← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic
In November 2025, threat analysts from Sekoia TDR discovered a malware distribution campaign targeting WordPress websites using a social engineering tactic known as ClickFix, facilitated through a Traffic Distribution System (TDS). This campaign primarily employed watering hole attacks, wherein legitimate websites are compromised to lure victims into executing malicious commands.
Sekoia TDR implemented an advanced detection capability to identify these watering hole attacks, utilizing generic YARA rules to scan for compromised web pages featuring the ClickFix tactic. These rules are based on specific keywords, resource patterns, and JavaScript functions associated with the tactic's implementation.
MITRE ATT&CK & Malware Families
Indicators of Compromise (140)
| TYPE | INDICATOR | DESCRIPTION | CREATED | |
|---|---|---|---|---|
| domain | foundationasdasd.com | — | 2026-01-30 | |
| FileHash-MD5 | 051cdb6ac8e168d178e35489b6da4c74 | MD5 of 6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269 | 2026-01-30 | |
| FileHash-MD5 | 0e37fbfa79d349d672456923ec5fbbe3 | MD5 of 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 | 2026-01-30 | |
| FileHash-MD5 | 14ca8f4ee0dd828ecfd0c566dce00f06 | MD5 of 83a6feb6304effcd258129e5d46f484e4c34c1cce1ea0c32a94a89283ccd24f9 | 2026-01-30 | |
| FileHash-MD5 | 26e28c01461f7e65c402bdf09923d435 | MD5 of d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368 | 2026-01-30 | |
| FileHash-MD5 | 3aabcd7c81425b3b9327a2bf643251c6 | MD5 of 0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f | 2026-01-30 | |
| FileHash-MD5 | 3be27483fdcdbf9ebae93234785235e3 | MD5 of 4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b | 2026-01-30 | |
| FileHash-MD5 | 5be6fb8f28544d4f83c25a2b76ff7890 | MD5 of b11380f81b0a704e8c7e84e8a37885f5879d12fbece311813a41992b3e9787f2 | 2026-01-30 | |
| FileHash-MD5 | 67c53a770390e8c038060a1921c20da9 | MD5 of 2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689 | 2026-01-30 | |
| FileHash-MD5 | 7629af8099b76f85d37b3802041503ee | MD5 of 2cc8ebea55c06981625397b04575ed0eaad9bb9f9dc896355c011a62febe49b5 | 2026-01-30 | |
| FileHash-MD5 | e7b92529ea10176fe35ba73fa4edef74 | MD5 of b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80 | 2026-01-30 | |
| FileHash-MD5 | ee75b57b9300aab96530503bfae8a2f2 | MD5 of 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268 | 2026-01-30 | |
| FileHash-SHA1 | 1d9b5cfcc30436112a7e31d5e4624f52e845c573 | SHA1 of d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368 | 2026-01-30 | |
| FileHash-SHA1 | 360b61fe19cdc1afb2b34d8c25d8b88a4c843a82 | SHA1 of 4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b | 2026-01-30 | |
| FileHash-SHA1 | 38c171457d160f8a6f26baa668f5c302f6c29cd1 | SHA1 of 6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269 | 2026-01-30 | |
| FileHash-SHA1 | 49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a | SHA1 of 2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689 | 2026-01-30 | |
| FileHash-SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 | SHA1 of 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 | 2026-01-30 | |
| FileHash-SHA1 | 6ad5d9338984c52b37f2176c8ae4ae2366a7fd25 | SHA1 of b11380f81b0a704e8c7e84e8a37885f5879d12fbece311813a41992b3e9787f2 | 2026-01-30 | |
