ClearFake Campaign Uses Smart Contracts for C&C on BSC Testnet
Severity: High (Score: 70.5)
Sources: Feeds.Trendmicro, labs.guard.io, thehackernews.com, Trendmicro
Keywords: smart, contracts, clearfake, testnet, chain, plain, sight
Summary
In May 2026, TrendAI™ Research reported on an intrusion involving the ClearFake campaign, in which threat actors used the EtherHiding technique to deliver payloads via smart contracts on the BNB Smart Chain testnet. Storing routing instructions inside immutable blockchain contracts makes them resistant to takedown efforts. The attack culminated in the deployment of two stealers, SectopRAT and ACRStealer, alongside an on-chain execution tracker that recorded victim compromises in real time. JavaScript injected into compromised websites queried these contracts to drive the attack chain. The technique, first documented by Guardz in October 2023, has since been adopted by North Korean state actors, indicating a growing trend toward blockchain-based command-and-control. The analysis found that the entire payload was stored on-chain, so it could be executed directly in victims' browsers without any external hosting. The incident underscores how threat actors are leveraging decentralized technologies.

Key Points:
- ClearFake campaign uses EtherHiding to deliver payloads via BNB Smart Chain smart contracts.
- Two stealers, SectopRAT and ACRStealer, were deployed in this multi-stage attack.
- The technique allows payloads to be stored on-chain, bypassing traditional security measures.
Detailed Analysis
**Impact**

The campaign targeted employees browsing legitimate recreational websites, leading to multi-stage compromises that included credential theft and the deployment of a remote access trojan. The attack affected at least one known organization monitored by TrendAI Vision One™ MDR, with potentially broader exposure because the smart contracts on the BNB Smart Chain testnet are publicly reachable. Data at risk includes browser credentials and potentially sensitive operational information accessed through the deployed stealers SectopRAT and ACRStealer. No specific sectors or geographic regions beyond the victim organization were detailed.

**Technical Details**

The attack used the EtherHiding technique, embedding full JavaScript payloads within immutable BNB Smart Chain testnet smart contracts to deliver ClearFake malware. Initial access came through a compromised watering-hole website that injected JavaScript querying four distinct smart contracts, all deployed from wallet 0xd71f4cdC84420d2bd07F50787B4F998b4c2d5290. The payload chain culminated in the simultaneous deployment of SectopRAT and ACRStealer and of an on-chain execution tracker that confirmed victim compromise in real time. No CVEs or traditional exploit details were provided; the attack relied on blockchain-based C&C and client-side execution.

**Recommended Response**

Defenders should monitor for JavaScript injection on websites, especially those serving recreational content, and inspect client-side calls to BNB Smart Chain testnet contracts for anomalous eth_call requests. Deploy detections for SectopRAT and ACRStealer indicators and restrict browser credential access where possible. Harden web filtering to detect script-based C&C that does not rely on URLs, and monitor blockchain addresses associated with the deployer wallet. No patch or CVE mitigation applies; focus on behavioral detection and network monitoring.
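The recommended response above asks defenders to look for anomalous eth_call requests from browser sessions to BSC testnet RPC endpoints. The following Python triage routine is an added example, not code from the Trend Micro report or from the ClearFake analysis. It assumes proxy or CASB records that capture the JSON-RPC request and response bodies (a record shape of `host`, `request`, `response` is an assumption), uses the RPC host named in this page as its watch set, and decodes the ABI-encoded string a contract returns to check whether it looks like JavaScript. The contract address and the function selector in the sample records are constructed placeholders; the page names only the deployer wallet, not the contracts.

```python
"""
Defender-side triage of proxy records for EtherHiding-style traffic: a web page
issuing eth_call JSON-RPC requests to a public BNB Smart Chain testnet endpoint,
with the contract's return value decoded and checked for script-like content.
Added example, not code from the Trend Micro report; the records are constructed.
"""
import json
import re

# RPC host named in the report; extend with other testnet endpoints as needed.
BSC_TESTNET_RPC_HOSTS = {"bsc-testnet-rpc.publicnode.com"}

# Heuristic markers for JavaScript carried inside an ABI-encoded string result.
SCRIPT_MARKERS = re.compile(r"<script|document\.|window\.|eval\(|atob\(", re.I)


def abi_encode_string(text: str) -> str:
    """ABI-encode one string return value (offset word, length word, padded bytes).
    Used here only to build the constructed sample response."""
    data = text.encode()
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + head.hex() + padded.hex()


def decode_abi_string(hexdata: str):
    """Decode an ABI-encoded string result; None if the layout is inconsistent."""
    try:
        raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    except ValueError:
        return None
    if len(raw) < 64:
        return None
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        return None
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        return None
    return raw[start:start + length].decode("utf-8", errors="replace")


def triage_record(record: dict):
    """Return a finding for one proxy record, or None if nothing is anomalous.
    Assumed record shape: {"host": ..., "request": <JSON-RPC>, "response": <JSON-RPC>}."""
    host = record.get("host", "").lower()
    try:
        req = json.loads(record.get("request", ""))
        resp = json.loads(record.get("response", "") or "{}")
    except ValueError:
        return None
    calls = req if isinstance(req, list) else [req]        # JSON-RPC batch or single
    replies = resp if isinstance(resp, list) else [resp]
    results = {r.get("id"): r.get("result") for r in replies if isinstance(r, dict)}
    for call in calls:
        if not isinstance(call, dict) or call.get("method") != "eth_call":
            continue
        params = call.get("params") or [{}]
        target = str(params[0].get("to", "")).lower() if isinstance(params[0], dict) else ""
        finding = {"host": host, "to": target, "severity": "low", "reasons": []}
        if host in BSC_TESTNET_RPC_HOSTS:
            finding["severity"] = "medium"
            finding["reasons"].append("eth_call from browser session to BSC testnet RPC")
        decoded = decode_abi_string(str(results.get(call.get("id"), "") or ""))
        if decoded and SCRIPT_MARKERS.search(decoded):
            finding["severity"] = "high"
            finding["reasons"].append("contract return value decodes to script-like text")
        if finding["reasons"]:
            return finding
    return None


# Constructed sample records (not real traffic). The contract address and the
# 4-byte selector are placeholders, not indicators from the report.
CONSTRUCTED_CONTRACT = "0x" + "00" * 18 + "c0de"
SAMPLE_RECORDS = [
    {"host": "api.example.com",
     "request": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "getProfile", "params": []}),
     "response": json.dumps({"jsonrpc": "2.0", "id": 1, "result": {"name": "x"}})},
    {"host": "bsc-testnet-rpc.publicnode.com",
     "request": json.dumps({"jsonrpc": "2.0", "id": 7, "method": "eth_call",
                            "params": [{"to": CONSTRUCTED_CONTRACT, "data": "0x12345678"}, "latest"]}),
     "response": json.dumps({"jsonrpc": "2.0", "id": 7,
                             "result": abi_encode_string("<script>console.log('constructed')</script>")})},
]


def triage_all(records):
    """Run triage over a batch of records and keep only the findings."""
    return [f for f in (triage_record(r) for r in records) if f]


if __name__ == "__main__":
    for finding in triage_all(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

The host match alone is only medium severity because legitimate dApp traffic also issues eth_call; the decoded return value carrying script markers is what raises a record to high. Addresses surfaced this way can then be pivoted on in BSCScan against the deployer wallet listed on this page.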
Source articles (4)
- Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet — Feeds.Trendmicro · 2026-05-26
  TrendAI™ Research analyzed an intrusion where threat actors used the EtherHiding technique to route ClearFake payload delivery through smart contracts on the BNB Smart Chain testnet. The attack chain…
- Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet — Trendmicro · 2026-05-26
  TrendAI™ Research analyzed an intrusion where threat actors used the EtherHiding technique to route ClearFake payload delivery through smart contracts on the BNB Smart Chain testnet. The attack chain…
- Etherhiding Hiding Web2 Malicious Code In Web3 Smart Contracts 65ea78efad16 — labs.guard.io · 2026-05-26
  “EtherHiding” presents a novel twist on serving malicious code by utilizing Binance’s Smart Chain contracts to host parts of a malicious code chain in what is the level of Bullet-Proof Hosting. Over t…
- North Korean Hackers Use Etherhiding To — thehackernews.com · 2026-05-26
Timeline
- 2023-10-01 — EtherHiding technique documented: Guardz reported on the EtherHiding technique, enabling payload delivery through smart contracts.
- 2025-10-01 — North Korean actors adopt EtherHiding: Google confirmed that North Korean state actors began using the EtherHiding technique for cyber operations.
- 2026-05-26 — TrendAI Research analyzes ClearFake intrusion: TrendAI reported on the ClearFake campaign using smart contracts for payload delivery on the BSC testnet.
Related entities
- Unc5342 (Apt Group)
- Malware (Attack Type)
- Phishing (Attack Type)
- Trojan (Attack Type)
- ClearFake (Malware)
- ACRStealer (Malware)
- Amadey (Malware)
- Lumma (Malware)
- RedLine (Malware)
- SecTopRAT (Malware)
- address.it (Domain)
- blockchain.it (Domain)
- bsc-testnet-rpc.publicnode.com (Domain)
- ip-info.ff.avast.com (Domain)
- mc.yandex.ru (Domain)
- registry.npmjs.org (Domain)
- 0xd71f4cdC84420d2bd07F50787B4F998b4c2d5290 (Eth)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1055 - Process Injection (Mitre Attack)
- T1056 - Input Capture (Mitre Attack)
- T1059.004 - Unix Shell (Mitre Attack)
- T1059.006 - Python (Mitre Attack)
- T1059.007 - JavaScript (Mitre Attack)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1189 - Drive-by Compromise (Mitre Attack)
- T1555.003 - Credentials From Web Browsers (Mitre Attack)
- T1574 - Hijack Execution Flow (Mitre Attack)
- Binance (Company)
- Ethereum (Company)
- Cloudflare (Company)
- BNB Smart Chain (Platform)
- MacOS (Platform)
- Solidity (Platform)
- Windows (Platform)
- WordPress (Platform)
- Binance Smart Chain (Platform)
- Cloudflare Workers (Platform)
- Google Chrome (Tool)
- BSCScan (Tool)
- Curl (Tool)
- Python (Tool)
- Rundll32 (Tool)