Pulse Detail — Threat Intelligence

PULSE NAME

ClickFix Campaign Threats to Organizations

WHITE eric.ford 2024-10-30 Modified: 2024-11-29

223

IOCs

HIGH VOLUME

Deepwatch Threat Intel team assesses that cybercriminals will likely continue using the ClickFix technique to target organizations and individuals. The ClickFix technique is a social engineering tactic employed by cybercriminals to deceive users into downloading malware through fake CAPTCHAs, error messages, and prompts that entice users to inadvertently run malicious PowerShell scripts and commands.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1056 T1204 T1176 T1219 T1115 T1195 T1566 T1036 T1123 T1218 T1102 T1125 T1496 T1573 T1059 T1070 T1110 T1003 T1090 T1055 T1583.001 T1584.001 T1566.001 T1204.001 T1059.001 T1036.005 T1547.001 T1562.006 T1555.003

MALWARE FAMILIES

Lumma Amadey RedLine Matanbuchus NetSupport Stealc AMOS Vidar Rhadamanthys DarkGate xmrig

Indicators of Compromise (223)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	525abe8da7ca32f163d93268c509a4c5	—	2024-10-30
FileHash-MD5	e3274bc41f121b918ebb66e2f0cbfe29	—	2024-10-30
FileHash-MD5	ee2ff2c8f49ca29fe18e8d18b76d4108	—	2024-10-30
FileHash-SHA1	4e9072c490ad2f00c9919bf638b78ac8a0b87fe6	SHA1 of 525abe8da7ca32f163d93268c509a4c5	2024-10-30
FileHash-SHA1	59f706841db1ad174075bd529cc5b231a6bb6054	SHA1 of e3274bc41f121b918ebb66e2f0cbfe29	2024-10-30
FileHash-SHA1	baa6e56ab2ad4e6072b063febde50075362b42a0	SHA1 of ee2ff2c8f49ca29fe18e8d18b76d4108	2024-10-30
FileHash-SHA256	210a9e063211abc76ee5d4b082a207ae20627021d0ec3131963a4a1822aaf9db	SHA256 of e3274bc41f121b918ebb66e2f0cbfe29	2024-10-30
FileHash-SHA256	b392210a614d4a3a6673c08c75491a4b722c0abe7ff5a5af0c01fe84f23314c9	SHA256 of ee2ff2c8f49ca29fe18e8d18b76d4108	2024-10-30
FileHash-SHA256	dad8074d6d4bfe1e253ed9a4e3554a6993198b96ee26af03be080acd9f7fda22	SHA256 of 525abe8da7ca32f163d93268c509a4c5	2024-10-30
URL	http://152.89.198.96:57691/e9930	—	2024-10-30
FileHash-MD5	0ba52a085647724ae6b56e29bab4af6e	MD5 of a834be6d2bec10f39019606451b507742b7e87ac8d19dc0643ae58df183f773c	2024-10-30
FileHash-MD5	51f8527e20dcb05ffd8586b853937a8a	—	2024-10-30
FileHash-MD5	6bee9adb58a318a61a3af447b31c7f3e	MD5 of 94379fa0a97cc2ecd8d5514d0b46c65b0d46ff9bb8d5a4a29cf55a473da550d5	2024-10-30
FileHash-MD5	acfba6ff2e80e0ebc80df9e7d326337c	MD5 of 92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138	2024-10-30
FileHash-MD5	ba0767946d9cac95fd727d7076c7fec1	MD5 of 2853a61188b4446be57543858adcc704e8534326d4d84ac44a60743b1a44cbfe	2024-10-30
FileHash-MD5	e7959e4089c1993045e01cb9c3cbc6a5	—	2024-10-30
FileHash-SHA1	1ee26f6cb803f456ba019ebae8eb818f0e48a962	SHA1 of a834be6d2bec10f39019606451b507742b7e87ac8d19dc0643ae58df183f773c	2024-10-30
FileHash-SHA1	31c713eabc90f61b44703a8d30e7ced6e2941f23	SHA1 of 2853a61188b4446be57543858adcc704e8534326d4d84ac44a60743b1a44cbfe	2024-10-30
FileHash-SHA1	bc6587212e27111770ec0e61b735c7b527186c1b	SHA1 of 94379fa0a97cc2ecd8d5514d0b46c65b0d46ff9bb8d5a4a29cf55a473da550d5	2024-10-30
