript variable blank, e.g.
“/lander/firefox_1695214415/_index.php”.
Here is an example of the source code of the fake update page on urlscan:
https://urlscan.io/responses/a70b72efd8cd83f2b79cc9b9823112930e8ffa49edeb6bb5d2b1bbcabccefafb/
Fake update web page
The fake update page displays a realistic copy of the web browser download page for Chrome, Edge and Firefox,
as shown in the following figure.
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 4 of 20

https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 5 of 20

Figure 2. ClearFake fake update pages for Chrome, Edge and Firefox web browsers
It also contains JavaScript code aiming at fingerprinting the victims’ web browser and initiating the download
module. Here is an overview of the executing capabilities of the fake update page:
Import the jQuery library used by the following Javascript;
Define the infamous module named FingerprintJS2 aiming at generating unique fingerprints for browsers
based on various attributes and features. The module contains mathematical, fingerprint generation, utility,
feature detection functions, as well as audio and font fingerprinting;
Set the JavaScript onclick event for the download button;
Define functions related to handling cookies and extracting values from the URL parameters;
Generate the visitor fingerprint and exfiltrate it to “hxxps://stats-best[.]site/fp.php”;
Generate the download URL using “_lp”, “FPID”, “DownloadMouse”, “D” and “_token” parameters when
the onclick event is executed.
Malware delivered by ClearFake
On 30 September 2023, Sekoia.io analysts ran the infection chain until retrieving the final payload downloaded by
the victim.
Suspicious filename
For Microsoft Edge’s visitors, ClearFake delivered a malicious Windows Application Packaging Project (APPX
file) from Dropbox.
The payload’s name “MlсrоsоftЕdgеSеtup.appx” is a masquerading of the legitimate Microsoft Edge installer and
uses UTF-8 Cyrillic character for the characters “c”, “e”, “o” and “E”. Escaping unicode characters returns the
following result:
Ml\u0441r\u043Es\u043Eft\u0415dg\u0435S\u0435tup.appx
ASCII Unicode Name
с \u0441 Cyrillic Small Letter Es
e \u0435 Cyrillic Small Letter Ie
о \u043E Cyrillic Small Letter O
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 6 of 20

Е \u0415 Cyrillic Capital Letter Ie
Cyrillic characters are invisible to the user. Sekoia.io assess with high confidence that the use of lookalike
characters aims at avoiding static detection patterns based on the filename, without raising the potential
victim’s suspicions.
It is interesting to note that SocGholish operators successfully leveraged this technique in 2022, as identified
by Red Canary3. As this obfuscation method is not widely used, it is legitimate to ask ourselves if the SocGholish
operators are also behind the new ClearFake malware.
APPX file
Windows Apps are ZIP archive files that store executable files and other additional ones including XML
(AppxManifest.xml and AppxBlockMap.xml), P7X (AppxSignature.p7x), as well as other optional files and
repositories.
The APPX file delivered by ClearFake (MD5: a7900cdbb2912d76aa6329c5c41d8609) is signed by “STECH
CONSULTANCY LIMITED” and contains in particular the following executables:
\MlсrоsоftЕdgеSеtup\AI_STUBS\AiStubX64.exe (MD5: e89f448e8f41a590c51d34948bdc9c1e)
\MlсrоsоftЕdgеSеtup\VFS\AppData\.exe (MD5: d113b3debc7e0a2da4369dd8d1dbad53)
Once executed, the Windows App reads the APPX manifest’s entry point containing the AiStubX64 executable and
then executes it. The AiStubX64.exe process copies the KSPSService executable located in the Virtual File
System (VFS) and then launches it. The payload (KSPSService.exe) deployed by the APPX file turned out to
be a sample of HijackLoader. More technical information on this execution flow can be found in the Microsoft
documentation4 and FINSIN’s analysis5.
The APPX file also contains a legitimate Microsoft Edge installer (MicrosoftEdgeUpdateSetup.exe MD5:
58d8d75b0ca5e316862ed81cdb2d0c67) and a PowerShell script (chrome.ps1 MD5:
bfe16fc5d100757bd9dec4ef1aa42913), downloading a legitimate Edge installer from transfer[.]sh and executing
it. Both codes are executed when the user runs the Windows App file. Sekoia.io analysts believe that installing the
legitimate web browser alongside the malware once again avoids any suspicion from the victim.
As mentioned by SentinelOne6, APPX files are regularly used in malware campaigns to deploy the payload on the
infected host, including BazarBackdoor, Emotet or Magniber ransomware. Although this technique is not new,
Sekoia.io believes its use improves the rate of successful compromise by reducing the detection of the
malicious payload’s execution.
Overview of HijackLoader
First observed in the wild in July 2023 by Zscaler ThreatLabz7, HijackLoader is a modular loader downloading
and executing an obfuscated payload. It implements several evasion techniques, including code injection, use of
syscalls, Windows API hashing and Heaven’s gate. In recent months, HijackLoader delivered numerous
commodity malware, including Danabot, Lumma, Raccoon, Redline, Remcos, SystemBC and Vidar.
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 7 of 20

