Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet
Threat actors used smart contracts on the BNB Smart Chain (BSC) testnet as command-and-control infrastructure, applying the EtherHiding technique so that payload routing lives in contract state rather than on a server that can be taken down. The attack started with JavaScript injected into a compromised Swiss website; that script queried the contracts to retrieve the next-stage payload. Visitors who passed anti-analysis checks were fingerprinted and routed to social engineering overlays. The campaign delivered SectopRAT, a .NET remote access trojan, and ACRStealer, a C++ infostealer targeting credentials and cryptocurrency wallets. Four smart contracts linked to a single deployer wallet indicate a long-running, actively maintained operation. No patch or vendor remediation guidance is available. The campaign itself was observed in the wild against website visitors; it does not depend on exploiting a product vulnerability, so the usual "no known exploits" note does not mean the threat is theoretical.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat uses smart contracts on the BNB Smart Chain testnet as persistent command-and-control (C&C) infrastructure. The operators applied the EtherHiding technique: ClearFake payload routing instructions are stored in contract state, and the injected page script reads them with a plain JSON-RPC read call (an `eth_call`), which needs no transaction, no gas and leaves no on-chain trace of the victim. The testnet is a natural choice for this: deploying and calling contracts there costs nothing, and public RPC endpoints answer read calls from any browser. Because deployed contract code cannot be altered or removed, hosting providers, registrars and CDNs have nothing to take down. What can change is the contract's storage: EtherHiding contracts typically expose an owner-only setter, so whoever holds the deployer key can update the stored routing data without redeploying, which is consistent with the campaign being actively maintained. The initial vector was JavaScript injected into a compromised Swiss website, which queried the contracts to retrieve the malicious payload. Visitors who passed anti-analysis checks were fingerprinted by operating system and redirected to platform-specific ClickFix social engineering overlays, which talk the user into pasting and running a command themselves. The malware deployed was SectopRAT, a .NET remote access trojan capable of browser session hijacking, and ACRStealer, a C++ infostealer targeting credentials and cryptocurrency wallets. An on-chain execution tracker gave the operators real-time confirmation of compromise. Four contracts deployed from the same wallet, the oldest nearly a year old, point to a sustained and actively maintained campaign. No official patch or remediation is documented.
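To make the retrieval step concrete, here is an added example (written for this page; it is not code from the Trend Micro report, the AlienVault pulse or the campaign itself) showing what an EtherHiding read looks like on the wire: the page script sends an `eth_call` JSON-RPC request to a public node, the node returns an ABI-encoded `string`, and the script decodes it and follows whatever URL it contains. The sample request and response are constructed; the all-0x11 contract address and the `0xabababab` selector are placeholders, not indicators from the campaign. The same decoder works on request/response pairs captured from a proxy or browser devtools.

```python
import json
import re

# EVM chain IDs are a public convention: 56 is BNB Smart Chain mainnet, 97 is the BSC testnet.
BSC_TESTNET_CHAIN_ID = 97
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def abi_encode_string(text: str) -> str:
    """ABI-encode a single dynamic `string` the way a contract getter returns it:
    one 32-byte head word holding the offset (0x20), then a 32-byte length word,
    then the UTF-8 bytes right-padded to a multiple of 32."""
    data = text.encode("utf-8")
    pad = (32 - len(data) % 32) % 32
    body = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + data + b"\x00" * pad
    return "0x" + body.hex()


def abi_decode_string(hex_result: str) -> str:
    """Inverse of abi_encode_string; raises on malformed input instead of returning garbage."""
    raw = bytes.fromhex(hex_result[2:] if hex_result.startswith("0x") else hex_result)
    if len(raw) < 64:
        raise ValueError("eth_call result too short for an ABI string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("ABI offset points past end of result")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    data = raw[offset + 32:offset + 32 + length]
    if len(data) != length:
        raise ValueError("ABI string truncated")
    return data.decode("utf-8")


def inspect_rpc_exchange(request_body: str, response_body: str, chain_id: int) -> dict:
    """Given the JSON-RPC request a page script sent and the node's reply, report which
    contract and function were read and whether the reply carries a URL (payload routing).
    chain_id comes from the RPC endpoint the request was sent to; the body does not carry it."""
    req = json.loads(request_body)
    resp = json.loads(response_body)
    finding = {"method": req.get("method"), "chain_id": chain_id,
               "testnet": chain_id == BSC_TESTNET_CHAIN_ID,
               "to": None, "selector": None, "decoded": None, "urls": [], "suspicious": False}
    if finding["method"] != "eth_call":
        return finding
    call = req["params"][0]
    finding["to"] = call.get("to", "").lower()
    finding["selector"] = call.get("data", "")[:10]  # "0x" + 4-byte function selector
    try:
        finding["decoded"] = abi_decode_string(resp.get("result", "0x"))
    except (ValueError, UnicodeDecodeError):
        return finding  # not a string return; nothing to decode here
    finding["urls"] = URL_RE.findall(finding["decoded"])
    # A contract read that hands a browser a URL to load is the EtherHiding signature;
    # eth_call is a free read, so there is no transaction from the victim to look for on-chain.
    finding["suspicious"] = bool(finding["urls"])
    return finding


# Constructed sample exchange. Address, selector and URL are placeholders, not campaign indicators.
SAMPLE_REQUEST = json.dumps({
    "jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": "0x" + "11" * 20, "data": "0xabababab"}, "latest"],
})
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": abi_encode_string("https://cdn.example.invalid/loader.js"),
})

if __name__ == "__main__":
    print(json.dumps(inspect_rpc_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE, BSC_TESTNET_CHAIN_ID), indent=2))
```

The `testnet` flag is derived from the chain ID of the endpoint the request went to, which you know from the RPC URL in your proxy log; a read returning a URL is suspicious on any chain, the testnet just makes it free for the operator.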
Potential Impact
The threat gives the operators command-and-control infrastructure that cannot be taken down by the usual hosting, registrar or CDN abuse channels, because the routing data lives in blockchain contract state. It delivers two malware families at once: a remote access trojan able to hijack browser sessions and an infostealer that harvests credentials and cryptocurrency wallets. Victims are fingerprinted and shown platform-specific social engineering overlays, which raises the success rate of the ClickFix step and with it the risk of credential theft and session hijacking. The long-running nature of the operation means ongoing risk to visitors of compromised websites; ordinary blockchain users are not the target, the chain is only the delivery channel.
Mitigation Recommendations
No official patch or remediation guidance is available for this threat, and since the command-and-control data is stored in blockchain smart contracts, takedown of the C&C itself is not feasible. Defenders should therefore work the parts of the chain they do control. Website owners: locate and remove the injected JavaScript, rotate CMS, FTP and hosting credentials, and add a Content Security Policy plus file integrity monitoring so a re-injection is caught early. Network and endpoint teams: block the listed domains, and alert on browser-originated JSON-RPC traffic (in particular `eth_call` requests) to public blockchain RPC endpoints from users who have no web3 business need, since the loader cannot fetch its payload without that read. For the ClickFix step, watch for shells, PowerShell or mshta spawned from explorer.exe shortly after a Run dialog, and review the Windows RunMRU registry history during triage. Hunt for the SectopRAT and ACRStealer hashes below (three samples, each given as SHA256, MD5 and SHA1) and brief users on ClickFix-style overlays that ask them to paste a command. Check the Trend Micro reference below for updates.
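The following added example (not from the Trend Micro report or the AlienVault pulse) is the sweep a SOC analyst would run with this page's indicators: it walks DNS, proxy and EDR log lines, normalises hostnames (case, trailing dot, subdomains of a listed apex) and hash case, and reports which indicator matched on which line. The log lines are constructed for the example. Note that the published list does not separate attacker-controlled domains from the compromised website that served the injected script, so a domain hit is a triage lead rather than a verdict.

```python
import re
from urllib.parse import urlparse

# Indicators as published on this page (duplicates removed).
IOC_DOMAINS = {
    "afraid.veloitall.cfd", "root-cul.xamir3on.lat", "ohn.stainedunstitch.work",
    "getcfgs.qen9varol.lat", "ootid.srv-auth-dlt-msh.in.net", "put34b.camp",
    "ren.trytoken.life", "www.badischwaendi.ch",
}
IOC_HASHES = {
    "46add4a5fb2da6fe12759a06fe1c6bc43e987da3ea7c28bff0a7f2a349088f0d",
    "9c235a84d15087719e59c09f41d43e3574de4544d490aab619184a7d65b02910",
    "a5691a4fc69faa4f0fe08f12347783e1dde3c617552be7efd1c5ed89a793e885",
    "4d63c25457d3d5bd37bcf7c3d10154e6", "6691ffa5af2d4d3b3dea04e69185a79d",
    "7405da969d14833a77b4049b3b6a39b9", "0eb9241b1530549c258537d647d2723879508778",
    "4f72551703b84ae70b0837a97523c66b21c538e6", "b654603260e52faefd9b5b1aad1ca4bd233f9167",
}

# Longest form first so a SHA256 is never picked up as a shorter hash.
HASH_RE = re.compile(r"\b([0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)
KV_RE = re.compile(r"(\w+)=(\S+)")  # key=value tokens as in the constructed logs below
HOST_KEYS = {"query", "host", "sni"}


def normalize_domain(name: str) -> str:
    """DNS logs often carry the trailing dot and mixed case; indicators are bare lowercase."""
    return name.strip().rstrip(".").lower()


def hostname_from_field(key: str, value: str) -> str:
    if key == "url":
        return urlparse(value).hostname or ""
    if key in HOST_KEYS:
        return value
    return ""


def match_domain(host: str):
    """Exact match, or a subdomain of a listed apex; returns the matching indicator or None."""
    host = normalize_domain(host)
    for ioc in sorted(IOC_DOMAINS):
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def sweep_line(line: str):
    hits = []
    for key, value in KV_RE.findall(line):
        host = hostname_from_field(key, value)
        if host:
            ioc = match_domain(host)
            if ioc:
                hits.append(("domain", ioc))
    for digest in HASH_RE.findall(line):
        if digest.lower() in IOC_HASHES:
            hits.append(("hash", digest.lower()))
    return hits


def sweep(lines):
    """Return one record per indicator hit: which line, which indicator type, which value."""
    results = []
    for number, line in enumerate(lines, 1):
        for kind, ioc in sweep_line(line):
            results.append({"line": number, "type": kind, "indicator": ioc})
    return results


# Constructed sample log lines (DNS, proxy, EDR); client addresses and paths are made up.
SAMPLE_LOG_LINES = [
    "2026-05-27T14:03:32Z dns client=10.0.0.12 query=AFRAID.VELOITALL.CFD. type=A",
    "2026-05-27T14:03:33Z proxy client=10.0.0.12 method=GET url=https://getcfgs.qen9varol.lat/cfg.json status=200",
    "2026-05-27T14:03:40Z proxy client=10.0.0.15 method=GET url=https://www.example.com/ status=200",
    "2026-05-27T14:04:01Z dns client=10.0.0.12 query=x.put34b.camp. type=A",
    "2026-05-27T14:05:10Z edr client=10.0.0.12 event=file_create path=C:\\Users\\u\\AppData\\Local\\Temp\\setup.exe md5=4d63c25457d3d5bd37bcf7c3d10154e6",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG_LINES):
        print(hit)
```

Feed it real exports by replacing `SAMPLE_LOG_LINES` with a file read; the key=value parser is deliberately simple, so adapt `hostname_from_field` to whatever field names your DNS and proxy logs actually use.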
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.trendmicro.com/en_us/research/26/e/smart-contracts-for-command-and-control.html
- Adversary: not specified
- Pulse Id: 6a15ba2632bd7e246e9c1250
- Threat Score: not specified
Indicators of Compromise
Domain
| Value | Description |
|---|---|
| afraid.veloitall.cfd | — |
| root-cul.xamir3on.lat | — |
| ohn.stainedunstitch.work | — |
| getcfgs.qen9varol.lat | — |
| ootid.srv-auth-dlt-msh.in.net | — |
| put34b.camp | — |
| ren.trytoken.life | — |
| www.badischwaendi.ch | — |
Hash
| Value | Description |
|---|---|
| 46add4a5fb2da6fe12759a06fe1c6bc43e987da3ea7c28bff0a7f2a349088f0d | SHA256 |
| 9c235a84d15087719e59c09f41d43e3574de4544d490aab619184a7d65b02910 | SHA256 |
| a5691a4fc69faa4f0fe08f12347783e1dde3c617552be7efd1c5ed89a793e885 | SHA256 |
| 4d63c25457d3d5bd37bcf7c3d10154e6 | MD5 of 46add4a5fb2da6fe12759a06fe1c6bc43e987da3ea7c28bff0a7f2a349088f0d |
| 6691ffa5af2d4d3b3dea04e69185a79d | MD5 of a5691a4fc69faa4f0fe08f12347783e1dde3c617552be7efd1c5ed89a793e885 |
| 7405da969d14833a77b4049b3b6a39b9 | MD5 of 9c235a84d15087719e59c09f41d43e3574de4544d490aab619184a7d65b02910 |
| 0eb9241b1530549c258537d647d2723879508778 | SHA1 of a5691a4fc69faa4f0fe08f12347783e1dde3c617552be7efd1c5ed89a793e885 |
| 4f72551703b84ae70b0837a97523c66b21c538e6 | SHA1 of 9c235a84d15087719e59c09f41d43e3574de4544d490aab619184a7d65b02910 |
| b654603260e52faefd9b5b1aad1ca4bd233f9167 | SHA1 of 46add4a5fb2da6fe12759a06fe1c6bc43e987da3ea7c28bff0a7f2a349088f0d |
Threat ID: 6a16f9b4e29bf47b50c0d5fe
Added to database: 5/27/2026, 2:03:32 PM
Last enriched: 5/27/2026, 3:21:26 PM
Last updated: 5/27/2026, 3:22:11 PM
Views: 34