
Botnet Trojan delivered through ClickFix and EtherHiding

Medium
Published: Fri Feb 27 2026 (02/27/2026, 09:28:41 UTC)
Source: AlienVault OTX General

Description

A sophisticated phishing campaign impersonating Tesseract OCR was discovered, utilizing typosquatting and ClickFix techniques. The attack chain, named OCRFix, employed multi-stage malware deployments with heavy obfuscation and defense evasion techniques, including EtherHiding. The campaign used BNB Smart Chain TestNet to hide C2 domains through smart contracts. The malware delivery process involved three stages: a loader, a secondary loader for persistence, and a bot listener. The final payload connected to a bot control panel, allowing attackers to manage infected hosts and deploy additional malware. The campaign demonstrated a combination of simple initial access methods with complex delivery chains, highlighting the ongoing effectiveness of techniques like ClickFix and the importance of robust phishing defenses.

AI-Powered Analysis

Last updated: 02/27/2026, 10:14:43 UTC

Technical Analysis

The OCRFix campaign is a multi-stage malware attack delivered through a sophisticated phishing campaign that impersonates the legitimate Tesseract OCR project. Attackers use typosquatting domains closely resembling the legitimate Tesseract OCR domain to trick victims into downloading malicious payloads. The campaign employs ClickFix, a technique that manipulates user clicks to initiate malware downloads, combined with EtherHiding, a novel defense evasion method that leverages the BNB Smart Chain TestNet blockchain to obscure command and control (C2) domains within smart contracts, making detection and takedown more difficult. The malware deployment chain consists of three stages: an initial loader that executes on the victim's machine, a secondary loader that establishes persistence, and a bot listener that connects to a remote control panel. This control panel enables attackers to manage infected hosts, deploy additional malware, and potentially orchestrate botnet activities. The campaign uses heavy obfuscation and anti-analysis techniques to evade detection by traditional security tools. Indicators of compromise include numerous file hashes, suspicious URLs, and typosquatted domains. While no active exploits have been observed in the wild, the campaign's use of blockchain for C2 domain hiding and multi-stage loaders represents an evolution in malware delivery and evasion tactics. The attack chain leverages common phishing methods but combines them with advanced technical mechanisms, underscoring the need for layered defenses.

Potential Impact

This threat poses a medium-level risk with potentially significant impacts on confidentiality, integrity, and availability for affected organizations. Successful infection can lead to unauthorized remote control of compromised systems, enabling attackers to deploy additional malware, exfiltrate sensitive data, or incorporate infected hosts into a botnet for further malicious activities such as distributed denial-of-service (DDoS) attacks or spam campaigns. The use of blockchain-based domain hiding complicates detection and mitigation efforts, potentially prolonging infection duration and increasing operational impact. Organizations with users susceptible to phishing or those lacking robust endpoint detection capabilities are at higher risk. The persistence mechanisms and multi-stage loaders increase the difficulty of complete eradication once infected. Although no known exploits are currently active in the wild, the campaign's sophistication suggests it could be adapted for broader or more damaging attacks, especially targeting organizations relying on OCR technologies or related software. The stealth and evasion techniques may also allow attackers to maintain long-term access, increasing the risk of data breaches and operational disruption.

Mitigation Recommendations

1. Implement advanced phishing defenses including user training focused on recognizing typosquatting domains and suspicious email content.
2. Deploy email filtering solutions that detect and block phishing attempts leveraging typosquatting and ClickFix techniques.
3. Monitor network traffic for connections to suspicious domains and URLs identified in the indicators, especially those related to the BNB Smart Chain TestNet.
4. Utilize endpoint detection and response (EDR) tools capable of identifying multi-stage loaders and obfuscated malware behaviors.
5. Conduct regular threat hunting exercises focusing on the hashes and domains associated with OCRFix to identify potential infections early.
6. Restrict execution of unknown or unsigned binaries and scripts, particularly those downloaded from email or web sources.
7. Employ DNS filtering and domain reputation services to block access to known malicious typosquatted domains.
8. Monitor blockchain activity related to smart contracts used for C2 domain hiding to detect emerging threats.
9. Maintain up-to-date backups and incident response plans to enable rapid recovery if infection occurs.
10. Collaborate with threat intelligence providers to receive timely updates on new indicators and tactics related to this campaign.
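Recommendations 3 and 5 amount to sweeping proxy, DNS and EDR telemetry for the indicators listed further down this page. The following is an added example (not code from the pulse, from AlienVault or from Cyjax) that does exactly that over a few constructed log lines: the domain, URL and hash values are copied from the indicator tables on this page, while the log format, the hostnames (WS-042, the cdn. subdomain), the internal IP addresses and the timestamps are made up for the demonstration. Domain matching covers subdomains of each listed domain, URL matching is exact, and hashes are matched case-insensitively and labelled by length (MD5, SHA-1, SHA-256).

```python
"""Match log lines against the OCRFix indicators listed in the pulse.

Added example, not code from the pulse or from AlienVault/Cyjax. The IoC
values are copied from the page; log lines, hostnames and addresses below
are constructed for this demonstration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Domains, URLs and file hashes exactly as listed in the indicator tables.
# Note: bsc-testnet.publicnode.com is a public BNB testnet RPC endpoint that
# legitimate software may also use, so a hit on it means "review this host",
# not confirmed compromise.
IOC_DOMAINS = {
    "checkpointviewzen.com", "dltruek.com", "dltucra.com", "ldture.com",
    "ldveriz.com", "oklefe.com", "opsecdefcloud.com", "tesseract-ocr.com",
    "bsc-testnet.publicnode.com",
}
IOC_URLS = {
    "http://dltruek.com/data",
    "http://dltruek.com/helpU.php",
    "http://dltruek.com/test.php",
}
IOC_HASHES = {
    "20b8714b6e0f2459a21b8e315b79d290", "3536f953ee2381215ecc1001653b03c2",
    "b5ad76ef744401aa648f56a83e0db00c", "e2d8dac1c3fe671f4244198953759827",
    "4496afeb004df243b656d620f76ffdceef00b345",
    "507e814c39b200b05f596d9569675aeb6c25ab4a",
    "96f2c607aec4432ccc7b762f9927c91ee04fb0e3",
    "af6bbae2933e65d632f4f4624315c00d205bf6f7",
    "c519a422d68e8d93f2b98ecb3fa064398045535e",
    "82220e03c9b50959fda633576869c2744c3d45b77b7638b3e975ecaa5d2a6a64",
    "a6f7210ecc4769228081f0ea8b74d4d4c2b73baff05ec46e87cba996f04d296b",
    "c637ad6ad634f77f83a78302a0bfec8a21afe8f1852b3db262a76202bf118eb1",
    "e1016ff75db679ddb522f7e0e5321525f0dc22e2626b193680ce4389fcfb63ae",
}

# Runs of 64 / 40 / 32 hex characters (SHA-256, SHA-1, MD5 lengths), longest first.
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# Bare hostnames as they appear in DNS logs (no scheme), e.g. query=cdn.example.com
HOST_RE = re.compile(r"\b[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\.[A-Za-z]{2,}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index of the log line
    kind: str      # "domain", "url" or "hash"
    observed: str  # value seen in the log
    matched: str   # indicator it matched (for hashes: "<algorithm>:<hash>")


def hash_algorithm(h: str) -> str:
    """Infer the hash algorithm from the hex length alone."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h), "unknown")


def match_domain(host: str) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_line(line_no: int, line: str) -> List[Hit]:
    hits: List[Hit] = []
    # 1. URLs: exact URL match plus a host match on the URL's hostname.
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")
        if url in IOC_URLS:
            hits.append(Hit(line_no, "url", url, url))
        host = urlparse(url).hostname or ""
        ioc = match_domain(host)
        if ioc:
            hits.append(Hit(line_no, "domain", host, ioc))
    # 2. Bare hostnames, with URLs blanked out so they are not counted twice.
    for host in HOST_RE.findall(URL_RE.sub(" ", line)):
        ioc = match_domain(host)
        if ioc:
            hits.append(Hit(line_no, "domain", host.lower(), ioc))
    # 3. File hashes, compared case-insensitively.
    for h in HASH_RE.findall(line):
        if h.lower() in IOC_HASHES:
            hits.append(Hit(line_no, "hash", h.lower(), f"{hash_algorithm(h)}:{h.lower()}"))
    return hits


def scan_logs(lines: List[str]) -> List[Hit]:
    return [hit for n, line in enumerate(lines, start=1) for hit in scan_line(n, line)]


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per indicator kind."""
    return dict(Counter(h.kind for h in hits))


# Constructed sample telemetry (proxy, DNS and EDR events), not real logs.
SAMPLE_LOGS = [
    '2026-02-27T09:30:01Z proxy src=10.0.0.15 url="http://dltruek.com/helpU.php" status=200',
    '2026-02-27T09:30:02Z dns src=10.0.0.15 query=cdn.tesseract-ocr.com rcode=NOERROR',
    '2026-02-27T09:30:05Z edr host=WS-042 event=process_create '
    'sha256=E1016FF75DB679DDB522F7E0E5321525F0DC22E2626B193680CE4389FCFB63AE',
    '2026-02-27T09:31:10Z proxy src=10.0.0.22 url="https://github.com/tesseract-ocr/tesseract" status=200',
    '2026-02-27T09:32:00Z proxy src=10.0.0.15 url="https://bsc-testnet.publicnode.com/" status=200',
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.observed} -> {hit.matched}")
    print(summarize(scan_logs(SAMPLE_LOGS)))
```

On the sample input the legitimate GitHub URL for the real Tesseract project produces no hit, while the typosquatted cdn.tesseract-ocr.com lookup, the helpU.php fetch, the upper-cased SHA-256 and the testnet RPC connection each do. To run this over real telemetry, replace SAMPLE_LOGS with lines read from your proxy, DNS and EDR exports and keep the indicator sets in sync with the pulse.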


Technical Details

Author: AlienVault
TLP: white
References: https://www.cyjax.com/resources/blog/ocrfix-botnet-trojan-delivered-through-clickfix-and-etherhiding
Adversary: null
Pulse Id: 69a163c992e9afc70efc55d7
Threat Score: null

Indicators of Compromise

Hash

MD5:
20b8714b6e0f2459a21b8e315b79d290
3536f953ee2381215ecc1001653b03c2
b5ad76ef744401aa648f56a83e0db00c
e2d8dac1c3fe671f4244198953759827

SHA-1:
4496afeb004df243b656d620f76ffdceef00b345
507e814c39b200b05f596d9569675aeb6c25ab4a
96f2c607aec4432ccc7b762f9927c91ee04fb0e3
af6bbae2933e65d632f4f4624315c00d205bf6f7
c519a422d68e8d93f2b98ecb3fa064398045535e

SHA-256:
82220e03c9b50959fda633576869c2744c3d45b77b7638b3e975ecaa5d2a6a64
a6f7210ecc4769228081f0ea8b74d4d4c2b73baff05ec46e87cba996f04d296b
c637ad6ad634f77f83a78302a0bfec8a21afe8f1852b3db262a76202bf118eb1
e1016ff75db679ddb522f7e0e5321525f0dc22e2626b193680ce4389fcfb63ae

Url

http://dltruek.com/data
http://dltruek.com/helpU.php
http://dltruek.com/test.php

Domain

checkpointviewzen.com
dltruek.com
dltucra.com
ldture.com
ldveriz.com
oklefe.com
opsecdefcloud.com
tesseract-ocr.com
bsc-testnet.publicnode.com

Threat ID: 69a16a0332ffcdb8a2171d3e

Added to database: 2/27/2026, 9:55:15 AM

Last enriched: 2/27/2026, 10:14:43 AM

Last updated: 2/28/2026, 4:07:05 AM

Views: 30

