A threat actor known as TA571 and the ClearFake activity cluster have been observed employing an innovative social engineering technique designed to manipulate users into executing malicious PowerShell scripts and infecting victim devices with malware.
The technique, detailed by Proofpoint researchers, involves directing users to copy and paste malicious PowerShell scripts that lead to the deployment of various malicious tools, including DarkGate, Matanbuchus, NetSupport, and several information stealers.
Regardless of whether the initial campaign starts via malicious spam (malspam) or web browser injects, the technique follows a similar pattern. Users are presented with a pop-up message displaying an error while trying to open a document or webpage. Instructions are then provided to copy and paste a script into either the PowerShell terminal or the Windows Run dialog box, triggering the execution of the malicious script.
Proofpoint first observed TA571 employing this technique in March 2024, and the ClearFake cluster began using it in early April. ClearFake campaigns involve compromising legitimate websites with malicious HTML and JavaScript, presenting users with fake browser update prompts.
When users visit a compromised site, an injection loads a malicious script hosted on the blockchain via Binance's Smart Chain contracts, a method known as "EtherHiding." This script loads a second script from a domain that uses Keitaro TDS for filtering. If the victim continues to browse the site, they see a fake warning overlay instructing them to install a "root certificate." Following the instructions leads to executing a PowerShell script.
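A defender-side check for the paste-and-run pattern described above, added here as an illustration and not part of Proofpoint's report: it scans process-creation records with Sysmon Event ID 1 style fields and flags PowerShell started from an interactive parent whose command line carries traits of a pasted lure. The parent-process mapping (Run dialog commands spawned by explorer.exe), the trait list, and the sample records are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumption: a command typed into the Win+R Run dialog is spawned by explorer.exe;
# a paste into an already-open console arrives via a terminal or cmd host.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Heuristic command-line traits of a pasted lure; labels are ours, not Proofpoint's.
SUSPICIOUS_PATTERNS = [
    (r"-(?:e|ec|enc|encodedcommand)\s", "encoded command"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"\b(?:iex|invoke-expression)\b", "invoke-expression"),
    (r"downloadstring|invoke-webrequest|\biwr\b|net\.webclient", "remote download"),
    (r"\bmshta\b", "secondary launcher"),
]

@dataclass
class Finding:
    pid: int
    parent: str
    reasons: list

def analyze(events):
    """Return one Finding per PowerShell process matching the paste-and-run pattern."""
    findings = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        # Non-interactive launches (services, scheduled tasks) belong to other rules.
        if image not in POWERSHELL or parent not in INTERACTIVE_PARENTS:
            continue
        reasons = [label for pat, label in SUSPICIOUS_PATTERNS
                   if re.search(pat, ev["CommandLine"], re.I)]
        if reasons:
            findings.append(Finding(ev["ProcessId"], parent, reasons))
    return findings

# Constructed Sysmon-style records (not real telemetry); the blob is a placeholder.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc BASE64_PLACEHOLDER"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File C:\\Scripts\\inventory.ps1"},
    {"ProcessId": 4201, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -enc BASE64_PLACEHOLDER"},
]
```

Running `analyze(SAMPLE_EVENTS)` flags only PID 4120 (hidden window plus encoded command from explorer.exe); the plain `-File` launch and the non-interactive svchost.exe child are left for other rules.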