{
  "name": "Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet",
  "slug": "smart-contracts-for-cc-how-clearfake-hid-in-plain-sight-on-bsc-testnet",
  "description": "Threat actors used the EtherHiding technique to store ClearFake payload routing instructions within smart contracts on the BNB Smart Chain testnet, creating an immutable command-and-control infrastructure that cannot be taken down. The attack began with injected JavaScript on a compromised Swiss website that queried blockchain contracts to deliver malicious payloads. Victims who passed the anti-analysis checks were fingerprinted by operating system and routed to platform-specific ClickFix social engineering overlays. The campaign simultaneously deployed SectopRAT, a .NET-based remote access trojan capable of browser session hijacking, and ACRStealer, a C++ infostealer targeting credentials and cryptocurrency wallets. An on-chain execution tracker confirmed each compromise in real time. Four smart contracts shared a single deployer wallet, with the oldest deployed nearly a year before analysis, indicating a long-running, actively maintained operation.",
  "published": "2026-05-26T13:20:06+00:00",
  "created_at": "2026-05-26T13:20:06+00:00",
  "modified_at": "2026-05-27T11:59:22+00:00",
  "created_at_opencti": "2026-05-26T13:20:06+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-05-26",
    "acrstealer",
    "blockchain c&c",
    "bnb smart chain",
    "clearfake",
    "clickfix",
    "etherhiding",
    "infostealer",
    "sectoprat"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "www.badischwaendi.ch"
      },
      {
        "id": "",
        "name": "46add4a5fb2da6fe12759a06fe1c6bc43e987da3ea7c28bff0a7f2a349088f0d"
      },
      {
        "id": "",
        "name": "9c235a84d15087719e59c09f41d43e3574de4544d490aab619184a7d65b02910"
      },
      {
        "id": "",
        "name": "a5691a4fc69faa4f0fe08f12347783e1dde3c617552be7efd1c5ed89a793e885"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:6058ee6dd9d36156",
        "name": "SectopRAT",
        "slug": "sectoprat"
      },
      {
        "id": "legacy:malware:c7b52cd05ba549b6",
        "name": "ACRStealer",
        "slug": "acrstealer"
      }
    ],
    "attack_patterns": [
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "5c67e5d2-bc85-4ce0-822d-f2f5d3b0ae4e",
        "name": "T1185"
      },
      {
        "id": "cf746a02-00ea-419e-912d-7b03f969c491",
        "name": "T1518.001"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "7dc1bc79-ccad-419e-b7c0-0f7fa8522270",
        "name": "T1055.012"
      },
      {
        "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b",
        "name": "T1059.006"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "0192fd78-09e3-4fe4-a9d3-38a7137e15fa",
        "name": "T1055.002"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "fe6f2946-a01e-460c-9636-8c48b45dd0e6",
        "name": "T1189"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e684b1cc-3ebf-4679-bd3c-c5e540a60a5d",
        "name": "T1056.004"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Switzerland"
      },
      {
        "id": "",
        "name": "ren.trytoken.life"
      },
      {
        "id": "",
        "name": "put34b.camp"
      },
      {
        "id": "",
        "name": "getcfgs.qen9varol.lat"
      },
      {
        "id": "",
        "name": "ohn.stainedunstitch.work"
      },
      {
        "id": "",
        "name": "afraid.veloitall.cfd"
      },
      {
        "id": "",
        "name": "ootid.srv-auth-dlt-msh.in.net"
      },
      {
        "id": "",
        "name": "root-cul.xamir3on.lat"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/6a15ba2632bd7e246e9c1250",
    "https://www.trendmicro.com/en_us/research/26/e/smart-contracts-for-command-and-control.html"
  ]
}