A new malware campaign named ClearFake is turning a routine security verification into a trap, according to Expel’s analysis. The attackers lure visitors with fake CAPTCHA prompts and social engineering techniques, prompting users to press Win + R, then Ctrl + V, and Enter to run a malicious PowerShell command copied to the clipboard.
Rather than executing directly, the malware uses proxy execution to run code via a trusted Windows component, specifically the SyncAppvPublishingServer[.]vbs script, which lets PowerShell run in hidden mode and evade detection. The operation also employs EtherHiding to host payloads on the Binance Smart Chain, storing Base64-encoded JavaScript in smart contracts and retrieving it via public APIs, a takedown-resistant approach described by the researchers.
To further dodge security products, the campaign has started using jsDelivr to host parts of its code, and the infection footprint is sizeable, with nearly 150,000 systems estimated to have been infected since August 2025. According to the January 2026 Expel analysis, the campaign is highly sophisticated and evasive.
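Defenders can hunt for the proxy-execution step described above in process-creation telemetry: a script host (wscript.exe or cscript.exe) launching SyncAppvPublishingServer.vbs, and a PowerShell child of that script host carrying a hidden-window or encoded-command flag. The following is an added example written for this page, not code from Expel's report. It assumes a simplified record layout (image, parent image, command line) standing in for Sysmon Event ID 1 or Windows 4688 fields; the sample events are constructed, with attacker-controlled text replaced by placeholders, and treating an explorer.exe parent as "launched from the Run dialog" is a heuristic assumption rather than a rule from the report.

```python
"""Heuristic detection for ClearFake-style proxy execution through
SyncAppvPublishingServer.vbs, run over constructed process-creation events.

Added example; not part of Expel's analysis. Field names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str   # command line as recorded by the sensor


# Script hosts that can run the .vbs proxy.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# The trusted Windows script abused as a PowerShell launcher.
SYNCAPPV_RE = re.compile(r"syncappvpublishingserver\.vbs", re.IGNORECASE)

# Flags that hide the console or carry an encoded/obfuscated payload.
# Deliberately excludes common benign switches such as -NoProfile.
SUSPICIOUS_FLAGS_RE = re.compile(
    r"(?:-w(?:indowstyle)?\s+hidden|-w\s+h\b|-enc(?:odedcommand)?\b|frombase64string)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of detection labels that apply to one event."""
    findings: list[str] = []
    image = basename(ev.image)
    parent = basename(ev.parent_image)

    # Stage 1: script host invoking the proxy script.
    if image in SCRIPT_HOSTS and SYNCAPPV_RE.search(ev.command_line):
        findings.append("syncappv_proxy_exec")
        if parent == "explorer.exe":
            # Assumption: the Win+R Run dialog is hosted by explorer.exe.
            findings.append("launched_from_run_dialog")

    # Stage 2: PowerShell spawned by the script host.
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        findings.append("powershell_spawned_by_script_host")

    # Either stage: hidden-window or encoded-payload switches.
    if SUSPICIOUS_FLAGS_RE.search(ev.command_line):
        findings.append("hidden_or_obfuscated_flags")

    return findings


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Return (index, findings) for every event that triggers at least one label."""
    return [(i, f) for i, ev in enumerate(events) if (f := classify(ev))]


# Constructed sample telemetry: two malicious-pattern events, two benign ones.
EVENTS = [
    ProcEvent(
        image=r"C:\Windows\System32\wscript.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r'wscript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" "<attacker-supplied argument, placeholder>"',
    ),
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\System32\wscript.exe",
        command_line=r'powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -Command "<constructed placeholder>"',
    ),
    ProcEvent(  # benign admin script, interactive
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
    ),
    ProcEvent(  # benign scheduled VBScript
        image=r"C:\Windows\System32\cscript.exe",
        parent_image=r"C:\Windows\System32\svchost.exe",
        command_line=r"cscript.exe //B C:\scripts\cleanup.vbs",
    ),
]

if __name__ == "__main__":
    for idx, labels in scan(EVENTS):
        print(f"event {idx}: {', '.join(labels)}")
```

In a real deployment the two stages are best correlated by parent process ID so that a script-host launch of SyncAppvPublishingServer.vbs followed by a hidden PowerShell child raises one alert rather than two; the labels here are kept separate so each can be tuned against local baselines (some enterprise App-V management tooling legitimately invokes this script).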