A newly identified botnet trojan campaign, dubbed OCRFix, is stealthily building a network of compromised machines by blending sophisticated social engineering tactics with a novel blockchain-based command infrastructure. The campaign leverages the well-known ClickFix phishing technique alongside EtherHiding, a method that embeds attacker instructions directly into public blockchains, making it exceptionally difficult to disrupt.
Security analysts at Cyjax first detected the OCRFix campaign during routine threat monitoring. The attack begins with a typosquatting website that impersonates tesseract-ocr[.]com, a convincing fake of the legitimate open-source Optical Character Recognition tool, Tesseract OCR. Notably, the real Tesseract project is hosted on GitHub and lacks its own dedicated website, making it an easy target for domain impersonation. The campaign didn’t stop at traditional SEO poisoning; it also employed Large Language Model (LLM) poisoning, with OpenAI’s ChatGPT observed actively recommending the malicious site to unsuspecting users. A YouTube video was also found during the investigation that appeared to promote these fraudulent instructions.
OCRFix Botnet’s Deceptive Entry and Multi-Stage Payload
Upon visiting the phishing site, users are greeted with a fake CAPTCHA prompt. When a user clicks to “verify,” a heavily obfuscated PowerShell command is silently copied to their clipboard. The page then instructs the user to open Windows PowerShell and paste the command, presenting it as a standard verification step. In reality, this command decodes itself, connects to a server at opsecdefcloud[.]com, and downloads a malicious MSI file (identified as 98166e51.msi), initiating the infection chain. Once the command has run, victims are quietly redirected to the legitimate Tesseract GitHub page, leaving them unaware of the compromise.
Once the MSI file executes, the malware deploys in three distinct stages. The first stage, Update1.exe, functions as a loader. It queries a BNB TestNet smart contract for the Command and Control (C2) address and then downloads and unpacks a data.zip package from attacker-controlled servers. The second stage, setup_helper.exe, ensures persistence by creating a scheduled task designed to run the final payload every minute with the highest privilege level. This stage also cunningly adds exclusion paths to bypass Windows Defender, further evading detection.
The third stage, CfgHelper.exe, acts as the bot listener. It collects essential victim information, including their IP address, operating system name, device name, and unique identifiers. This data is then transmitted to the bot control panel located at ldture[.]com. Cyrillic comments found within the panel’s source code suggest that the operators may be of Russian origin, although this remains unconfirmed at this time.
EtherHiding: Blockchain as a Command Channel for OCRFix
The most technically innovative aspect of the OCRFix campaign is its utilization of EtherHiding to store command and control (C2) addresses. Instead of directing malware to traditional servers that security teams can block, the attackers have embedded their C2 URLs within smart contracts on the BNB Smart Chain TestNet. Three separate contract addresses were identified during the analysis of the campaign. This method makes the C2 infrastructure exceptionally resilient, as the blockchain itself cannot be taken down.
Whenever a malware stage requires its next instruction, it queries the public blockchain node bsc-testnet.publicnode[.]com to retrieve the stored URL. This advanced technique has been previously linked to North Korean threat actors, and its appearance in the OCRFix campaign may signal a broader adoption among other malicious groups. The attackers can update the C2 address at any time simply by modifying the contract’s stored variable, offering them continuous control over their infected network.
The OCRFix campaign is meticulously designed to keep victims unaware of the compromise for an extended period. The combination of deceptive legitimacy, clipboard injection, and a layered malware chain demonstrates how seemingly straightforward phishing tactics can be employed to support a stealthy and persistent intrusion. This evolving threat landscape highlights the need for robust cybersecurity measures.
Organizations are advised to implement strong security practices to mitigate such threats. Restricting PowerShell execution to only essential personnel, with robust script block logging enabled, can help detect obfuscated commands. Comprehensive security awareness training should equip staff to recognize ClickFix-style fake CAPTCHA prompts, ensuring they understand that legitimate websites do not require the pasting of PowerShell commands. Endpoint security solutions should be configured to flag unusual Windows Management Instrumentation (WMI) queries and the creation of unexpected high-privilege scheduled tasks. Network teams should actively monitor outbound connections to public blockchain nodes, as these typically have no legitimate business purpose within most organizational environments.
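Detection logic for the indicators listed above, as an added example that is not part of the Cyjax report: four rules cover the encoded PowerShell paste, the every-minute highest-privilege scheduled task, the Defender exclusion, and the lookup of a public blockchain node, then a simple correlation counts how many stages of the chain are visible on one host. The log lines and their field layout are constructed and simplified (loosely modelled on PowerShell 4104, Security 4698, Defender 5007 and Sysmon 22 events), not real telemetry.

```python
import re

# Constructed sample events (not real telemetry). Indicators are those named in the article;
# the encoded command is a placeholder, not a real payload.
SAMPLE_EVENTS = [
    {"source": "PowerShell/4104", "msg": "powershell.exe -w hidden -enc PLACEHOLDER_BASE64"},
    {"source": "Security/4698",
     "msg": r"TaskName=\CfgHelperTask Command=C:\Users\Public\CfgHelper.exe Schedule=MINUTE Interval=1 RunLevel=HIGHEST"},
    {"source": "Defender/5007", "msg": r"Exclusions\Paths\C:\Users\Public = 0x0"},
    {"source": "Sysmon/22", "msg": r"QueryName: bsc-testnet.publicnode.com Image: C:\Users\Public\Update1.exe"},
    {"source": "Sysmon/22", "msg": r"QueryName: github.com Image: C:\Program Files\Firefox\firefox.exe"},
    {"source": "Security/4698", "msg": r"TaskName=\Microsoft\Windows\Backup Schedule=DAILY RunLevel=LIMITED"},
]

RULES = {
    # Stage 0: encoded or hidden-window PowerShell, the form the ClickFix paste takes.
    "encoded_powershell": re.compile(r"-(?:enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden", re.I),
    # Stage 2 persistence: task that fires every minute at the highest run level.
    "minute_task_highest": re.compile(r"Schedule=MINUTE\b.*?Interval=1\b.*?RunLevel=HIGHEST", re.I),
    # Stage 2 evasion: a Defender exclusion path being added.
    "defender_exclusion": re.compile(r"Exclusions\\Paths\\", re.I),
    # Stage 1/EtherHiding: DNS lookup of a public blockchain node from an endpoint.
    "blockchain_node_lookup": re.compile(r"QueryName:\s*\S*publicnode\.com", re.I),
}


def match_rules(event):
    """Return the names of every rule that fires on a single event."""
    return [name for name, rx in RULES.items() if rx.search(event["msg"])]


def scan(events):
    """Return (rule, source, msg) for every hit across the event list."""
    return [(name, ev["source"], ev["msg"]) for ev in events for name in match_rules(ev)]


def chain_score(events):
    """Number of distinct chain stages seen on the host; several together is far
    stronger evidence than any single rule, which may fire on benign admin activity."""
    return len({name for ev in events for name in match_rules(ev)})


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
    print("stages visible:", chain_score(SAMPLE_EVENTS))
```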