TrendAI Research described an EtherHiding campaign that used BNB Smart Chain testnet smart contracts to deliver ClearFake payloads and route victims to Windows and macOS-specific stages. The attack ended with SectopRAT and ACRStealer deployment and used an on-chain execution tracker to confirm compromises in real time. #EtherHiding #ClearFake #SectopRAT #ACRStealer #BNBSmartChain
Keypoints
- Threat actors hid ClearFake payload-routing logic inside BNB Smart Chain testnet smart contracts using EtherHiding.
- The blockchain-based delivery chain was immutable, decentralized, and free to operate on the testnet, making takedown difficult.
- Stage 1 used injected JavaScript on a compromised WordPress site to query Smart Contract A via eth_call and retrieve the next payload.
- Anti-analysis checks blocked headless browsers, localhost/private IP ranges, and sandbox-like environments before payload routing continued.
- Windows victims received a ClickFix overlay that led to clipboard-based command execution, remote DLL loading, and browser credential theft activity.
- macOS victims were routed to a separate payload that used a bash one-liner, spoofed a macOS user agent, and added Yandex Metrika tracking.
- The campaign deployed SectopRAT and ACRStealer, while Smart Contract D recorded victim execution confirmations on-chain in real time.
MITRE Techniques
- [T1059.007 ] JavaScript â Used as the initial injected loader and blockchain query mechanism in the compromised website (âan injected JavaScript loader into compromised websitesâ and âthe injected JavaScript on compromised websites queried these contractsâ).
- [T1027 ] Obfuscated Files or Information â The Stage 1 script used string-array rotation and runtime shuffling to hide its logic (âThe obfuscation uses a standard anti-static-analysis techniqueâ).
- [T1497.001 ] Virtualization/Sandbox Evasion: System Checks â The script checked for headless browsers, automation frameworks, and zero-sized windows to avoid analysis (ânavigator.webdriver === trueâ, âHeadlessChromeâ, âPuppeteerâ, âPlaywrightâ).
- [T1036 ] Masquerading â The malware used a fake Google reCAPTCHA/ClickFix overlay and blended FileZilla-like paths to appear legitimate (âa convincing Google reCAPTCHA lookalikeâ and âchosen to blend with the legitimate FileZilla FTP clientâ).
- [T1105 ] Ingress Tool Transfer â Payloads and scripts were fetched from smart contracts and remote URLs (âretrieve and route victims to the next stageâ and âdownloads and executes a remote shell script via curlâ).
- [T1115 ] Clipboard Data â The overlay injected commands into the victim clipboard via navigator.clipboard.writeText() (âto inject the command into the victimâs clipboardâ).
- [T1204.002 ] User Execution: Malicious File â The victim had to interact with the fake verification flow and execute a clipboard-sourced command (âpress Enter on your keyboard to finishâ and âthe victim opened the Run dialog and executed the clipboard commandâ).
- [T1055 ] Process Injection â rundll32.exe injected remote threads into browser processes for credential theft (âinjecting remote threads into chrome.exe and msedge.exeâ).
- [T1218.011 ] Signed Binary Proxy Execution: Rundll32 â rundll32.exe was used to host the payload and drive browser injection (ârundll32.exe process (hosting the put34b.camp payload)â).
- [T1071.001 ] Web Protocols â The campaign used JSON-RPC/eth_call over HTTP(S) to query blockchain contracts (âeth_callâ, âa JSON-RPC methodâ, âconstructs an eth_call JSON-RPC requestâ).
Indicators of Compromise
- [Smart contract addresses] Blockchain payload and tracker contracts â 0xA1decFB75C8C0CA28C10517ce56B710baf727d2e, 0x46790e2Ac7F3CA5a7D1bfCe312d11E91d23383Ff, and other 2 items.
- [Wallet address] Shared deployer wallet for all four contracts â 0xd71f4cdC84420d2bd07F50787B4F998b4c2d5290.
- [Domain / RPC endpoint] BNB Smart Chain testnet query endpoint used by the injected loader â bsc-testnet-rpc.publicnode[.]com, ip-info.ff.avast[.]com.
- [File names] Dropped payloads and helper components on Windows and macOS â put34b.camp, helper.py, and other 2 items.
- [URLs / network destinations] Secondary download and telemetry destinations observed from the Python payload â api.github[.]com, registry.npmjs[.]org, and other 2 items.
- [Transaction hashes] On-chain contract activity and execution tracker events â tx 0x029adddb5a03f16ffbe2907d17b36cb4032850f7856d9d38d3d9aba7ec3e2857.
Read more: https://www.trendmicro.com/en_us/research/26/e/smart-contracts-for-command-and-control.html