FileHash-SHA1	fe28d5756815fdac31a744a2f11c075f5b1892bc	SHA1 of 92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138	2024-10-30
FileHash-SHA256	2853a61188b4446be57543858adcc704e8534326d4d84ac44a60743b1a44cbfe	—	2024-10-30
FileHash-SHA256	92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138	—	2024-10-30
FileHash-SHA256	94379fa0a97cc2ecd8d5514d0b46c65b0d46ff9bb8d5a4a29cf55a473da550d5	—	2024-10-30
FileHash-SHA256	a834be6d2bec10f39019606451b507742b7e87ac8d19dc0643ae58df183f773c	—	2024-10-30
URL	http://77.221.157.170:3004/server.js	—	2024-10-30
URL	http://85.209.11.155/joinsystem	—	2024-10-30
URL	http://95.182.97.58/84b7b6f977dd1c65.php	—	2024-10-30
URL	https://carolinejuskus.com/f9dfbcf6a999/7cc2f5dc3c76/load.51f8527e20dcb05ffd8586b853937a8a.php?call=launcher	—	2024-10-30
URL	https://carolinejuskus.com/kusaka.php?call=launcher	—	2024-10-30
URL	https://googIedrivers.com/fix-error	—	2024-10-30
URL	https://meet.google.com-join.us/wmq-qcdn-orj	—	2024-10-30
URL	https://meet.google.us-join.com/ywk-batf-sfh	—	2024-10-30
URL	https://meet.google.us07host.com/coc-btru-ays	—	2024-10-30
URL	https://meet.google.webjoining.com/exw-jfaj-hpa	—	2024-10-30
URL	https://us18web-zoom.us/ram.exe	—	2024-10-30
URL	https://us18web-zoom.us/stealc.exe	—	2024-10-30
URL	https://webapizmland.com/api/cmdruned	—	2024-10-30
domain	alienmanfc6.com	—	2024-10-30
domain	apunanwu.com	—	2024-10-30
domain	argongame.com	—	2024-10-30
domain	battleforge.cc	—	2024-10-30
domain	battleultimate.xyz	—	2024-10-30
domain	bowerchalke.com	—	2024-10-30
domain	calipsoproject.com	—	2024-10-30
domain	carolinejuskus.com	—	2024-10-30
domain	cautrucanhtuan.com	—	2024-10-30
domain	cozyland.xyz	—	2024-10-30
domain	cozymeta.com	—	2024-10-30
domain	cozymeta.fun	—	2024-10-30
domain	cozymeta.xyz	—	2024-10-30
domain	cozyweb3.com	—	2024-10-30
domain	cozyworld.io	—	2024-10-30
domain	cphoops.com	—	2024-10-30
domain	darkblow.com	—	2024-10-30
domain	dekhke.com	—	2024-10-30
domain	doculuma.com	—	2024-10-30
domain	fatoreader.com	—	2024-10-30
domain	fatoreader.net	—	2024-10-30
domain	gamascript.com	—	2024-10-30
domain	googiedrivers.com	—	2024-10-30
domain	iloanshop.com	—	2024-10-30
domain	kansaskollection.com	—	2024-10-30
domain	lastnuggets.com	—	2024-10-30
domain	lirelasuisse.com	—	2024-10-30
domain	lunacy3.com	—	2024-10-30
domain	lunacy4.com	—	2024-10-30
domain	mdalies.com	—	2024-10-30
domain	mensadvancega.com	—	2024-10-30
domain	mishapagerealty.com	—	2024-10-30
domain	missingfrontier.com	—	2024-10-30
domain	modoodeul.com	—	2024-10-30
domain	mor-dex.world	—	2024-10-30
domain	mordex.blog	—	2024-10-30
domain	mordex.digital	—	2024-10-30
domain	mordex.homes	—	2024-10-30
domain	mybattleforge.xyz	—	2024-10-30
domain	myultimate.xyz	—	2024-10-30
domain	ngtmeta.io	—	2024-10-30
domain	ngtmetaland.io	—	2024-10-30
domain	ngtmetaweb.com	—	2024-10-30
domain	ngtproject.com	—	2024-10-30
domain	ngtstudio.io	—	2024-10-30
domain	ngtstudio.online	—	2024-10-30
domain	ngtverse.org	—	2024-10-30
domain	night-support.xyz	—	2024-10-30
