
The technique shows how trusted Windows components can be weaponized to evade security tools, raising enterprise risk, while blockchain‑backed C2 complicates takedown efforts and forces new defensive controls.
The latest ClearFake variant illustrates a growing trend: threat actors abuse trusted Windows utilities to slip past endpoint detection. SyncAppvPublishingServer.vbs, a Microsoft-shipped script in System32 used for App-V publishing, builds a PowerShell command line from its own argument without sanitizing it, so a semicolon in that argument lets an attacker append arbitrary PowerShell. ClearFake exploits this command-injection flaw to launch PowerShell with a hidden window, avoiding the alerts typically triggered by direct calls to powershell.exe or mshta.exe. Because the proxy is a legitimately signed Microsoft component, signature-based defenses cannot separate this launch from normal App-V activity on the basis of the script alone; the telling details are the semicolon in the argument and the script-host-to-PowerShell process chain.
Beyond the local execution trick, ClearFake's command-and-control infrastructure is anchored in blockchain technology, a strategy often dubbed EtherHiding. Smart contracts on the BNB Smart Chain testnet store Base64-encoded payloads; infected hosts read them with ordinary contract calls through public JSON-RPC endpoints, which require no wallet and no transaction fee, then decode and execute them. Because the contract state lives on a decentralized chain rather than on a server anyone can seize, takedown requests to traditional hosting providers are ineffective, and the operators can swap payloads by updating the contract while the retrieval logic on victims stays unchanged. That resilience lets the campaign serve a diverse portfolio of secondary malware to its rented traffic network.
Defending against this hybrid threat requires a layered approach. Organizations should block unnecessary Web3 RPC endpoints at the egress proxy, enforce strict allow-lists for scripts like SyncAppvPublishingServer.vbs, and monitor for wscript.exe or cscript.exe launching that script with an argument containing a semicolon, as well as powershell.exe spawned as a child of a script host. PowerShell execution policies can be tightened for non-administrative users, but execution policy is a usability guard, not a security boundary, and a proxy script that supplies its own execution-policy flag sidesteps it; application control (AppLocker or WDAC) and Constrained Language Mode are the controls that actually constrain what the spawned PowerShell can do. Security awareness training must highlight the danger of unsolicited CAPTCHA challenges that ask the user to paste commands into the Run dialog. By combining network-level controls with endpoint hardening and user education, enterprises can disrupt both the proxy execution vector and the blockchain-based C2 pipeline.
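The two endpoint detections described above, as an added example rather than code from the ClearFake research: it scans process-creation events (Sysmon Event ID 1 or EDR style) for a script host launching SyncAppvPublishingServer.vbs with a semicolon in its argument, and for PowerShell whose parent process is wscript.exe or cscript.exe. The event field names, the sample telemetry, and the exact command line the .vbs builds are assumptions constructed for the demonstration.

```python
"""Detect SyncAppvPublishingServer.vbs proxy execution in process-creation telemetry.

Added example; not code from the article or from ClearFake. Field names
(pid, ppid, image, cmdline) and the sample events are assumptions.
"""
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
TARGET_SCRIPT = "syncappvpublishingserver.vbs"

# Constructed sample telemetry, not captured from a real host.
#   2200: benign use of the script (argument without a semicolon)
#   4120: proxy-execution launch with an injected command after ';'
#   4188: hidden PowerShell the script spawns (command line approximated)
#   5000: ordinary PowerShell from explorer.exe, must not fire
SAMPLE_EVENTS = [
    {"pid": 3312, "ppid": 800, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 2200, "ppid": 3312, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n"'},
    {"pid": 4120, "ppid": 3312, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; Start-Process notepad"'},
    {"pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy ByPass -NoProfile -Command "Sync-AppvPublishingServer n; Start-Process notepad"'},
    {"pid": 5000, "ppid": 3312,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Get-Process"'},
]


def image_name(path: str) -> str:
    """Lower-case file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def syncappv_argument(cmdline: str) -> str:
    """Text passed to SyncAppvPublishingServer.vbs, or '' if it is not on the command line."""
    idx = cmdline.lower().find(TARGET_SCRIPT)
    if idx < 0:
        return ""
    return cmdline[idx + len(TARGET_SCRIPT):].strip()


def check_event(ev: dict, by_pid: Dict[int, dict]) -> List[str]:
    """Return the detection names that fire for one process-creation event."""
    hits: List[str] = []
    image = image_name(ev["image"])
    # Rule 1: script host running the .vbs with ';' in the argument, the injection point.
    if image in SCRIPT_HOSTS and ";" in syncappv_argument(ev["cmdline"]):
        hits.append("syncappv_semicolon_injection")
    # Rule 2: PowerShell whose parent is a script host, the hidden child the .vbs spawns.
    if image in POWERSHELL:
        parent = by_pid.get(ev["ppid"])
        if parent is not None and image_name(parent["image"]) in SCRIPT_HOSTS:
            hits.append("powershell_spawned_by_script_host")
    return hits


def scan(events: List[dict]) -> Dict[int, List[str]]:
    """Map pid -> fired detections for every event that matched at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits = check_event(ev, by_pid)
        if hits:
            findings[ev["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Rule 1 alone catches the launch even when the child PowerShell is not logged; rule 2 alone catches a variant that hides the semicolon behind quoting or a different script, so both are worth keeping. Tune rule 2 against your environment's legitimate App-V publishing runs, which will also show a script-host parent, by adding the expected argument shape to the allow-list.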