Once executed, the HijackLoader sample deployed through the APPX file downloads its obfuscated payload from
the adversary infrastructure “hxxps://server2-slabx.ocmtancmi2c5t[.]live/osmesis/1829973585.png”. The payload
loaded by HijackLoader is a Raccoon sample communicating with its Command & Control (C2) server
“128.140.101[.]125”.
In August 2023, Rapid7 observed8 that the new IDAT Loader malware was delivered by ClearFake. Based on
the code similarities between IDAT Loader and HijackLoader, and given the overlap in the C2 infrastructures,
Sekoia.io assess with high confidence that the same threat group operates both loaders.
ClearFake C2 infrastructure and tracking opportunities
ClearFake C2 communications
ClearFake stages use hardcoded URLs to download the next stage payloads from its C2 infrastructure. URL
patterns have not changed since the threat first appeared in July 2023.
The URLs observed on 30 September 2023 are:
hxxps://ojhggnfbcy62[.]com/vvmd54/
hxxps://ojhggnfbcy62[.]com/ZgbN19Mx
hxxps://ojhggnfbcy62[.]com/lander/firefox_1695214415/_index.php
Basic heuristics based on the URL pattern stem from the ClearFake C2 communications. Sekoia.io used similar
queries on urlscan:
page.url:”/vvmd54/”
page.url:”/ZgbN19Mx”
page.url.keyword:/.*\/lander\/(chrome|firefox|edge).*\/_index\.php/
Using urlscan and other URL scanning search engines, we retrieved 39 domain names:
921hapudyqwdvy[.]com
98ygdjhdvuhj[.]com
adqdqqewqewplzoqmzq[.]site
bgobgogimrihehmxerreg[.]site
boiibzqmk12j[.]com
bookchrono8273[.]com
borbrbmrtxtrbxrq[.]site
bpjoieohzmhegwegmmuew[.]online
cczqyvuy812jdy[.]com
ewkekezmwzfevwvwvvmmmmmmwfwf[.]site
gkrokbmrkmrxtmxrxr[.]space
indogervo22tevra[.]com
indogevro22tevra[.]com
ioiubby73b1n[.]com
oiuytyfvq621mb[.]org
ojhggnfbcy62[.]com
omdowqind[.]site
ooinonqnbdqnjdnqwqkdn[.]space
opkfijuifbuyynyny[.]com
opmowmokmwczmwecmef[.]site
owkdzodqzodqjefjnnejenefe[.]site
pklkknj89bygvczvi[.]com
poqwjoemqzmemzgqegzqzf[.]online
pwwqkppwqkezqer[.]site
reedx51mut[.]com
sioaiuhsdguywqgyuhiqw[.]org
sioaiuhsdguywqgyuhuiqw[.]org
ug62r67uiijo2[.]com
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 8 of 20

