{
	"id": "85b11314-e026-4f2d-a434-6bc5f6b06557",
	"created_at": "2026-04-06T00:17:05.887553Z",
	"updated_at": "2026-04-10T03:19:56.430425Z",
	"deleted_at": null,
	"sha1_hash": "99a13cc0c687e63842d05c27f7ef70f34d6a181a",
	"title": "CLEARFAKE Update Tricks Victim into Executing Malicious PowerShell Code",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 267774,
	"plain_text": "CLEARFAKE Update Tricks Victim into Executing Malicious PowerShell Code\r\nBy Ryan Hicks\r\nPublished: 2024-07-05 · Archived: 2026-04-05 22:24:02 UTC\r\nCLEARFAKE is the name given to the malicious in-browser JavaScript framework deployed on compromised webpages as part of drive-by compromise campaigns to deliver information stealers. It has the potential to impact all sectors.\r\nAlthough the CLEARFAKE fake browser update campaign (initially identified in Q2 2023) originally targeted Windows users, it expanded to macOS users in Q4 2023. CLEARFAKE’s technique involves tricking users into initiating fake updates, ultimately leading to the installation of malicious payloads on their systems. The fake updates are usually browser update prompts (Chrome or Safari) that appear on compromised websites through injected JavaScript.\r\nTTP Context\r\nOngoing Use of Binance EtherHiding Technique\r\nThe CLEARFAKE campaign begins with a user browsing to a compromised webpage, typically a WordPress site. There appears to be no active social engineering to persuade users to navigate to the compromised webpage; it acts as a drive-by compromise, waiting for users to land on the page.\r\nInitially observed in 2023, this technique for fetching and presenting the fake update prompt uses Ethers, a JavaScript library, together with BNB Smart Chain (BSC), the smart contract platform for the BNB cryptocurrency created by Binance. The threat actor stores a contract object containing the malicious code on the BSC, which allows the code to be retrieved programmatically through the Binance RPC endpoints.\r\nThe threat actor then embeds a simple JavaScript function on the compromised website (usually in a template that is loaded by all pages). 
This code uses the Ethers library to obtain a copy of this object from the BSC, treats the returned value as code and executes it in the browser.\r\nOnce the request is made using the Ethers library, the victim's browser sends a POST request to the BSC endpoint using JSON-RPC. The response has the following format, with an encoded string at the end (truncated for ease of viewing):\r\n\"{\"jsonrpc\":\"2.0\",\"id\":44,\"result\":\"0x000000000000000[....]\"\r\nThis response contains the actor-controlled domain that delivers the payload, which identifies the browser and executes in it, displaying the fake browser iframe to the victim in the correct language.\r\nhttps://www.kroll.com/en/insights/publications/cyber/clearfake-update-tricks-victim-executing-malicious-powershell-code\r\nPage 1 of 4\n\nMay 2024 Update - User Interaction to Launch PowerShell\r\nIn May 2024, Kroll observed a new method that CLEARFAKE uses to trick users into running malicious code on behalf of the threat actors, bypassing the initial download of files that previously carried out the malicious activity. In these cases, Kroll observed the victim being redirected to a malicious webpage (in the format \"{domain}/lander/powershell/index.html\") disguised as a browser error. Although it has a similar theme to previous fake update iframes, the decrease in quality of the lure is notable: it does not appear to mimic any legitimate error that Chrome would produce.\r\nThe error itself suggests that there is something wrong with displaying the webpage. When the user clicks \"How to fix,\" an additional screen appears with instructions. These ask the user to click the copy button (copying the PowerShell code), open PowerShell from the Start menu and run the code. 
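Going back to the EtherHiding retrieval described under TTP Context: the following is an added example (not code from the Kroll article and not the operators' injected script) of how the result field of that JSON-RPC response is laid out and how an analyst can decode it offline. The stored URL, the request id and the function names are assumptions; only the response shape comes from the article.

```javascript
// Added example (not code from the Kroll article or the ClearFake actor): how the
// ABI-encoded string in an eth_call JSON-RPC result is laid out and recovered.
// Assumptions: the contract stores a single dynamic string (the usual EtherHiding
// pattern); the URL and the request id below are constructed placeholders.

const WORD = 64; // one 32-byte ABI word is 64 hex characters

// Encode a UTF-8 string the way the Solidity ABI does for a `string` return value:
// word 0 = byte offset of the dynamic data (0x20), word 1 = byte length, then the
// bytes right-padded with zeros to a multiple of 32 bytes.
function encodeAbiString(text) {
  const bytes = Buffer.from(text, 'utf8');
  const offset = (32).toString(16).padStart(WORD, '0');
  const length = bytes.length.toString(16).padStart(WORD, '0');
  const padLen = Math.ceil(bytes.length / 32) * 32;
  const data = bytes.toString('hex').padEnd(padLen * 2, '0');
  return '0x' + offset + length + data;
}

// Decode the result field of an eth_call response back into the string the contract
// returned. Throws on malformed input instead of returning garbage.
function decodeAbiString(hexResult) {
  const hex = hexResult.startsWith('0x') ? hexResult.slice(2) : hexResult;
  if (hex.length < 2 * WORD || hex.length % WORD !== 0) throw new Error('result is not word-aligned');
  const offset = parseInt(hex.slice(0, WORD), 16); // byte offset of the length word, normally 32
  const lenPos = offset * 2;
  if (lenPos + WORD > hex.length) throw new Error('offset points outside the payload');
  const length = parseInt(hex.slice(lenPos, lenPos + WORD), 16);
  const dataPos = lenPos + WORD;
  if (dataPos + length * 2 > hex.length) throw new Error('declared length exceeds payload');
  return Buffer.from(hex.slice(dataPos, dataPos + length * 2), 'hex').toString('utf8');
}

// Constructed stand-in for what the actor stores on-chain: a URL pointing at the
// second-stage script. Placeholder domain, not an indicator from the article.
const storedPayload = 'https://payload.example.invalid/loader.js';

// Constructed stand-in for the JSON-RPC envelope the victim browser receives from a
// bsc-dataseed endpoint (the article shows the same shape with a long 0x... result).
const rpcResponse = { jsonrpc: '2.0', id: 44, result: encodeAbiString(storedPayload) };

// The injected page script executes the decoded string; an analyst decodes it to
// recover the staging URL instead.
function recoverPayload(response) {
  if (response.error) throw new Error('RPC error: ' + response.error.message);
  return decodeAbiString(response.result);
}

console.log(recoverPayload(rpcResponse));
```

Run with node. The decoder is what a defender runs over a captured response body; the injected page script hands the same decoded string to the JavaScript engine, which is why the bsc-dataseed hosts in the detection section are worth watching even though the traffic itself is ordinary JSON-RPC.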
Kroll noted that shortly after browsing to the webpage, the victim did open PowerShell from the Start menu, correlating with these instructions and initiating the compromise.\r\nInitial Browser Error Screen\r\nFollow-On Browser Error Screen With Instructions to Victim\r\nKroll has observed several variations of the PowerShell code run by the victim, likely due to slight changes over time. In all cases, the long string copied by the user first spawns ipconfig.exe to flush the DNS cache on the local machine. It then sets the clipboard to a blank value ($BRW), effectively deleting the copied code from the clipboard. The bulk of the executed code is held in the $CRT variable as a base64-encoded string.\r\nFollowing Actions - Infostealer Activity\r\nFollowing the CLEARFAKE initial access actions, the information stealer phase of the compromise begins. Kroll observed the use of netsh for information discovery as well as the creation of an AutoIT script file, which accessed credentials and browser information and queried the local device for anti-virus (AV) product information. Several network connections were attempted to malicious domains, likely to upload retrieved data, and further executables were created by the AutoIT script to give the information stealer additional capabilities.\r\nAnalysis\r\nThis change in tactics to a more direct approach, getting a victim to manually run code, is likely an effort to evade existing detections and reduce the number of files required during initial infection. Traditionally, fake browser updates would download an archive file that may contain an EXE, JavaScript or LNK file which would be run by the victim. 
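The stager shape described above, together with the indicator list that follows under Detections and Mitigations, as an added example (not code from the Kroll article): a scan over constructed process-creation and proxy records for those indicators, plus recovery of the base64 body held in a $CRT variable. The records, the stager command line, the image names and the placeholder domains are constructed; only the bsc-dataseed hosts and the lander/powershell/index.html path come from the article.

```javascript
// Added example (not code from the Kroll article): the article's detection guidance
// turned into a scan over constructed log records, plus recovery of the base64 body
// the article says the copy-pasted stager keeps in a $CRT variable.
// The records are stand-ins, not captured telemetry; the only real indicators are the
// bsc-dataseed hosts and the /lander/powershell/index.html path from the article.

const SUSPICIOUS_TOKENS = ['invoke-webrequest', 'frombase64string', 'invoke-expression'];
const BLOCKED_HOSTS = [
  'bsc-dataseed.binance.org', 'bsc-dataseed1.binance.org', 'bsc-dataseed2.binance.org',
  'bsc-dataseed3.binance.org', 'bsc-dataseed4.binance.org',
];
const LURE_PATH = '/lander/powershell/index.html';
const QUOTE_CHARS = [String.fromCharCode(39), String.fromCharCode(34)]; // single and double quote

// Pull http(s) URLs out of free text by splitting on spaces and trimming the
// punctuation PowerShell tends to wrap around them.
function extractUrls(text) {
  return text.split(' ')
    .map((token) => token.replace(/^[('$]+|[');,]+$/g, ''))
    .filter((token) => token.startsWith('http://') || token.startsWith('https://'));
}

// Recover the decoded text of a base64 literal assigned to $name somewhere in the
// command line. Returns null when the variable or a well-formed literal is absent.
function decodeBase64Variable(commandLine, name) {
  const at = commandLine.indexOf('$' + name);
  if (at === -1) return null;
  const rest = commandLine.slice(at + name.length + 1);
  let open = -1;
  let quote = '';
  for (const q of QUOTE_CHARS) {
    const i = rest.indexOf(q);
    if (i !== -1 && (open === -1 || i < open)) { open = i; quote = q; }
  }
  if (open === -1) return null;
  const close = rest.indexOf(quote, open + 1);
  if (close === -1) return null;
  const literal = rest.slice(open + 1, close);
  if (!/^[A-Za-z0-9+/=]+$/.test(literal)) return null; // not base64: do not guess
  return Buffer.from(literal, 'base64').toString('utf8');
}

// Evaluate one record (process creation with image/commandLine, or proxy with url)
// against the article's indicators. Returns the reasons it matched, empty if clean.
function ruleHits(record) {
  const hits = [];
  const commandLine = record.commandLine || '';
  const lower = commandLine.toLowerCase();
  const image = (record.image || '').toLowerCase(); // basename only in these records

  if (image === 'powershell.exe' || image === 'pwsh.exe') {
    for (const token of SUSPICIOUS_TOKENS) {
      if (lower.includes(token)) hits.push('PowerShell token: ' + token);
    }
    const body = decodeBase64Variable(commandLine, 'CRT');
    if (body !== null) hits.push('decoded $CRT body: ' + body);
  }
  if (lower.includes('.au3')) hits.push('AutoIT script argument');

  const urls = extractUrls(commandLine).concat(record.url ? [record.url] : []);
  for (const url of urls) {
    let parsed;
    try { parsed = new URL(url); } catch (err) { continue; }
    const host = parsed.hostname.toLowerCase();
    if (BLOCKED_HOSTS.includes(host)) hits.push('BSC RPC endpoint: ' + host);
    if (host.endsWith('.xyz')) hits.push('.xyz domain: ' + host);
    if (parsed.pathname.endsWith(LURE_PATH)) hits.push('ClearFake lure page: ' + host + parsed.pathname);
  }
  return hits;
}

function scan(records) {
  return records
    .map((record, index) => ({ index, hits: ruleHits(record) }))
    .filter((result) => result.hits.length > 0);
}

// Constructed records. The stager line is modelled on the article's description
// (flush DNS, blank the clipboard, base64 body in $CRT); its body is harmless.
const STAGE_BODY = 'Write-Host constructed stand-in for the second stage';
const crt = Buffer.from(STAGE_BODY, 'utf8').toString('base64');
const SAMPLE_RECORDS = [
  { image: 'powershell.exe', parentImage: 'explorer.exe',
    commandLine: `ipconfig /flushdns; Set-Clipboard -Value ''; $CRT='${crt}'; Invoke-Expression ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($CRT)))` },
  { image: 'powershell.exe', parentImage: 'explorer.exe',
    commandLine: 'Get-Service | Where-Object Status -eq Running' },
  { image: 'AutoIt3.exe', parentImage: 'powershell.exe', commandLine: 'AutoIt3.exe collect.au3' },
  { url: 'https://bsc-dataseed2.binance.org/' },                          // article-listed host
  { url: 'https://fake-error.example.xyz/lander/powershell/index.html' }, // placeholder domain
];

for (const result of scan(SAMPLE_RECORDS)) console.log(result.index, result.hits);
```

Run with node. Two caveats when turning this into production rules: the bsc-dataseed hosts are Binance's public RPC nodes, so any legitimate Web3 use in the environment will trigger that rule, and the .xyz rule is a campaign-specific heuristic; treat both as triage signals rather than block-on-sight, in line with the false-positive note in the article's detection guidance. The $CRT recovery is the step that tells an analyst what the copied one-liner actually ran.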
However, getting the user to copy and paste PowerShell code reduces the risk for the threat actor of AV or EDR technologies stopping them immediately.\r\nThe action of a user opening PowerShell from the Start menu (spawning from explorer.exe) is also less likely to appear suspicious than PowerShell being spawned from an executable or script file.\r\nCLEARFAKE MITRE ATT\u0026CK TTPs\r\nT1189 - Drive-by Compromise\r\nT1102 - Web Service\r\nT1059.001 - Command and Scripting Interpreter: PowerShell\r\nT1027.010 - Obfuscated Files or Information: Command Obfuscation\r\nT1059.007 - Command and Scripting Interpreter: JavaScript\r\nDetections and Mitigations\r\nIdentify suspicious PowerShell cmdlets and strings being executed (noting a likelihood of false positives):\r\nInvoke-WebRequest\r\nFromBase64String\r\nInvoke-Expression\r\nAlert on and/or block network connections to the following domains:\r\nbsc-dataseed.binance[.]org\r\nbsc-dataseed1.binance[.]org\r\nbsc-dataseed2.binance[.]org\r\nbsc-dataseed3.binance[.]org\r\nbsc-dataseed4.binance[.]org\r\nMonitor for command arguments containing .au3 files\r\nAlert on connections to .xyz domains (commonly observed during the recent campaign)\r\nAlert on connections to \"*/lander/powershell/index.html\", which has typically been observed as the CLEARFAKE popup webpage.\r\nSource: https://www.kroll.com/en/insights/publications/cyber/clearfake-update-tricks-victim-executing-malicious-powershell-code",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/cyber/clearfake-update-tricks-victim-executing-malicious-powershell-code"
	],
	"report_names": [
		"clearfake-update-tricks-victim-executing-malicious-powershell-code"
	],
	"threat_actors": [],
	"ts_created_at": 1775434625,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99a13cc0c687e63842d05c27f7ef70f34d6a181a.pdf",
		"text": "https://archive.orkl.eu/99a13cc0c687e63842d05c27f7ef70f34d6a181a.txt",
		"img": "https://archive.orkl.eu/99a13cc0c687e63842d05c27f7ef70f34d6a181a.jpg"
	}
}