New Botnet Mixes AI and Blockchain
A creative new botnet called OCRFix is reportedly using a combination of fake CAPTCHAs, AI, and blockchains to build resilient infrastructure. The technique demonstrates how attackers are layering emerging technologies to bypass traditional security controls.
The attack begins with a typosquatted domain, tesseract-ocr[.]com, impersonating the legitimate Tesseract open-source OCR tool which, lacking its own website, is an easy target for such imitation. This fake site uses a social engineering trick known as "ClickFix," where users are prompted to solve a CAPTCHA that, when clicked, copies a malicious PowerShell command to their clipboard.

The multi-stage infection process starts with the execution of this PowerShell command. A second stage establishes persistence by creating scheduled tasks and disabling security features like BitLocker and Windows Defender. The final stage is a bot listener that collects system information, such as IP address, OS, and device name, and sends it to a control panel.

OCRFix's key innovation is "EtherHiding," a technique for concealing its command-and-control (C2) infrastructure on a public blockchain. Instead of hardcoding C2 server addresses, the malware queries smart contracts on the BNB Smart Chain TestNet to retrieve the current C2 URLs. This makes the botnet highly resilient to takedowns, as the blockchain itself cannot be seized or sinkholed.

This use of a decentralized ledger for C2 communications represents a significant evolution from traditional botnets that rely on centralized servers, which are a single point of failure. By storing C2 information within blockchain transactions, the attackers can rapidly rotate their infrastructure, complicating static detection and blocking efforts. This tactic is not entirely new, with similar blockchain-based C2 techniques observed in campaigns as early as 2021.
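As an added defender's example (not code from the reporting above), here is a small stage-correlation check over constructed Sysmon-style events, keyed on the three behaviours the article describes: a hidden PowerShell launched from explorer.exe, task creation or Defender/BitLocker tampering spawned by that PowerShell, and a non-browser process reaching a blockchain RPC endpoint. The event fields, command lines and the RPC hostname are constructed placeholders, not indicators from the campaign.

```python
from collections import defaultdict
# Constructed Sysmon-style events (EventID 1 = ProcessCreate, 3 = NetworkConnect).
# Command lines are placeholders, not the real OCRFix payload.
EVENTS = [
    {"ts": 100, "host": "ws01", "id": 1, "image": "powershell.exe", "parent": "explorer.exe",
     "cmd": "powershell -w hidden -ep bypass -c <placeholder>"},
    {"ts": 130, "host": "ws01", "id": 1, "image": "schtasks.exe", "parent": "powershell.exe",
     "cmd": "schtasks /create /tn Updater /sc onlogon /tr <placeholder>"},
    {"ts": 131, "host": "ws01", "id": 1, "image": "powershell.exe", "parent": "powershell.exe",
     "cmd": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": 132, "host": "ws01", "id": 1, "image": "manage-bde.exe", "parent": "powershell.exe",
     "cmd": "manage-bde -off C:"},
    {"ts": 200, "host": "ws01", "id": 3, "image": "powershell.exe",
     "dest": "rpc.bsc-testnet.placeholder.invalid", "port": 8545},
    {"ts": 500, "host": "ws02", "id": 1, "image": "schtasks.exe", "parent": "cmd.exe",
     "cmd": "schtasks /create /tn Backup /sc daily /tr backup.exe"},
]

# Placeholder watchlist of blockchain RPC hosts; fill from threat intel in practice.
RPC_ENDPOINTS = {"rpc.bsc-testnet.placeholder.invalid"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def is_clickfix_launch(e):
    # Stage 1: PowerShell started from explorer.exe (Run box) with a hidden window
    return (e["id"] == 1 and e["image"] == "powershell.exe"
            and e["parent"] == "explorer.exe" and "hidden" in e["cmd"].lower())

def is_persistence_or_evasion(e):
    # Stage 2: task creation or Defender/BitLocker tampering spawned by PowerShell
    c = e.get("cmd", "").lower()
    return (e["id"] == 1 and e["parent"] == "powershell.exe"
            and any(s in c for s in ("schtasks /create", "set-mppreference", "manage-bde -off")))

def is_c2_lookup(e):
    # Stage 3: a non-browser process talking to a watchlisted blockchain RPC endpoint
    return e["id"] == 3 and e["image"] not in BROWSERS and e.get("dest") in RPC_ENDPOINTS

RULES = [("clickfix_launch", is_clickfix_launch),
         ("persistence_or_evasion", is_persistence_or_evasion), ("c2_lookup", is_c2_lookup)]

def correlate(events, window=600):
    """Host -> stage names in first-seen order, only where all stages fire within `window` s."""
    first_seen = defaultdict(dict)
    for e in sorted(events, key=lambda x: x["ts"]):
        for name, rule in RULES:
            if rule(e):
                first_seen[e["host"]].setdefault(name, e["ts"])
    return {h: sorted(s, key=s.get) for h, s in first_seen.items()
            if len(s) == len(RULES) and max(s.values()) - min(s.values()) <= window}
```

Any one stage on its own is noisy in a real estate (administrators create scheduled tasks and toggle Defender), which is why the chain, not the single event, is what raises the alert.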