kjniuby621edoo[.]com
komomjinndqndqwf[.]store
lminoeubybyvq[.]com
nbvyrxry216vy[.]com
ngvcfrttgyu512vgv[.]net
nmbvcxzasedrt[.]com
oekofkkfkoeefkefbnhgtrq[.]space
oiouhvtybh291[.]com
oiqwbuwbwqznjqsdfsfqhf[.]site
oiuugyfytvgb22h[.]com
vcrwtttywuuidqioppn1[.]com
vvooowkdqddcqcqcdqggggl[.]site
weomfewnfnu[.]site
wffewiuofegwumzowefmgwezfzew[.]site
wnimodmoiejn[.]site
wsexdrcftgyy191[.]com
ytntf5hvtn2vgcxxq[.]com
zasexdrc13ftvg[.]com
ziucsugcbfyfbyccbasy[.]com
znqjdnqzdqzfqmfqmkfq[.]site
Pivot on IP addresses
By pivoting on the IP addresses resolving the previous attacker-owned domains, we listed the following C2
servers that we assess with high confidence as being exclusively associated with the ClearFake infrastructure.
109.248.206[.]49
109.248.206[.]83
109.248.206[.]101
109.248.206[.]118
109.248.206[.]196
135.181.211[.]230
5 of them belong to the autonomous system (AS) “YACOLO-AS” (AS203493) located in Russia, and the last one
belongs to the HETZNER AS (AS24940), favoured by numerous threat actors.
For all C2 servers, the common name (CN) of the TLS certificates exposed on port 443 is
“921hapudyqwdvy.com”, allowing us to unveil the ClearFake infrastructure using scanning search engines, such as
Shodan or Censys. Sekoia.io used a similar query on Shodan to identify and proactively track the ClearFake C2
infrastructure:
ssl:”921hapudyqwdvy.com”
ClearFake operators run the Keitaro traffic distribution system (TDS) on C2 servers to protect their
infrastructure that hosts malicious content and to select the targeted traffic.
TDR believes that ClearFake operators are likely to improve the stealth of malware C2 communication in
the near future. They could also harden their C2 server configuration, to prevent their infrastructure from being
so easily illuminated.
Conclusion
First seen in the wild in July 2023, ClearFake is another “fake updates” threat that quickly became
widespread due to the effective lure targeting a wide audience, as well as the watering hole technique used to
distribute the malware via numerous compromised websites.
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 9 of 20

Given the ongoing development and the use of cutting-edge techniques, such as the blockchain technology to
store malicious payloads, this threat must be closely monitored by organisations, as the malware delivered by
ClearFake can be used to gain access to the victim’s network.
The tactics, techniques and procedures leveraged by the ClearFake operators overlap with those of
SocGholish ones (tracked as TA569), in particular the use of watering holes, “fake updates” lures, Keitaro TDS,
Dropbox file hosting service and the masquerading of filename with cyrillic characters. Considering this,
Sekoia.io further assess ClearFake and SocGholish are possibly operated by the same threat group.
Gathering additional evidence may help to confirm or refute this hypothesis.
To provide our customers with actionable intelligence, we will continue to monitor the evolution of ClearFake and
other malware it delivers.
ClearFake IoCs & Technical Details
IoCs
The list of IoCs is available on Sekoia.io github repository.
ClearFake C2 domains
921hapudyqwdvy[.]com
98ygdjhdvuhj[.]com
adqdqqewqewplzoqmzq[.]site
bgobgogimrihehmxerreg[.]site
boiibzqmk12j[.]com
bookchrono8273[.]com
borbrbmrtxtrbxrq[.]site
bpjoieohzmhegwegmmuew[.]online
brewasigfi1978[.]workers[.]dev
cczqyvuy812jdy[.]com
ewkekezmwzfevwvwvvmmmmmmwfwf[.]site
gkrokbmrkmrxtmxrxr[.]space
indogervo22tevra[.]com
indogevro22tevra[.]com
ioiubby73b1n[.]com
kjniuby621edoo[.]com
komomjinndqndqwf[.]store
lminoeubybyvq[.]com
nbvyrxry216vy[.]com
ngvcfrttgyu512vgv[.]net
nmbvcxzasedrt[.]com
oekofkkfkoeefkefbnhgtrq[.]space
oiouhvtybh291[.]com
oiuytyfvq621mb[.]org
ojhggnfbcy62[.]com
omdowqind[.]site
ooinonqnbdqnjdnqwqkdn[.]space
opkfijuifbuyynyny[.]com
opmowmokmwczmwecmef[.]site
owkdzodqzodqjefjnnejenefe[.]site
pklkknj89bygvczvi[.]com
poqwjoemqzmemzgqegzqzf[.]online
pwwqkppwqkezqer[.]site
reedx51mut[.]com
sioaiuhsdguywqgyuhiqw[.]org
sioaiuhsdguywqgyuhuiqw[.]org
stats-best[.]site
ug62r67uiijo2[.]com
vcrwtttywuuidqioppn1[.]com
vvooowkdqddcqcqcdqggggl[.]site
weomfewnfnu[.]site
wffewiuofegwumzowefmgwezfzew[.]site
wnimodmoiejn[.]site
wsexdrcftgyy191[.]com
ytntf5hvtn2vgcxxq[.]com
zasexdrc13ftvg[.]com
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 10 of 20

