Threat actors behind the ClearFake campaign are leveraging EtherHiding to host malicious JavaScript payloads within BNB Smart Chain testnet smart contracts, bypassing traditional URL-based blocking. The attack chain begins with a compromised watering hole site and uses a ClickFix social engineering overlay to trick Windows and macOS users into executing malicious commands. This leads to the deployment of SectopRAT and ACRStealer via WebDAV DLL loading and DLL sideloading, enabling extensive credential and browser session theft.