Pulse Detail — Threat Intelligence

PULSE NAME

ClickFix Campaign Threats to Organizations

WHITE eric.ford 2024-10-30 Modified: 2024-11-29

223

IOCs

HIGH VOLUME

Deepwatch Threat Intel team assesses that cybercriminals will likely continue using the ClickFix technique to target organizations and individuals. The ClickFix technique is a social engineering tactic employed by cybercriminals to deceive users into downloading malware through fake CAPTCHAs, error messages, and prompts that entice users to inadvertently run malicious PowerShell scripts and commands.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1056 T1204 T1176 T1219 T1115 T1195 T1566 T1036 T1123 T1218 T1102 T1125 T1496 T1573 T1059 T1070 T1110 T1003 T1090 T1055 T1583.001 T1584.001 T1566.001 T1204.001 T1059.001 T1036.005 T1547.001 T1562.006 T1555.003

MALWARE FAMILIES

Lumma Amadey RedLine Matanbuchus NetSupport Stealc AMOS Vidar Rhadamanthys DarkGate xmrig

Indicators of Compromise (158 / 223 total)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
domain	alienmanfc6.com	—	2024-10-30
domain	apunanwu.com	—	2024-10-30
domain	argongame.com	—	2024-10-30
domain	battleforge.cc	—	2024-10-30
domain	battleultimate.xyz	—	2024-10-30
domain	bowerchalke.com	—	2024-10-30
domain	calipsoproject.com	—	2024-10-30
domain	carolinejuskus.com	—	2024-10-30
domain	cautrucanhtuan.com	—	2024-10-30
domain	cozyland.xyz	—	2024-10-30
domain	cozymeta.com	—	2024-10-30
domain	cozymeta.fun	—	2024-10-30
domain	cozymeta.xyz	—	2024-10-30
domain	cozyweb3.com	—	2024-10-30
domain	cozyworld.io	—	2024-10-30
domain	cphoops.com	—	2024-10-30
domain	darkblow.com	—	2024-10-30
domain	dekhke.com	—	2024-10-30
domain	doculuma.com	—	2024-10-30
domain	fatoreader.com	—	2024-10-30
domain	fatoreader.net	—	2024-10-30
domain	gamascript.com	—	2024-10-30
domain	googiedrivers.com	—	2024-10-30
domain	iloanshop.com	—	2024-10-30
domain	kansaskollection.com	—	2024-10-30
domain	lastnuggets.com	—	2024-10-30
domain	lirelasuisse.com	—	2024-10-30
domain	lunacy3.com	—	2024-10-30
domain	lunacy4.com	—	2024-10-30
domain	mdalies.com	—	2024-10-30
domain	mensadvancega.com	—	2024-10-30
domain	mishapagerealty.com	—	2024-10-30
domain	missingfrontier.com	—	2024-10-30
domain	modoodeul.com	—	2024-10-30
domain	mor-dex.world	—	2024-10-30
domain	mordex.blog	—	2024-10-30
domain	mordex.digital	—	2024-10-30
domain	mordex.homes	—	2024-10-30
domain	mybattleforge.xyz	—	2024-10-30
domain	myultimate.xyz	—	2024-10-30
domain	ngtmeta.io	—	2024-10-30
domain	ngtmetaland.io	—	2024-10-30
domain	ngtmetaweb.com	—	2024-10-30
domain	ngtproject.com	—	2024-10-30
domain	ngtstudio.io	—	2024-10-30
domain	ngtstudio.online	—	2024-10-30
domain	ngtverse.org	—	2024-10-30
domain	night-support.xyz	—	2024-10-30
domain	nightpredators.com	—	2024-10-30
domain	nightstudio.io	—	2024-10-30
domain	nightstudioweb.xyz	—	2024-10-30
domain	nor-tex.eu	—	2024-10-30
domain	nor-tex.pro	—	2024-10-30
domain	nor-tex.world	—	2024-10-30
domain	nor-tex.xyz	—	2024-10-30
domain	nort-ex.eu	—	2024-10-30
domain	nort-ex.lol	—	2024-10-30
domain	nort-ex.world	—	2024-10-30
domain	nortex-app.pro	—	2024-10-30
domain	nortex-app.us	—	2024-10-30
domain	nortex-app.xyz	—	2024-10-30
domain	nortex.blog	—	2024-10-30
domain	nortex.digital	—	2024-10-30
domain	nortex.life	—	2024-10-30
domain	nortex.limited	—	2024-10-30
domain	nortex.lol	—	2024-10-30
domain	nortex.uk	—	2024-10-30
domain	nortexapp.com	—	2024-10-30
domain	nortexapp.digital	—	2024-10-30
domain	nortexapp.io	—	2024-10-30
domain	nortexapp.me	—	2024-10-30