| FileHash-SHA1 | 98dd757e1c1fa8b5605bda892aa0b82ebefa1f07 | SHA1 of 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268 | 2026-01-30 | |
| FileHash-SHA1 | cd7d6a571d58ff9bd6a411f98a205c43b9a34da2 | SHA1 of 83a6feb6304effcd258129e5d46f484e4c34c1cce1ea0c32a94a89283ccd24f9 | 2026-01-30 | |
| FileHash-SHA1 | ea841199baa7307280fc9e4688ac75e5624f2181 | SHA1 of 0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f | 2026-01-30 | |
| FileHash-SHA1 | f40a5efcb9dee679de22658c6f95c7e9c0f2f0c0 | SHA1 of 2cc8ebea55c06981625397b04575ed0eaad9bb9f9dc896355c011a62febe49b5 | 2026-01-30 | |
| FileHash-SHA1 | fc5b325d433cde797f6ad0d8b1305d6fb16d4e34 | SHA1 of b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80 | 2026-01-30 | |
| FileHash-SHA256 | 05b03a25e10535c5c8e2327ee800ff5894f5dbfaf72e3fdcd9901def6f072c6d | — | 2026-01-30 | |
| FileHash-SHA256 | 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268 | — | 2026-01-30 | |
| FileHash-SHA256 | 0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f | — | 2026-01-30 | |
| FileHash-SHA256 | 2cc8ebea55c06981625397b04575ed0eaad9bb9f9dc896355c011a62febe49b5 | — | 2026-01-30 | |
| FileHash-SHA256 | 2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689 | — | 2026-01-30 | |
| FileHash-SHA256 | 4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b | — | 2026-01-30 | |
| FileHash-SHA256 | 62f7a444ab0c645f20c7dc6340c3eaaad7ef033b2188c3e5123406762990c517 | — | 2026-01-30 | |
| FileHash-SHA256 | 6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269 | — | 2026-01-30 | |
| FileHash-SHA256 | 6846bc236bd2095fbf93f8b31dd4ca0798614fcab20fbd2ecac6cc7f431c6dec | — | 2026-01-30 | |
| FileHash-SHA256 | 83a6feb6304effcd258129e5d46f484e4c34c1cce1ea0c32a94a89283ccd24f9 | — | 2026-01-30 | |
| FileHash-SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 | — | 2026-01-30 | |
| FileHash-SHA256 | b11380f81b0a704e8c7e84e8a37885f5879d12fbece311813a41992b3e9787f2 | — | 2026-01-30 | |
| FileHash-SHA256 | b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80 | — | 2026-01-30 | |
| FileHash-SHA256 | d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368 | — | 2026-01-30 | |
| FileHash-SHA256 | e0ed36c897eaa5352fab181c20020b60df4c58986193d6aaf5bf3e3ecdc4c05d | — | 2026-01-30 | |
| URL | http://141.98.11.175/fakeurl.htm | — | 2026-01-30 | |
| URL | http://83.222.190.174:443/fakeurl.html | — | 2026-01-30 | |
| URL | http://85.208.84.35:443/fakeurl.htm | — | 2026-01-30 | |
| URL | http://fnotusykakimao.com:443 | — | 2026-01-30 | |
| URL | http://pusykakimao.com:443 | — | 2026-01-30 | |
| URL | http://scottvmorton.com/tytuy.json' | — | 2026-01-30 | |
| URL | https://bestieslos.com/over.js | — | 2026-01-30 | |
| URL | https://booksbypatriciaschultz.com/liner.php | — | 2026-01-30 | |
| URL | https://ksdkgsdkgkgmgm.pro/ofofo.js | — | 2026-01-30 | |
| URL | https://ksfldfklskdmbxcvb.com/- | — | 2026-01-30 | |
| URL | https://ksfldfklskdmbxcvb.com/admin/ | — | 2026-01-30 | |
| URL | https://ksfldfklskdmbxcvb.com/gigi?ts=1765169670 | — | 2026-01-30 | |
| URL | https://ototaikfffkf.com/fffa.js | — | 2026-01-30 | |
| YARA | 27c4a776680b7cfa16280b8c3cf3e6f5edd3517d | Find WordPress HTML compromised by the IClickFix cluster, that injects the ic-tracker-js HTML tag | 2026-01-30 | |