domain	nightpredators.com	—	2024-10-30
domain	nightstudio.io	—	2024-10-30
domain	nightstudioweb.xyz	—	2024-10-30
domain	nor-tex.eu	—	2024-10-30
domain	nor-tex.pro	—	2024-10-30
domain	nor-tex.world	—	2024-10-30
domain	nor-tex.xyz	—	2024-10-30
domain	nort-ex.eu	—	2024-10-30
domain	nort-ex.lol	—	2024-10-30
domain	nort-ex.world	—	2024-10-30
domain	nortex-app.pro	—	2024-10-30
domain	nortex-app.us	—	2024-10-30
domain	nortex-app.xyz	—	2024-10-30
domain	nortex.blog	—	2024-10-30
domain	nortex.digital	—	2024-10-30
domain	nortex.life	—	2024-10-30
domain	nortex.limited	—	2024-10-30
domain	nortex.lol	—	2024-10-30
domain	nortex.uk	—	2024-10-30
domain	nortexapp.com	—	2024-10-30
domain	nortexapp.digital	—	2024-10-30
domain	nortexapp.io	—	2024-10-30
domain	nortexapp.me	—	2024-10-30
domain	nortexapp.pro	—	2024-10-30
domain	nortexapp.xyz	—	2024-10-30
domain	nortexmessenger.blog	—	2024-10-30
domain	nortexmessenger.digital	—	2024-10-30
domain	nortexmessenger.pro	—	2024-10-30
domain	nortexmessenger.us	—	2024-10-30
domain	pabloarruda.com	—	2024-10-30
domain	pakoyayinlari.com	—	2024-10-30
domain	patrickcateman.com	—	2024-10-30
domain	phperl.com	—	2024-10-30
domain	playbattleforge.org	—	2024-10-30
domain	playbattleforge.xyz	—	2024-10-30
domain	playultimate.xyz	—	2024-10-30
domain	projectcalipso.com	—	2024-10-30
domain	riotrevelry.com	—	2024-10-30
domain	sleipnirbrowser.org	—	2024-10-30
domain	sleipnirbrowser.xyz	—	2024-10-30
domain	stonance.com	—	2024-10-30
domain	thecalipsoproject.com	—	2024-10-30
domain	thewatch.com	—	2024-10-30
domain	tooldream.live	—	2024-10-30
domain	ultimategame.xyz	—	2024-10-30
domain	ultimateplay.xyz	—	2024-10-30
domain	us002webzoom.us	—	2024-10-30
domain	us003webzoom.us	—	2024-10-30
domain	us004web-zoom.us	—	2024-10-30
domain	us005web-zoom.us	—	2024-10-30
domain	us006web-zoom.us	—	2024-10-30
domain	us007web-zoom.us	—	2024-10-30
domain	us008web-zoom.us	—	2024-10-30
domain	us01web-zoom.us	—	2024-10-30
domain	us01web.us	—	2024-10-30
domain	us03web-zoom.us	—	2024-10-30
domain	us03web.us	—	2024-10-30
domain	us050web-zoom.us	—	2024-10-30
domain	us055web-zoom.us	—	2024-10-30
domain	us07web-zoom.us	—	2024-10-30
domain	us08web-zoom.us	—	2024-10-30
domain	us08web.us	—	2024-10-30
domain	us09web-zoom.us	—	2024-10-30
domain	us09web.us	—	2024-10-30
domain	us10web-zoom.us	—	2024-10-30
domain	us12web.us	—	2024-10-30
domain	us15web.us	—	2024-10-30
domain	us18web-zoom.us	—	2024-10-30
domain	us20web.us	—	2024-10-30
domain	us30web-zoom.us	—	2024-10-30
domain	us40web-zoom.us	—	2024-10-30
domain	us40web.us	—	2024-10-30
domain	us45web-zoom.us	—	2024-10-30
domain	us4web-zoom.us	—	2024-10-30
domain	us500web-zoom.us	—	2024-10-30
domain	us505web-zoom.us	—	2024-10-30
domain	us50web-zoom.us	—	2024-10-30
domain	us50web.us	—	2024-10-30
domain	us555web-zoom.us	—	2024-10-30
domain	us55web.us	—	2024-10-30
domain	us5web-zoom.us	—	2024-10-30
domain	us60web-zoom.us	—	2024-10-30
domain	us6web-zoom.us	—	2024-10-30
domain	us70web-zoom.us	—	2024-10-30
domain	us77web-zoom.us	—	2024-10-30
