ClearFake Malware Campaign Uses Proxy Execution to Run PowerShell

What exactly is this ClearFake malware campaign doing now, and why are security teams, IT pros, and everyday Windows users talking about proxy execution and PowerShell abuse? In late 2025, researchers observed that ClearFake evolved beyond its original web-based bait to include a more deceptive way of running malicious commands on Windows systems.

This new trend uses proxy execution malware techniques and trusted Windows feature abuse to make victims run harmful scripts without typical file artifacts that defenders expect. In simple terms, in the worst-case scenario, users could end up typing or pasting a command that looks safe but secretly hands control over to an attacker.

At its heart,t this development is another step in how attackers use PowerShell malware execution combined with social trickery to get code running in memory. Because it blends with native behavior and hides from traditional checks, it is becoming harder to detect. Learning how this works and what it means in practice matters to anyone managing Windows environments right now. Let us walk through it slowly and clearly.

ClearFake’s Evolution from Fake Updates to Proxy Execution

ClearFake started out in 2023 as a JavaScript-based drive-by exploit that would inject malicious content into compromised websites. Visitors to those sites were shown fake browser update screens or error messages that made it seem like their system needed attention. If they clicked yes or tried to fix the issue, the machine would end up downloading malware. That part of its life was simpler and easier for defenders to identify.

By mid-20,24 ClearFake operators transitioned to a variation known as ClickFix. Instead of fooling the browser into downloading files automatically, they now tricked victims into manually copying and pasting commands into a Windows console. That change was significant because users running the commands themselves bypassed many traditional endpoint protections and allowed the threat to spread more quietly than before.

The recent version extends this further by using proxy execution malware tactics that involve legitimate Windows tools and built-in behavior to quietly run the harmful code. Using these trusted features helps the attacker avoid detection and makes this ClearFake PowerShell attack more intrusive than before.

How Proxy Execution and Trusted Windows Feature Abuse Work

When you think of malware, you usually picture a file downloaded from a suspicious site or a hidden executable on your computer. In this campaign, the threat hides in plain sight by using a trusted tool to do the dirty work. A well-known Windows file like SyncAppvPublishingServer.vbs can be given hidden instructions to launch PowerShell commands that install or activate malware. This is what experts call Trusted Windows feature abuse because the attacker takes advantage of how legitimate Windows components are meant to work to achieve malicious ends.

In practice,e the malicious script or payload is injected into a compromised webpage. When a victim visits the page, they are shown a fake verification prompt that might look like a CAPTCHA or a browser warning. Behind the scenes, the ClearFake framework copies a crafted command into the clipboard that looks like a normal system command. If the user follows the prompt, it ends up opening a trusted binary that then silently runs PowerShell code embedded by the attacker. This avoids typical antivirus alerts and often bypasses endpoint detection software.

Because this behavior relies on Windows native tool abuse rather than dropping and running a suspicious file, the infection chain is harder to spot in audits and more likely to evade signature-based detection. Skilled defenders call this a fileless malware attack because no traditional malicious binary needs to land on disk. The commands execute in memory via PowerShell, and the trusted Windows feature is used as a proxy to authorize or launch them.

Real-World Example of This PowerShell Proxy Execution Attack

To make the scenario tangible, imagine you are browsing a legitimate news article. The site has been quietly compromised with ClearFake JavaScript. Suddenly, your browser shows a message that asks you to verify you are not a robot. It looks normal enough and might even include a familiar CAPTCHA widget. That is part of the lure.

Unseen to you, a snippet of script copied a command into your Windows clipboard. The CAPTCHA is followed by a prompt to open Windows Run and paste a fix command. If you do this, you might see nothing obvious happen for a few seconds. Behind that simple pasted text, a trusted Windows component runs a hidden PowerShell command that starts contacting remote servers and downloads more malicious code straight into memory. That is where the ClearFake PowerShell attack does most of its damage.

This subtlety is what makes the new version of ClearFake hard to detect and why it represents an escalation from previous variations, which relied on obvious downloads or known executables. The attacker is trying to stay one step ahead of defenders by blending malicious components with everyday system features.

Why This Raises Detection and Defense Challenges

From a defensive perspective, the most troubling aspect of this campaign is its use of fileless malware attack behavior coupled with endpoint detection evasion. Traditional antivirus and endpoint sensors look for suspicious files on disk or unusual network activity. When PowerShell runs code from memory and trusted executables are acting as proxies, those indicators are absent or muted.

Long-term defenders have been talking about how living off the land binaries and scripts can avoid detection. This ClearFake approach is a textbook example. It uses Windows' built-in tools and does not leave a clear footprintthat a typical scanner can flag or quarantine. That makes it possible for an attacker to stay on a compromised system longer and perform secondary actions such as credential theft, data exfiltration, or remote control without tripping alarms.

A related dilemma is that many organizations have allowed powerful scripting frameworks like PowerShell to run with high privileges without strict controls. Because of that, the proxy execution technique happens with minimal user awareness and often requires little interaction aside from the initial social engineering prompt.

Can Malware Run Without Files in Modern Windows Systems?

