Dark Web Informer - Cyber Threat Intelligence

IOC Alert: ClearFake JavaScript Payload Delivered via Compromised Domain

📖 Overview

A domain associated with the ClearFake JavaScript-based malware campaign has been identified. The domain currently displays a Cloudflare phishing warning and has been reported for malicious activity. ClearFake campaigns are known for distributing malicious scripts that deliver payloads or redirect users to further phishing pages. Confidence is assessed at 100%.


📌 Key Details

  • Type: Domain
  • Indicator: e1mx.fkur8[.]ru
  • Threat Type: Payload Delivery
  • Malware: js.clearfake
  • Confidence: 100%
  • Date: 13 Oct 2025 – 14:20:47 UTC
  • Tags: ClearFake
  • Reporter: anonymous
  • Reference: None

🔎 URLScan Result


📡 Domain & Certificate Info

  • DNS A Records: 172[.]67[.]165[.]142, 104[.]21[.]42[.]196


🛡️ Defensive Guidance

  • Block e1mx.fkur8[.]ru and its associated IPs (172[.]67[.]165[.]142, 104[.]21[.]42[.]196) at DNS, proxy, and endpoint layers.
  • Hunt for signs of ClearFake JavaScript injections, such as script tags referencing external .ru domains or injected HTML code.
  • Monitor for web sessions where users are redirected to fake browser update or security alert pages.
  • Implement web filtering policies to detect and block dynamic JavaScript-based payload delivery mechanisms.
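The following is an added example written for this alert; it is not tooling from Dark Web Informer or from any vendor. It turns the guidance above into two checks an analyst can run offline: a parser that pulls script sources out of a captured page and flags any that resolve to the alert's indicators or to an external .ru host, and a token-level matcher that finds the same indicators in DNS or proxy log lines. Only the Python standard library is used. The indicators are taken from this alert; the sample HTML, the log lines, and the non-IOC host names (www.example.com, cdn.news-widget.ru, static.example.net) are constructed for illustration.

```python
"""Hunt for ClearFake-style script injections and IOC hits in logs.

Added example for this alert (not Dark Web Informer's own tooling).
Uses only the Python standard library. The HTML snippet, log lines and
non-IOC host names below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators from the alert, kept defanged in source and refanged at load time
DEFANGED_IOCS = ["e1mx.fkur8[.]ru", "172[.]67[.]165[.]142", "104[.]21[.]42[.]196"]


def refang(value: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return value.replace("[.]", ".").replace("hxxp://", "http://")


IOCS = {refang(i) for i in DEFANGED_IOCS}


class ScriptTagCollector(HTMLParser):
    """Collect src attributes of <script> tags and count inline scripts."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src.strip())
        else:
            self.inline_scripts += 1


def classify_script_src(src: str, page_host: str) -> str:
    """Label a script source relative to the page that embeds it."""
    host = urlparse(src).hostname  # None for relative paths like /js/app.js
    if host is None or host == page_host.lower():
        return "same-origin"
    if host in IOCS:
        return "ioc-match"          # exact hit on the alert's domain or IPs
    if host.endswith(".ru"):
        return "external-ru"        # the hunt pattern named in the guidance
    return "external"


def hunt_script_injections(html: str, page_host: str) -> list[tuple[str, str]]:
    """Return (src, verdict) for script tags worth an analyst's attention."""
    collector = ScriptTagCollector()
    collector.feed(html)
    flagged = []
    for src in collector.srcs:
        verdict = classify_script_src(src, page_host)
        if verdict in ("ioc-match", "external-ru"):
            flagged.append((src, verdict))
    return flagged


_TOKEN_SPLIT = re.compile(r"""[\s=,;"'()]+""")


def find_ioc_hits(log_lines: list[str]) -> list[str]:
    """Return DNS/proxy log lines that contain an IOC as a whole token."""
    hits = []
    for line in log_lines:
        tokens = {t.lower() for t in _TOKEN_SPLIT.split(line) if t}
        if tokens & IOCS:
            hits.append(line)
    return hits


# Constructed sample input: a page on www.example.com with one injected loader
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://www.example.com/vendor.js"></script>
<script src="https://e1mx.fkur8.ru/loader.js"></script>
<script src="//cdn.news-widget.ru/x.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>"""

# Constructed sample DNS resolver log lines
SAMPLE_DNS_LOG = [
    "2025-10-13T14:21:03Z client=10.0.0.5 query=e1mx.fkur8.ru type=A",
    "2025-10-13T14:21:04Z client=10.0.0.5 query=www.example.com type=A",
    "2025-10-13T14:21:05Z client=10.0.0.9 query=fkur8.ru type=A",
]

if __name__ == "__main__":
    for src, verdict in hunt_script_injections(SAMPLE_HTML, "www.example.com"):
        print(f"{verdict:12} {src}")
    for line in find_ioc_hits(SAMPLE_DNS_LOG):
        print("IOC hit:", line)
```

Run it against saved page captures from a proxy or web crawler and against exported resolver logs. The "external-ru" verdict is deliberately broad, so treat it as a triage queue rather than an alert. On the IP indicators: 172[.]67[.]165[.]142 and 104[.]21[.]42[.]196 fall within Cloudflare's shared proxy ranges, which is consistent with the Cloudflare warning page noted in the overview; many unrelated sites sit behind the same addresses, so an IP-level block at the firewall carries collateral risk, and the domain is the precise indicator to enforce at DNS and proxy layers.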

⚠️ This IOC underscores the persistent activity of ClearFake malware operators, who continue to leverage compromised or newly registered domains to deliver JavaScript payloads under the guise of security or software update warnings.