domain	us80web-zoom.us	—	2024-10-30
domain	us85web-zoom.us	—	2024-10-30
domain	us95web-zoom.us	—	2024-10-30
domain	utv4fun.com	—	2024-10-30
domain	verdascript.com	—	2024-10-30
domain	veriscroll.com	—	2024-10-30
domain	web05-zoom.us	—	2024-10-30
domain	web3dev.buzz	—	2024-10-30
domain	webapizmland.com	—	2024-10-30
domain	webjoining.com	—	2024-10-30
domain	webroom-zoom.us	—	2024-10-30
domain	worldcozy.com	—	2024-10-30
hostname	meet.googie.com-join.us	—	2024-10-30
hostname	meet.google.cdm-join.us	—	2024-10-30
hostname	meet.google.com-join.us	—	2024-10-30
hostname	meet.google.us-join.com	—	2024-10-30
hostname	meet.google.us07host.com	—	2024-10-30
hostname	meet.google.web-join.com	—	2024-10-30
hostname	meet.google.webjoining.com	—	2024-10-30
FileHash-MD5	194577a7e20bdcc7afbb718f502c134c	MD5 of d65165279105ca6773180500688df4bdc69a2c7b771752f0a46ef120b7fd8ec3	2024-10-30
FileHash-MD5	602e1f42d73cadcd73338ffbc553d5a2	MD5 of a4ad384663963d335a27fa088178a17613a7b597f2db8152ea3d809c8b9781a0	2024-10-30
FileHash-SHA1	977bf53305dffa9acb6ac6b2ca11fce75dd1ef1e	SHA1 of a4ad384663963d335a27fa088178a17613a7b597f2db8152ea3d809c8b9781a0	2024-10-30
FileHash-SHA1	df2fbeb1400acda0909a32c1cf6bf492f1121e07	SHA1 of d65165279105ca6773180500688df4bdc69a2c7b771752f0a46ef120b7fd8ec3	2024-10-30
FileHash-SHA256	a4ad384663963d335a27fa088178a17613a7b597f2db8152ea3d809c8b9781a0	—	2024-10-30
FileHash-SHA256	d65165279105ca6773180500688df4bdc69a2c7b771752f0a46ef120b7fd8ec3	—	2024-10-30
URL	http://128.0.0.0	—	2024-10-30
URL	http://ajsdiaolke.shop/endpoint	—	2024-10-30
URL	http://cdn.ethers.io/lib/ethers-5.2.umd.min.js	—	2024-10-30
URL	http://dais7nsa.pics/endpoint	—	2024-10-30
URL	http://daslkjfhi2.lol/page	—	2024-10-30
URL	http://md928zs.shop/endpoint	—	2024-10-30
URL	http://mdasidy72.lol/endpoint	—	2024-10-30
URL	http://mdasidy72.mom/endpoint	—	2024-10-30
URL	http://ndas8m92.shop/endpoint	—	2024-10-30
URL	http://ndm2398asdlw.shop/page	—	2024-10-30
URL	http://peskpdfgif.shop/endpoint	—	2024-10-30
URL	http://skibidirizz.lol/endpoint	—	2024-10-30
URL	http://smolcatkgi.shop/endpoint	—	2024-10-30
URL	http://x99y.xyz/endpoint	—	2024-10-30
domain	ajsdiaolke.shop	—	2024-10-30
domain	dais7nsa.pics	—	2024-10-30
domain	daslkjfhi2.lol	—	2024-10-30
domain	infected.site	—	2024-10-30
domain	md928zs.shop	—	2024-10-30
domain	mdasidy72.lol	—	2024-10-30
domain	mdasidy72.mom	—	2024-10-30
domain	ndas8m92.shop	—	2024-10-30
domain	ndm2398asdlw.shop	—	2024-10-30
domain	peskpdfgif.shop	—	2024-10-30
domain	skibidirizz.lol	—	2024-10-30
domain	smolcatkgi.shop	—	2024-10-30
domain	x99y.xyz	—	2024-10-30
hostname	cdn.ethers.io	—	2024-10-30

References (4)

↗ https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/ ↗ https://blog.sucuri.net/2024/08/wordpress-websites-used-to-distribute-clearfake-trojan-malware.html ↗ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/#h-fake-google-meet-pages-and-technical-issues ↗ https://www.godaddy.com/resources/news/threat-actors-push-clickfix-fake-browser-updates-using-stolen-credentials