domain	nortexapp.pro	—	2024-10-30
domain	nortexapp.xyz	—	2024-10-30
domain	nortexmessenger.blog	—	2024-10-30
domain	nortexmessenger.digital	—	2024-10-30
domain	nortexmessenger.pro	—	2024-10-30
domain	nortexmessenger.us	—	2024-10-30
domain	pabloarruda.com	—	2024-10-30
domain	pakoyayinlari.com	—	2024-10-30
domain	patrickcateman.com	—	2024-10-30
domain	phperl.com	—	2024-10-30
domain	playbattleforge.org	—	2024-10-30
domain	playbattleforge.xyz	—	2024-10-30
domain	playultimate.xyz	—	2024-10-30
domain	projectcalipso.com	—	2024-10-30
domain	riotrevelry.com	—	2024-10-30
domain	sleipnirbrowser.org	—	2024-10-30
domain	sleipnirbrowser.xyz	—	2024-10-30
domain	stonance.com	—	2024-10-30
domain	thecalipsoproject.com	—	2024-10-30
domain	thewatch.com	—	2024-10-30
domain	tooldream.live	—	2024-10-30
domain	ultimategame.xyz	—	2024-10-30
domain	ultimateplay.xyz	—	2024-10-30
domain	us002webzoom.us	—	2024-10-30
domain	us003webzoom.us	—	2024-10-30
domain	us004web-zoom.us	—	2024-10-30
domain	us005web-zoom.us	—	2024-10-30
domain	us006web-zoom.us	—	2024-10-30
domain	us007web-zoom.us	—	2024-10-30
domain	us008web-zoom.us	—	2024-10-30
domain	us01web-zoom.us	—	2024-10-30
domain	us01web.us	—	2024-10-30
domain	us03web-zoom.us	—	2024-10-30
domain	us03web.us	—	2024-10-30
domain	us050web-zoom.us	—	2024-10-30
domain	us055web-zoom.us	—	2024-10-30
domain	us07web-zoom.us	—	2024-10-30
domain	us08web-zoom.us	—	2024-10-30
domain	us08web.us	—	2024-10-30
domain	us09web-zoom.us	—	2024-10-30
domain	us09web.us	—	2024-10-30
domain	us10web-zoom.us	—	2024-10-30
domain	us12web.us	—	2024-10-30
domain	us15web.us	—	2024-10-30
domain	us18web-zoom.us	—	2024-10-30
domain	us20web.us	—	2024-10-30
domain	us30web-zoom.us	—	2024-10-30
domain	us40web-zoom.us	—	2024-10-30
domain	us40web.us	—	2024-10-30
domain	us45web-zoom.us	—	2024-10-30
domain	us4web-zoom.us	—	2024-10-30
domain	us500web-zoom.us	—	2024-10-30
domain	us505web-zoom.us	—	2024-10-30
domain	us50web-zoom.us	—	2024-10-30
domain	us50web.us	—	2024-10-30
domain	us555web-zoom.us	—	2024-10-30
domain	us55web.us	—	2024-10-30
domain	us5web-zoom.us	—	2024-10-30
domain	us60web-zoom.us	—	2024-10-30
domain	us6web-zoom.us	—	2024-10-30
domain	us70web-zoom.us	—	2024-10-30
domain	us77web-zoom.us	—	2024-10-30
domain	us80web-zoom.us	—	2024-10-30
domain	us85web-zoom.us	—	2024-10-30
domain	us95web-zoom.us	—	2024-10-30
domain	utv4fun.com	—	2024-10-30
domain	verdascript.com	—	2024-10-30
domain	veriscroll.com	—	2024-10-30
domain	web05-zoom.us	—	2024-10-30
domain	web3dev.buzz	—	2024-10-30
domain	webapizmland.com	—	2024-10-30
domain	webjoining.com	—	2024-10-30
domain	webroom-zoom.us	—	2024-10-30
domain	worldcozy.com	—	2024-10-30
domain	ajsdiaolke.shop	—	2024-10-30
domain	dais7nsa.pics	—	2024-10-30
domain	daslkjfhi2.lol	—	2024-10-30
domain	infected.site	—	2024-10-30
domain	md928zs.shop	—	2024-10-30
domain	mdasidy72.lol	—	2024-10-30
domain	mdasidy72.mom	—	2024-10-30
domain	ndas8m92.shop	—	2024-10-30
domain	ndm2398asdlw.shop	—	2024-10-30
domain	peskpdfgif.shop	—	2024-10-30
domain	skibidirizz.lol	—	2024-10-30
domain	smolcatkgi.shop	—	2024-10-30
domain	x99y.xyz	—	2024-10-30

References (4)

↗ https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/ ↗ https://blog.sucuri.net/2024/08/wordpress-websites-used-to-distribute-clearfake-trojan-malware.html ↗ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/#h-fake-google-meet-pages-and-technical-issues ↗ https://www.godaddy.com/resources/news/threat-actors-push-clickfix-fake-browser-updates-using-stolen-credentials