New ClearFake Campaign Leveraging Proxy Execution to Run PowerShell Commands via Trusted Window Feature

   January 22, 2026  Posted in CyberSecurityNews

New ClearFake Campaign Leveraging Proxy Execution to Run PowerShell Commands via Trusted Window Feature

ClearFake has entered a new and more dangerous phase, turning a familiar fake CAPTCHA scam into a highly evasive malware delivery chain.

Across hundreds of hacked websites, visitors now see what looks like a routine verification challenge, but behind the scenes the page is preparing to launch hidden code.

Victims only need to follow simple keyboard steps, such as pressing Win + R and paste, for the attack to begin.

This ClearFake wave matters because it blends social engineering with so‑called living off the land tactics, abusing tools already built into Windows as a trusted Windows feature instead of dropping obvious malware files.

By shifting its infrastructure onto blockchain smart contracts and a popular content delivery network, the operation also avoids many domain and IP blocklists that defenders rely on.

Expel analysts and researchers identified this latest evolution while tracking ClearFake’s JavaScript framework across compromised sites and examining the new loader stages.

google

The team linked the campaign to a traffic distribution system that has likely pushed malware to close to 150,000 systems, based on unique IDs stored in a public smart contract visible on the BNB Smart Chain test network.

A graph detailing the number of infections per day since the smart contract was created (Source - Expel)
A graph detailing the number of infections per day since the smart contract was created (Source – Expel)

ClearFake’s operators use the Ethereum‑style contract as a resilient command center, updating encoded JavaScript that infected pages fetch through public Web3 endpoints.

Abusing a Trusted Windows Script for Proxy Execution

This design, combined with hosting later‑stage payloads on jsDelivr, a widely used CDN, means every external touchpoint in the chain sits on services defenders are reluctant to block.

The business impact is clear: a user completing what appears to be a harmless CAPTCHA can unknowingly grant attackers code execution on a trusted corporate endpoint, with little or no trace left on disk.

From there, follow‑on payloads can steal data, deploy additional malware, or provide remote access, all while hiding behind normal‑looking network traffic and legitimate Windows components.

A map detailing the geographical distribution of systems infected in the past week (Source - Expel)
A map detailing the geographical distribution of systems infected in the past week (Source – Expel)

At the heart of the new technique is SyncAppvPublishingServer.vbs, a legitimate script in the Windows System32 folder that ships as part of App‑V management.

After the users click 'I’m not a robot' they’re presented with the social engineering lure (Source - Expel)
After the users click ‘I’m not a robot’ they’re presented with the social engineering lure (Source – Expel)

ClearFake’s fake CAPTCHA instructs users to open the Run dialog, where the clipboard holds a carefully crafted command that passes a malicious argument into this script.

Follow us on Google News, LinkedIn, and X to Get More Instant UpdatesSet CSN as a Preferred Source in Google.

googlenews



Source link