You might wonder at this point: how can malware run if it never leaves a file behind? The answer is that code can be loaded straight into memory using PowerShell instructions. Fileless threats like the one delivered here do exactly that. Instead of writing a malicious file to disk, they store instructions in memory, run them, perform actions, and then vanish. This makes the whole event look cleaner to defenders.

In practice, this sort of behavior is not new. Intrusion wizards have been using similar techniques for years in advanced threats such as some ransomware and remote access trojans, where persistence mechanisms rely on scheduled tasks or registry entries rather than a clear executable file. What changes with ClearFake is that a compromised webpage and a trusted Windows feature are now teamed up to pull this off.

Because of the absence of dropped files, even forensic analysis becomes harder. Security analysts have to look at memory snapshots and behavior logs instead of file hashes or executables. That means more effort and more specialized tools to identify the true source of an infection.

How Does Proxy Execution Work in Cyber Attacks?

At its core, proxy execution malware relies on a chain of trust. A legitimate system binary or script runs something on behalf of an attacker because the malware found a way to make that tool accept hidden input. In ClearFake’s case,e this starts with compromised JavaScript code on a web page. That code crafts a PowerShell command and puts it in the clipboard for the user.

When a trusted component like SyncAppvPublishingServer.vbs receives command-line arguments, it might not inspect them thoroughly. If the arguments include a PowerShell instruction, an attacker can use that to inject harmful tasks beneath the surface. This helps the threat maintain trusted parent process structures and avoid being marked malicious.

This concept is similar to how advanced threats have abused signed drivers or legitimate services in the past. By piggybacking on something the system already trusts, the malicious instructions slip through with fewer red flags.

Detecting This Type of Attack

Detecting a PowerShell proxy execution attack like ClearFake’s modern variant is not simple. Security teams must shift from looking only for suspicious files to monitoring behavior and telemetry. That includes checking for unusual PowerShell activity, such as commands that fetch code from remote sources or trusted binaries spawning PowerShell processes unexpectedly.

One practical tactic is to use endpoint threat hunting services that flag unusual interactions with system binaries. Monitoring clipboard interactions preceding command execution may also give clues. These signals are not foolproof but add context. Teams can also restrict PowerShell execution policies and log all script invocations to central logging systems to make backtracking easier.

Using an SOC investigation support service can help analyze suspicious events, correlate logs, and spot stealthy incidents before they escalate. Specialists can often catch patterns human defenders might miss.

Defending Against PowerShell-Based Malware Attacks

At its simplest, defense starts with education. Users should be aware that prompts telling them to paste commands into Windows Run or PowerShell are often dangerous. Those requests originate from browser content they did not intend to trust.

Technically,ly organizations can enforce stricter PowerShell policies, such as allowing only signed scripts or forbidding interactive script execution in certain user contexts. Many system administrators also block execution of unfamiliar binaries and apply strict application control policies that prevent unapproved tools from running.

Investing in malware incident response service support gives teams a deeper set of tools and procedures to examine suspicious behavior. Rapid investigation and containment can limit damage once an attack is underway.

Frequently Asked Questions

What is a PowerShell-based malware attack?
A PowerShell-based malware attack uses the Windows PowerShell framework to run harmful code directly in memory or through scripts without traditional malware files. This helps attackers avoid detection by antivirus software and complicates forensic investigation.

How does proxy execution work in cyber attacks?
Proxy execution in cyber attacks means using a trusted tool or binary to run malicious instructions on behalf of the attacker. This typically avoids detection because the trusted tool is expected to be safe, and defenders often focus on unknown or suspicious executables.

Can malware run without files in Windows?
Yes. Modern threats often use techniques like PowerShell or in-memory execution that do not write a harmful file to disk. This fileless behavior helps threats evade file-scanning-based defenses.

How do attackers bypass endpoint security?
Attackers bypass endpoint security by using trusted components, living off the land binaries, social engineering, or encryption and obfuscation to hide malicious behavior from signature-based tools.

Hoplon Insight Box

To strengthen your security posture against this rising type of threat, here are some practical recommendations:

• Log and monitor PowerShell invocations in your environment and filter out suspicious remote fetches.

• Block high-risk scripting execution by configuring PowerShell execution policies.

• Train employees to be cautious of any prompt that asks them to paste commands into Windows.

• Use endpoint threat hunting service and SOC investigation support to correlate events and respond quickly once something unusual is spotted.

• Adopt a malware incident response service to help contain and investigate suspicious behavior swiftly.

Final Thoughts

The ClearFake malware campaign has grown in sophistication from simple fake update prompts to a nuanced ClearFake PowerShell attack that uses proxy execution malware techniques and trusted Windows feature abuse.

This allows attackers to slip harmful PowerShell commands into a victim’s system using trusted tools and memory only, making detection and response more difficult. Understanding and defending against this layered threat requires a mix of user awareness education, stronger system controls, and specialized security services that stay focused on behavioral patterns instead of just file signatures.

The ClearFake malware campaign targets Windows endpoints using PowerShell for fileless attacks. Hoplon Infosec’s Endpoint Security helps detect and block these threats effectively.