← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Fake CAPTCHA / ClickFix Chain Using PowerShell, MSHTA, and an Evasive Payload
WHITE mengkuong 2025-12-01 Modified: 2025-12-22
15
IOCs
MEDIUM VOLUME
Key Takeaway: This campaign demonstrates how threat actors are increasingly adopting low-noise execution chains paired with heavily evasive payloads to bypass dynamic analysis and automated detection.
Indicators of Compromise (15)
All FileHash-SHA256 URL domain
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA256 ed8c6ff5c9b7195c3e97df6b0893e91bbb0609a97b9edef739612cdec6dcc1cd 2025-12-01
URL https://planb.ph/uploads/settings/journal.dat 2025-12-01
URL https://planb.ph/uploads/toptics/updates/ 2025-12-01
URL https://jquery.nekoweb.org/Imstudio/updates 2025-12-01
URL https://jquery.nekoweb.org/Imstudio/ea34419b706a9bc.zip 2025-12-01
URL http://178.16.54.200/files/7838746815/kM7Tctd.exe 2025-12-01
FileHash-SHA256 69906f4f1c78782ec90ae77e676f7510ff2e9a64fab2426fdf4b8c154a26c5f3 2025-12-01
FileHash-SHA256 113735ee423cef4d9f1feabffd032816f22eea88b3e103332883cc19f1136e21 2025-12-01
FileHash-SHA256 b7df1ca221d8437e9f0efc0ec9e8b52c0aedd050d13c03781146422f44479b74 2025-12-14
FileHash-SHA256 c0e2c3486379820692442f7b416262975c531f750e83b07e5ef3fd259013c2c2 2025-12-14
FileHash-SHA256 8e6fffebb8e1818f118bad8b293c8629fcb171dce19c16466057642efdfb901a 2025-12-14
FileHash-SHA256 7a2df2d39e463fb3bfc81b1fd06a46dcf9c0a47610e79b57ad3760e26c952bce 2025-12-22
FileHash-SHA256 ede901c907b1751c8011d85e4f960dc54f6e152a95da735324f4f21d971cf297 2025-12-22
URL https://planb.ph/uploads/pattern/LMStudioSetup.exe 2025-12-22
domain planb.ph 2025-12-22