Pulse Detail — Threat Intelligence

PULSE NAME

Threat Advisory: LightPerlGirl Malware

WHITE PetrP.73 2025-06-20 Modified: 2025-07-20

IOCs

MEDIUM VOLUME

The malware campaign centered around a threat actor utilizing a fake CAPTCHA popup dubbed ClickFix, which deceives users into executing malicious PowerShell commands. This initial compromise occurs when a user visits a compromised WordPress site that serves a JavaScript payload, mimicking a legitimate security check. The malicious dialog prompts the user to engage with a PowerShell command, which is obfuscated to evade detection. This command reaches out to a command-and-control (C2) server at cmbkz8kz1000108k2carjewzf.info and initiates a multi-stage infection process.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1027 T1059.001 T1059.003 T1071.001 T1105 T1204.002 T1218.012 T1547.001 T1548.002 T1562.001

MALWARE FAMILIES

LightPerlGirl

Indicators of Compromise (39)

All CIDR URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
CIDR	146.70.115.0/24	—	2025-06-20
CIDR	91.92.46.0/24	—	2025-06-20
CIDR	94.74.164.0/24	—	2025-06-20
URL	http://91.92.46.60:4000	—	2025-06-20
URL	http://cmbkz8kz1000108k2carjewzf.info/?x	—	2025-06-20
URL	http://cmbkz8kz1000108k2carjewzf.info/?x';	—	2025-06-20
URL	http://cmbkz8kz1000108k2carjewzf.info/evr.bat	—	2025-06-20
URL	https://cmbkz8kz1000108k2carjewzf.info/evr.bat	—	2025-06-20
domain	cmbkz8kz1000108k2carjewzf.info	—	2025-06-20
domain	process.name	—	2025-06-20
hostname	dns.question.name	—	2025-06-20
hostname	bts.process.name	—	2025-06-20
hostname	eventhub.header.process.name	—	2025-06-20
hostname	prosrm.service.process.name	—	2025-06-20
hostname	src.process.name	—	2025-06-20
hostname	target.process.name	—	2025-06-20
hostname	xdm.source.process.name	—	2025-06-20
hostname	xdm.target.process.name	—	2025-06-20
URL	http://bts.process.name	—	2025-06-20
URL	http://bts.process.name/	—	2025-06-20
URL	http://eventhub.header.process.name	—	2025-06-20
URL	http://prosrm.service.process.name/	—	2025-06-20
URL	http://src.process.name/	—	2025-06-20
URL	http://target.process.name	—	2025-06-20
URL	http://xdm.source.process.name	—	2025-06-20
URL	http://xdm.target.process.name	—	2025-06-20
URL	https://bts.process.name	—	2025-06-20
URL	https://bts.process.name/	—	2025-06-20
URL	https://eventhub.header.process.name	—	2025-06-20
URL	https://prosrm.service.process.name	—	2025-06-20
URL	https://src.process.name/	—	2025-06-20
URL	https://target.process.name	—	2025-06-20
URL	https://target.process.name/	—	2025-06-20
URL	https://xdm.source.process.name	—	2025-06-20
URL	https://xdm.source.process.name/	—	2025-06-20
URL	https://xdm.target.process.name	—	2025-06-20
URL	https://xdm.target.process.name/	—	2025-06-20
domain	question.name	—	2025-06-20
URL	https://cmbkz8kz1000108k2carjewzf.info/evr.bat/	—	2025-06-20

References (1)

↗ https://www.todyl.com/blog/threat-advisory-lightperlgirl-malware