oiqwbuwbwqznjqsdfsfqhf[.]site
oiuugyfytvgb22h[.]com
ziucsugcbfyfbyccbasy[.]com
znqjdnqzdqzfqmfqmkfq[.]site
ClearFake IP addresses
109.248.206[.]49
109.248.206[.]83
109.248.206[.]101
109.248.206[.]118
109.248.206[.]196
135.181.211[.]230
ClearFake infection chain
IoC Description
hxxps://hello-world-broken-dust-1f1c.brewasigfi1978.workers[.]dev/
Download
URL of the
first
JavaScript
payload
hxxps://ojhggnfbcy62[.]com/vvmd54/
Download
URL of the
second
JavaScript
payload
hxxps://ojhggnfbcy62[.]com/ZgbN19Mx
Download
URL of the
first HTML
payload
hxxps://ojhggnfbcy62[.]com/lander/firefox_1695214415/index.php
Download
URL of the
second
HTML
payload
hxxps://stats-best[.]site/fp.php
C2 URL for
the
fingerprinting
data
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 11 of 20

IoC Description
hxxp://ojhggnfbcy62[.]com/?
_lp=1&_token=uuid_1ubo22l1dqqlm_1ubo22l1dqqlm6518291d817043.55797095
Redirect
URL to the
HijackLoader
payload
(APPX)
hxxps://www.dropbox[.]com/e/scl/fi/6gtsp3qjf54lsec0piwvq/Ml-r-s-ft-dg-S-tup.appx?rlkey=hdm3apoi4n31v2rxruiosvtaa&dl=1
Download
URL of the
HijackLoader
payload
(APPX)
b583d86c4abc6d6ca57bde802b7e9d8143a249aed6a560a4626e79ae13f6209d
HijackLoader
payload
(APPX)
d60d4da2cfe120138a3fde66694b40ae2710cfc2af33cb7810b3a0e9b1663a4f
HijackLoader
paylaod
(EXE)
hxxps://server2-slabx.ocmtancmi2c5t[.]live/osmesis/1829973585.png
HijackLoader
hosting
payload URL
ocmtancmi2c5t[.]live
HijackLoader
hosting
payload
domain
128.140.101[.]125
Raccoon C2
server
MITRE ATT&CK TTPs
Tactic Technique
Resource Development T1584 – Compromise Infrastructure
Execution T1059.007 – Command and Scripting Interpreter: JavaScript
Initial Access T1189 – Drive-by Compromise
Defense Evasion T1027 – Obfuscated Files or Information
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 12 of 20

Tactic Technique
Defense Evasion T1132.001 – Data Encoding: Standard Encoding
Defense Evasion T1036 – Masquerading
Defense Evasion T1140 – Deobfuscate/Decode Files or Information
Command and Control T1041 – Exfiltration Over C2 Channel
Command and Control T1071.001 – Application Layer Protocol: Web Protocols
Command and Control T1105 – Ingress Tool Transfer
Annexes
The ClearFake scripts are available on Sekoia.io github repository.
Annex 1 – Injected Javascript codes
Injected JavaScript used before 28 September 2023:
The script decodes to:
Injected JavaScript used since 28 September 2023:
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 13 of 20

The script decodes to:
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 14 of 20

Response of the Binance Smart Chain:
Annex 2 – Next stage payloads
First next stage payload downloaded by the injected JavaScript from the Binance Smart Chain:
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 15 of 20

https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 16 of 20

https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 17 of 20

The script decodes to:
Third next stage payload serving as a fake update interface and downloading the fake update content:
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 18 of 20

External references
1. [Randy McEoin’s blog] ClearFake Malware Analysis ↩︎
2. [NPM] @fingerprintjs/fingerprintjs ↩︎
3. [Red Canary] Threat – SocGholish ↩︎
4. [Microsoft Community Hub] Deploying local application data in a Desktop Bridge app with Advanced
Installer ↩︎
5. [FINSIN] Infección en sitio web de e-commerce chileno ↩︎
6. [SentinelOne] Inside Malicious Windows Apps for Malware Deployment ↩︎
7. [Zscaler] Technical Analysis of HijackLoader ↩︎
8. [Rapid7] Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers ↩︎
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 19 of 20

Thank you for reading this blogpost. We welcome any reaction, feedback or critics about this analysis. Please
contact us on tdr[at]sekoia.io.
Feel free to read other TDR analysis here :
Share
CTI Cybercrime Malware
Share this post:
Source: https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/
Page 20 of 20