Clearfake

Malware updated 14 days ago (2024-11-08T13:21:38.986Z)

Download STIX

Preview STIX

ClearFake is a malicious software, or malware, that has been identified as a significant threat to cybersecurity. Its primary method of propagation is through fake browser updates, encouraging users to copy and execute harmful PowerShell commands. This deceptive approach enables cybercriminals to infiltrate user devices, often without their knowledge. Once inside the system, ClearFake can steal personal information, disrupt operations, or hold data hostage for ransom. The campaign predominantly targets macOS systems with an information-stealing malware named AMOS. The ClearFake campaign was widely identified in April, compromising legitimate websites with malicious HTML and JavaScript under the guise of browser update activities. This strategy allows it to evade detection and gain unauthorized access to user's systems. The malware has been linked to another malware campaign known as ClickFix. However, according to various analysts, despite some similarities, there are numerous differences between these two campaigns, indicating they are likely separate activity clusters. Furthermore, it's important to note that ClearFake is part of a broader trend of bad actors manipulating red-team tools to evade detection. These tools, typically used by cybersecurity professionals to test system vulnerabilities, are being co-opted for malicious purposes. The increasing sophistication of such tactics underscores the importance of ongoing vigilance and advanced security measures to protect against evolving cybersecurity threats.

Description last updated: 2024-11-05T22:02:48.325Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Amos is a possible alias for Clearfake. AMOS is a malicious software (malware) specifically designed to target macOS systems. First identified in early 2023, it has been associated with campaigns such as the ClearFake campaign, which spread the AMOS information stealer across macOS devices. This malware is particularly dangerous due to it	3
Socgholish is a possible alias for Clearfake. SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsof	3
Atomic Stealer is a possible alias for Clearfake. The Atomic Stealer is a type of malware that poses a significant threat to macOS devices. This malicious software infiltrates systems, often unbeknownst to the user, through suspicious downloads, emails, or websites. Once installed, it has the potential to steal personal information, disrupt operati	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Payload

Chrome

Safari

Macos

Malwarebytes

Wordpress

Scam

PowerShell

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Vextrio Threat Actor is associated with Clearfake. Vextrio, a significant threat actor in the cybercrime landscape, has been uncovered as a major traffic broker for cybercriminals by Check Point Research's January 2024 Most Wanted Malware report. The group operates Vextrio Viper, a Traffic Distribution System (TDS) network established in 2020, which	Unspecified	2

Source Document References

Information about the Clearfake Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	16 days ago	ClickFix Exploits Users with Fake Errors and Malicious Code
DARKReading	a month ago	Fake WordPress Plug-ins Infect Sites With Infostealers
Securityaffairs	3 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs	4 months ago	security-affairs-malware-newsletter-round-5
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 2
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 1
Securityaffairs	5 months ago	Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading	5 months ago	Cut & Paste Tactics Import Malware to Unwitting Victims
Securityaffairs	5 months ago	Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	6 months ago	Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 466 by Pierluigi Paganini
Securityaffairs	8 months ago	Security Affairs newsletter Round 465 by Pierluigi Paganini
Securityaffairs	8 months ago	Security Affairs newsletter Round 464 by Pierluigi Paganini
Securityaffairs	8 months ago	Security Affairs newsletter Round 463 by Pierluigi Paganini