What is ClearFake?
As threat actors evolve their techniques to exploit victims and breach target networks, the ClearFake campaign has emerged as a significant illustration of this continued adaptation. ClearFake is a campaign observed using a malicious JavaScript framework deployed on compromised websites, impacting sectors such as e‑commerce, travel, and automotive. First identified in mid‑2023, ClearFake is frequently leveraged to socially engineer victims into installing fake web browser updates.
In ClearFake compromises, victims are steered toward compromised WordPress sites, often positioned by attackers through search engine optimization (SEO) poisoning. Once on the site, users are presented with a fake CAPTCHA. This counterfeit challenge is designed to appear legitimate while enabling the execution of malicious code. When a victim interacts with the CAPTCHA, a PowerShell command containing a download string is retrieved and executed.
Attackers commonly abuse the legitimate Microsoft HTML Application Host (MSHTA) in these operations. Recent campaigns have also incorporated Smart Chain endpoints, such as “bsc-dataseed.binance[.]org,” to obtain configuration code. The primary payload delivered through ClearFake is typically an information stealer, such as Lumma Stealer, enabling credential theft, data exfiltration, and persistent access [1].
Darktrace’s Coverage of ClearFake
Darktrace / ENDPOINT first detected activity likely associated with ClearFake on a single device on over the course of one day on November 18, 2025. The system observed the execution of “mshta.exe,” the legitimate Microsoft HTML Application Host utility. It also noted a repeated process command referencing “weiss.neighb0rrol1[.]ru”, indicating suspicious external activity. Subsequent analysis of this endpoint using open‑source intelligence (OSINT) indicated that it was a malicious, domain generation algorithm (DGA) endpoint [2].
![The process line referencing weiss.neighb0rrol1[.]ru, as observed by Darktrace / ENDPOINT.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/697c82e78da2d2ce709ae48c_unknown.avif)
This activity indicates that mshta.exe was used to contact a remote server, “weiss.neighb0rrol1[.]ru/rpxacc64mshta,” and execute the associated HTA file to initiate the next stage of the attack. OSINT sources have since heavily flagged this server as potentially malicious [3].
The first argument in this process uses the MSHTA utility to execute the HTA file hosted on the remote server. If successful, MSHTA would then run JavaScript or VBScript to launch PowerShell commands used to retrieve malicious payloads, a technique observed in previous ClearFake campaigns. Darktrace also detected unusual activity involving additional Microsoft executables, including “winlogon.exe,” “userinit.exe,” and “explorer.exe.” Although these binaries are legitimate components of the Windows operating system, threat actors can abuse their normal behavior within the Windows login sequence to gain control over user sessions, similar to the misuse of mshta.exe.
EtherHiding cover
Darktrace also identified additional ClearFake‑related activity, specifically a connection to bsc-testnet.drpc[.]org, a legitimate BNB Smart Chain endpoint. This activity was triggered by injected JavaScript on the compromised site www.allstarsuae[.]com, where the script initiated an eth_call POST request to the Smart Chain endpoint.
![Example of a fake CAPTCHA on the compromised site www.allstarsuae[.]com.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/697c8366f0bb2cc1b6d45b83_unknown.avif)
EtherHiding is a technique in which threat actors leverage blockchain technology, specifically smart contracts, as part of their malicious infrastructure. Because blockchain is anonymous, decentralized, and highly persistent, it provides threat actors with advantages in evading defensive measures and traditional tracking [4].
In this case, when a user visits a compromised WordPress site, injected base64‑encoded JavaScript retrieved an ABI string, which was then used to load and execute a contract hosted on the BNB Smart Chain.
![JavaScript hosted on the compromised site www.allstaruae[.]com.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/697c86643749feb018e9c675_161%208361%2C.avif)
Conducting malware analysis on this instance, the Base64 decoded into a JavaScript loader. A POST request to bsc-testnet.drpc[.]org was then used to retrieve a hex‑encoded ABI string that loads and executes the contract. The JavaScript also contained hex and Base64‑encoded functions that decoded into additional JavaScript, which attempted to retrieve a payload hosted on GitHub at “github[.]com/PrivateC0de/obf/main/payload.txt.” However, this payload was unavailable at the time of analysis.
![Darktrace’s detection of the POST request to bsc-testnet.drpc[.]org.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/697c86886decd09446e998af_unknown.avif)
Autonomous Response
As Darktrace’s Autonomous Response capability was enabled on this customer’s network, Darktrace was able to take swift mitigative action to contain the ClearFake‑related activity early, before it could lead to potential payload delivery. The affected device was blocked from making external connections to a number of suspicious endpoints, including 188.114.96[.]6, *.neighb0rrol1[.]ru, and neighb0rrol1[.]ru, ensuring that no further malicious connections could be made and no payloads could be retrieved.
Autonomous Response also acted to prevent the executable mshta.exe from initiating HTA file execution over HTTPS from this endpoint by blocking the attempted connections. Had these files executed successfully, the attack would likely have resulted in the retrieval of an information stealer, such as Lumma Stealer.
Conclusion
ClearFake continues to be observed across multiple sectors, but Darktrace remains well‑positioned to counter such threats. Because ClearFake’s end goal is often to deliver malware such as information stealers and malware loaders, early disruption is critical to preventing compromise. Users should remain aware of this activity and vigilant regarding fake CAPTCHA pop‑ups. They should also monitor unusual usage of MSHTA and outbound connections to domains that mimic formats such as “bsc-dataseed.binance[.]org” [1].
In this case, Darktrace was able to contain the attack before it could successfully escalate and execute. The attempted execution of HTA files was detected early, allowing Autonomous Response to intervene, stopping the activity from progressing. As soon as the device began communicating with weiss.neighb0rrol1[.]ru, an Autonomous Response inhibitor triggered and interrupted the connections.
As ClearFake continues to rise, users should stay alert to social engineering techniques, including ClickFix, that rely on deceptive security prompts.
Credit to Vivek Rajan (Senior Cyber Analyst) and Tara Gould (Malware Research Lead)
Edited by Ryan Traill (Analyst Content Lead)
Appendices
Darktrace Model Detections
Process / New Executable Launched
Endpoint / Anomalous Use of Scripting Process
Endpoint / New Suspicious Executable Launched
Endpoint / Process Connection::Unusual Connection from New Process
Autonomous Response Models
Antigena / Network::Significant Anomaly::Antigena Significant Anomaly from Client Block
List of Indicators of Compromise (IoCs)
- weiss.neighb0rrol1[.]ru – URL - Malicious Domain
- 188.114.96[.]6 – IP – Suspicious Domain
- *.neighb0rrol1[.]ru – URL – Malicious Domain
MITRE Tactics
Initial Access, Drive-by Compromise, T1189
User Execution, Execution, T1204
Software Deployment Tools, Execution and Lateral Movement, T1072
Command and Scripting Interpreter, T1059
System Binary Proxy Execution: MSHTA, T1218.005
References
1. https://www.kroll.com/en/publications/cyber/rapid-evolution-of-clearfake-delivery
2. https://www.virustotal.com/gui/domain/weiss.neighb0rrol1.ru
4. https://www.packetlabs.net/posts/etherhiding-a-new-tactic-for-hiding-malware-on-the-blockchain/
