ClearFake Campaign Uses Smart Contracts for C&C on BSC Testnet
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
In May 2026, TrendAI™ Research reported on a cyber intrusion involving the ClearFake campaign, where threat actors utilized the EtherHiding technique to deliver payloads via smart contracts on the BNB Smart Chain testnet. This method allowed for the storage of routing instructions within immutable blockchain contracts, making them resistant to takedown efforts. The attack culminated in the deployment of two stealers, SectopRAT and ACRStealer, alongside an on-chain execution tracker that monitored victim compromises in real time. The injected JavaScript on compromised websites queried these contracts to facilitate the attack. This technique, first documented by Guardz in October 2023, has been adopted by North Korean state actors, indicating a growing trend in blockchain-based command-and-control operations. The analysis highlighted that the entire payload was stored on-chain, allowing for direct execution in victims' browsers without external hosting. The incident underscores the evolving landscape of cyber threats leveraging decentralized technologies.
Key Points: • ClearFake campaign uses EtherHiding to deliver payloads via BNB Smart Chain smart contracts. • Two stealers, SectopRAT and ACRStealer, were deployed in this multi-stage attack. • The technique allows for payloads to be stored on-chain, bypassing traditional security measures.