ClearFake gets more evasive with new living off the land (LOTL) techniques
ID: 627e4a20-0f19-5556-8004-510ab57cd21e
STIX ID: report--627e4a20-0f19-5556-8004-510ab57cd21e
Feed Name: Expel Blog
ClearFake is a widespread, highly evasive JavaScript-based malware campaign that compromises websites to display fake CAPTCHA social-engineering lures; the injected code dynamically retrieves staged payloads from BNB smart contracts (EtherHiding), then uses clipboard-pasted commands to execute in-memory PowerShell fetched via a CDN. The actors employ proxy execution by abusing SyncAppvPublishingServer.vbs to evade EDRs, track infections via blockchain-stored UUIDs (≈149,199 submissions), and frequently rotate hosting, making detection and takedown difficult; the report includes smart contract addresses, wallet, and payload URL IOCs and defensive recommendations.
