ClearFake Malware Evolves With Stealthy Living-Off-the-Land Tactics, Abusing Blockchain and Trusted Windows Tools

Cybersecurity threats continue to evolve in sophistication, making detection and mitigation ever more challenging for defenders. Among emerging threats, ClearFake stands out as an adaptable and evasive malware delivery framework that has recently adopted advanced living-off-the-land (LOTL) techniques — leveraging trusted system capabilities to mask malicious behavior and evade detection. In a January 2026 threat intelligence report, Expel researchers detailed how ClearFake has become significantly more evasive by abusing legitimate infrastructure and executing code without leaving typical malware footprints.

This article explores the technical mechanisms behind ClearFake’s infection chain, how LOTL tactics enhance stealth, and what defenders should know to protect systems.


What Is ClearFake?

ClearFake is a malicious JavaScript framework deployed on compromised websites to distribute malware to unsuspecting visitors. Operated by one or more threat actors, the framework injects malicious scripts into legitimate web pages, which then display deceptive prompts — often taking the form of fake CAPTCHA challenges or browser update notices — to socially engineer users into executing harmful commands.

Historically, ClearFake campaigns targeted users with fake browser update pages or error messages, tricking them into downloading malware or running PowerShell scripts. The framework has been observed across thousands of compromised sites, exploiting common content management system vulnerabilities to insert its code.


Living-Off-The-Land (LOTL): An Overview

Before delving into ClearFake’s techniques, it is important to understand LOTL concepts. LOTL attacks exploit trusted tools and features already present in an operating system — such as PowerShell or built-in Windows executables — to perform malicious actions. By abusing legitimate capabilities, threat actors can significantly reduce the likelihood of detection by security software that primarily identifies anomalous or third-party executable files.

In traditional malware attacks, attackers deliver executables or scripts that antivirus solutions can flag on disk. In LOTL scenarios, no malicious binary is downloaded; instead, scripts are executed in memory or run through trusted binaries, leaving fewer forensic artifacts. This fileless approach complicates detection and often requires behavior-based analysis to uncover the threat.


Technical Anatomy of the ClearFake Infection

JavaScript Injection and Obfuscation

ClearFake begins its infection chain by injecting a malicious JavaScript payload directly into the HTML of compromised websites. The injected code is inlined rather than loaded from an external script, and it is often Base64-encoded, which obscures its function and makes initial detection harder. Once decoded, the JavaScript remains obfuscated, masking its true intent.

A key innovation in recent ClearFake campaigns is the use of blockchain-based hosting for payload activation. The JavaScript executes a function that retrieves additional code from a BNB (Binance Smart Chain) smart contract. This technique, sometimes referred to as EtherHiding, allows the threat actor to store second-stage payloads in a decentralized, immutable environment that cannot easily be taken down.

Smart Contract as Command and Control

Once the Base64-encoded script is decoded, the malicious JavaScript calls a function (via an RPC endpoint) on a smart contract deployed on the blockchain. This contract holds the next stage of the malware in encoded form. The JavaScript decodes and executes this retrieved payload in the browser context.

Smart contract functions are used to set and get arbitrary data, with get() being accessible by anyone but set() restricted to the contract owner — meaning only the attacker can update malicious content. This arrangement provides a takedown-resistant channel for hosting evolving payloads without depending on traditional malicious domains.

Social Engineering with Fake CAPTCHAs

Once the secondary script executes, it displays a fake CAPTCHA or browser interaction prompt to the user. In the ClearFake campaign detailed by Expel, these prompts instruct users to press Win + R to open the Windows Run dialog, then paste a command from their clipboard and press Enter. This manually performed keyboard sequence is central to the campaign’s social engineering component.

Behind the scenes, the webpage has already placed a malicious command into the user’s clipboard. When the victim follows the prompt, this command runs via the Run dialog, launching legitimate tools such as PowerShell or other system binaries — thereby initiating the next stage of the attack without the user knowingly downloading an executable.


Proxy Execution: A New LOTL Twist

One of the most troubling evolutions in ClearFake’s technique is its use of proxy execution — a LOTL method that abuses trusted system components to indirectly execute malicious PowerShell commands with minimal suspicion.

In the recent ClearFake campaigns, the malicious clipboard command does not call PowerShell directly. Instead, it leverages a legitimate Windows script, SyncAppvPublishingServer.vbs, located in C:\Windows\System32. This script is meant for synchronizing App-V publishing servers but contains a command injection weakness.

By passing specially crafted arguments containing a semicolon and malicious PowerShell code to this script, the threat actor causes it to launch PowerShell in hidden mode with arbitrary commands. Because the execution originates from a trusted Windows component, many security tools are less likely to flag it as suspicious.

This proxy execution attack effectively hides the malicious PowerShell process behind a legitimate parent process — reducing visibility to endpoint detection systems, which often prioritize suspicious parent-child relationships in process trees.


CDN Abuse and Evading URL Blocklists

Another noteworthy evolution in ClearFake’s toolkit is the use of content delivery networks (CDNs) like jsDelivr to host malicious assets. Since jsDelivr is a widely used and reputable CDN, blocking its domains outright would disrupt legitimate functionality for many applications. Threat actors thus abuse this trusted infrastructure to serve malicious scripts while evading network-based filtering and URL blocklists.

By distributing malicious payloads through well-known CDNs, ClearFake reduces its reliance on infrastructure that is easy to blocklist, further complicating detection and response efforts.


Why These Techniques Matter

ClearFake’s adoption of LOTL and related evasive tactics reflects a broader trend in cyber threats: attackers increasingly seek to blend malicious behaviors with legitimate system functions. The result is attacks that are:

  • Harder to detect by signature-based security tools. LOTL techniques leave fewer file artifacts and avoid known malicious executable signatures.
  • More resilient to takedown. Blockchain and CDN usage allow attackers to host and update payloads on trusted infrastructure.
  • More deceptive. Social engineering prompts that appear legitimate exploit user trust to initiate malicious actions.

Mitigation and Defense Strategies

To defend against ClearFake and similar LOTL-oriented threats, organizations should:

  1. Strengthen browser and web gateway protections to detect and block malicious JavaScript behaviors.
  2. Implement application-whitelisting and PowerShell execution policies that restrict unauthorized script execution.
  3. Monitor for anomalous use of trusted system binaries such as proxy execution of PowerShell via Windows scripts.
  4. Apply heuristics-based detection focusing on behavior patterns rather than static signatures.
  5. Educate users about social engineering tactics, especially concerning prompts that ask them to run commands or make system changes.
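The proxy execution chain described above (wscript/cscript running SyncAppvPublishingServer.vbs with a semicolon-injected argument, then spawning a hidden PowerShell) and mitigation item 3 both come down to the same detection: inspecting the parent-child relationship and command lines of process-creation events. The following is an added example, not code from Expel or from the article, that scores such events; the field names (Image, ParentImage, CommandLine, ParentCommandLine) follow the Sysmon Event ID 1 schema and are an assumption, and the sample events are constructed.

```python
"""Detection logic for proxy execution of PowerShell through SyncAppvPublishingServer.vbs.
Field names follow Sysmon Event ID 1 (assumption); map them to your own EDR/SIEM schema."""
import re

SCRIPT_HOST = re.compile(r"\\[wc]script\.exe$", re.IGNORECASE)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)
APPV_VBS = re.compile(r"SyncAppvPublishingServer\.vbs", re.IGNORECASE)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)

def injected_argument(cmdline: str) -> bool:
    """True when text follows a semicolon after the .vbs path: the argument shape the
    article describes for the script's command-injection weakness."""
    m = APPV_VBS.search(cmdline)
    return bool(m) and re.search(r";\s*\S", cmdline[m.end():]) is not None

def classify(event: dict) -> list:
    """Return the indicators matched by one process-creation event (empty = clean)."""
    hits = []
    if not (POWERSHELL.search(event.get("Image", ""))
            and SCRIPT_HOST.search(event.get("ParentImage", ""))):
        return hits  # only wscript/cscript -> PowerShell chains are in scope here
    hits.append("powershell spawned by wscript/cscript")
    parent_cmd = event.get("ParentCommandLine", "")
    if APPV_VBS.search(parent_cmd):
        hits.append("parent ran SyncAppvPublishingServer.vbs")
    if injected_argument(parent_cmd):
        hits.append("semicolon-injected argument to the .vbs")
    if HIDDEN.search(event.get("CommandLine", "")):
        hits.append("child PowerShell requested a hidden window")
    return hits

def triage(events) -> list:
    """(index, indicators) for events with >= 2 indicators; a lone script-host chain is common."""
    return [(i, classify(e)) for i, e in enumerate(events) if len(classify(e)) >= 2]

# Constructed sample events (not real telemetry); command lines are illustrative only.
SAMPLE_EVENTS = [
    {   # proxy execution: script host runs the App-V script with an injected argument
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "ParentCommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; Write-Host placeholder"',
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -WindowStyle Hidden -Command "Sync-AppvPublishingServer n; Write-Host placeholder"',
    },
    {   # legitimate logon script that calls PowerShell: one weak indicator, not triaged
        "ParentImage": r"C:\Windows\System32\cscript.exe",
        "ParentCommandLine": r"cscript.exe \\corp\netlogon\inventory.vbs",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\collect.ps1",
    },
]
```

The two-indicator threshold in triage() is deliberate: script hosts launching PowerShell is routine in logon scripts, so the alert should key on the App-V script path and the semicolon argument rather than on the parent-child pair alone.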

Conclusion

ClearFake’s latest living-off-the-land techniques demonstrate how modern malware campaigns evolve to evade detection by abusing legitimate tools and infrastructure. By combining JavaScript obfuscation, blockchain-based payload hosting, CDN abuse, and proxy execution, ClearFake represents a sophisticated threat that challenges traditional defensive postures.

Security teams must anticipate these advanced tactics and deploy both technical controls and user awareness initiatives to detect and mitigate such stealthy threats. Only a multi-layered defense strategy can keep pace with the evolving threat landscape that ClearFake exemplifies.