Immutable Malice: How the ClearFake Campaign Leverages BSC Smart Contracts for Resilient C2
A recent analysis of the ClearFake campaign reveals a sophisticated evolution in command-and-control (C2) architecture: the use of BNB Smart Chain (BSC) testnet smart contracts to host malicious logic. By moving their operations onto the blockchain, these actors have created a C2 infrastructure that is effectively immune to traditional takedown efforts like domain seizure or hosting provider intervention.
In a conventional malware lifecycle, attackers rely on domains and IP addresses that defenders can sinkhole or block. ClearFake breaks this pattern by embedding malicious JavaScript and stage-two payloads directly within blockchain storage. Because the blockchain is a distributed ledger, this data is replicated across thousands of nodes globally; once written, it cannot be altered or deleted by any central authority.
Furthermore, the choice of the BSC testnet is a strategic move to minimize operational overhead. Testnet tokens carry no real-world monetary value and are readily available, allowing attackers to deploy and iterate on their infrastructure at zero cost.
The Attack Chain: From Injection to On-Chain Retrieval
The infection vector typically begins with a compromised web asset. An attacker injects a base64-encoded JavaScript loader directly into the site’s source code. Unlike traditional loaders that reach out to a suspicious URL to fetch a payload, this loader remains “silent” to network-level security tools. Instead, it initiates a standard eth_call request via JSON-RPC to a specific BSC smart contract.
This method allows the script to retrieve the next-stage payload directly from the blockchain’s state. This bypasses almost all URL-based reputation filtering and DNS-layer security, as there is no external “malicious domain” to flag.
According to TrendAI Research, this represents a significant upgrade over previous “EtherHiding” techniques. While earlier iterations merely stored links to malicious files on the blockchain, ClearFake stores the entire payload on-chain. Once the browser fetches the data, the malicious code executes entirely within the client-side environment.

To increase the “quality” of their targets, the script includes environmental awareness checks. It performs anti-analysis routines to detect sandbox environments and filters traffic originating from localhost or private IP ranges (RFC 1918), ensuring the malware only triggers on genuine user systems.
Social Engineering and Dual-Payload Delivery
Once a victim passes the initial vetting, the campaign utilizes highly targeted social engineering. The payload delivery is bifurcated based on the host operating system:
- Windows Users: These targets are hit with a “ClickFix” overlay—a deceptive prompt designed to mimic a Google reCAPTCHA. This is a sophisticated form of clipboard hijacking, where the user is tricked into running a command that executes the malware.
- macOS Users: These users encounter a tailored version of the lure that instructs them to interact with the Terminal, facilitating the execution of malicious scripts.
The campaign simultaneously deploys two specialized payloads:
- SectopRAT: A .NET-based Remote Access Trojan (RAT) designed for deep browser exploitation. It enables attackers to hijack active sessions in Chrome or Edge, allowing them to bypass multi-factor authentication (MFA) by stealing session tokens.
- ACRStealer: A high-performance C++ utility focused on data exfiltration. It targets sensitive assets including browser credentials, cryptocurrency wallets, messaging app data, and VPN/FTP configurations.

On Windows, the malware often utilizes fileless execution or DLL sideloading to maintain a low profile. On macOS, the infection chain relies on curl-based download and execution sequences.
On-Chain Execution Tracking
Perhaps the most ingenious aspect of this campaign is the use of a fourth smart contract acting as a real-time execution tracker. This contract functions as a ledger of successful infections. By storing victim identifiers (derived from public IP addresses) directly on the blockchain, the attackers can monitor the effectiveness of their campaign without needing a centralized dashboard.
The malware checks this contract before presenting the social engineering lure. If the contract indicates the system has already been infected, the lure is suppressed, preventing redundant infections and reducing the noise that might alert security researchers.

TrendAI identified that all four smart contracts are linked to a single deployer wallet. The longevity of this operation—active from at least May 2025 through May 2026—proves that blockchain-based C2 is a mature, maintained, and highly effective method for long-term persistence.
Defensive Implications
The technical simplicity of these contracts—essentially acting as key-value stores with set and get functions—makes them incredibly easy for attackers to manage. An attacker can update a payload via a single transaction, and every infected node globally will receive the updated instruction instantly.
This evolution marks a fundamental shift in cyber warfare. As threat actors move toward decentralized and immutable platforms, traditional infrastructure-based defense (blocking IPs and domains) is becoming less effective. Defenders must pivot toward behavioral detection, robust endpoint monitoring (EDR), and advanced client-side protections to identify the subtle signs of on-chain communication and post-exploitation activity.