EtherHiding popups still active

Intel Name: EtherHiding popups still active

Date of Scan: September 9, 2024

Impact: High

Summary:
We continue to find websites with injected code that uses “EtherHiding” to create popup windows for fake browser updates. This issue has been observed in infection chains known as “ClearFake” and “ClickFix,” though we have not yet identified the specific malware associated with this chain. For details on a ClickFix infection chain reported in June 2024, visit: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-06-24-IOCs-for-ClickFix-pushing-Lumma-Stealer.txt

Further information on EtherHiding techniques can be found at:

https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16