| YARA | d26141f8db39bbbb05c48e2f3b659a775093f736 | Find the second JavaScript of the IClickFix cluster, that contacts the .php?page= URL to download the ClickFix lure | 2026-01-30 | |
| YARA | cc1fbd7c3f6242fd3b2ff042af856c57e22835ae | Find WordPress HTML compromised by the IClickFix cluster, that injects the ic-tracker-js HTML tag | 2026-01-30 | |
| YARA | ce9195af37e24e20fe74bca13a348f92e28aa0a6 | Find the HTML lure used by the IClickFix cluster, impersonating Cloudflare Turnstile CAPTCHA | 2026-01-30 | |
| YARA | d448b53a0c953d809857c6fe3f561a60a377eb7b | Find the first obfuscated JavaScript of the IClickFix cluster, that contacts the .php?data= URL to download the second JavaScript | 2026-01-30 | |
| YARA | d92f5cd6d068b14e3687fef1aba28b4078bd2fcf | Find the second JavaScript of the IClickFix cluster, that contacts the .php?page= URL to download the ClickFix lure | 2026-01-30 | |
| domain | 1teamintl.com | — | 2026-01-30 | |
| domain | aasdtvcvchcvhhhhh.com | — | 2026-01-30 | |
| domain | abogados-gs.com | — | 2026-01-30 | |
| domain | adventurergsdfjg.com | — | 2026-01-30 | |
| domain | ahpc.gov.gh | — | 2026-01-30 | |
| domain | aksdaitkatktk.com | — | 2026-01-30 | |
| domain | almhdnursing.qa | — | 2026-01-30 | |
| domain | alsokdalsdkals.com | — | 2026-01-30 | |
| domain | appasdmdamsdmasd.com | — | 2026-01-30 | |
| domain | asdaotasktjastmnt.com | — | 2026-01-30 | |
| domain | atmospheredast.com | — | 2026-01-30 | |
| domain | basketballast.com | — | 2026-01-30 | |
| domain | bestiamos.com | — | 2026-01-30 | |
| domain | bestieslos.com | — | 2026-01-30 | |
| domain | blueprintsfdskjhfd.com | — | 2026-01-30 | |
| domain | booksbypatriciaschultz.com | — | 2026-01-30 | |
| domain | caprofklfkzttripwith.com | — | 2026-01-30 | |
| domain | dasdalksdkmasdas.com | — | 2026-01-30 | |
| domain | dasktiitititit.com | — | 2026-01-30 | |
| domain | dasopdoaodoaoaoao.com | — | 2026-01-30 | |
| domain | dhdjisksnsbhssu.com | — | 2026-01-30 | |
| domain | dreamdraftingsydney.com.au | — | 2026-01-30 | |
| domain | ecoawnings.com.au | — | 2026-01-30 | |
| domain | erisaactuarialservices.com | — | 2026-01-30 | |
| domain | fnotusykakimao.com | — | 2026-01-30 | |
| domain | foflfalflafl.com | — | 2026-01-30 | |
| domain | forfsakencoilddxga.com | — | 2026-01-30 | |
| domain | fsdotiototakkaakkal.com | — | 2026-01-30 | |
| domain | fsdtiototoitweot.com | — | 2026-01-30 | |
| domain | generationkasdm.com | — | 2026-01-30 | |
| domain | gerab.bt | — | 2026-01-30 | |
| domain | ikfsdfksldkflsktoq.com | — | 2026-01-30 | |
| domain | ititoiaitoaitoiakkaka.com | — | 2026-01-30 | |
| domain | jairecanoas.com | — | 2026-01-30 | |
| domain | jdaklsjdklajsldkjd.com | — | 2026-01-30 | |
| domain | kalkgmbzfghq.com | — | 2026-01-30 | |
| domain | kdfmmikfkafjikmfikfjhm.com | — | 2026-01-30 | |
| domain | kdkdaosdkalkdkdakd.com | — | 2026-01-30 | |
| domain | ksaitkktkatfl.com | — | 2026-01-30 | |
| domain | ksdkgsdkgkgmgm.pro | — | 2026-01-30 | |
| domain | ksfldfklskdmbxcvb.com | — | 2026-01-30 | |
| domain | lastmychancetoss.com | — | 2026-01-30 | |
| domain | ldasldalsd.com | — | 2026-01-30 | |
| domain | location.host | — | 2026-01-30 | |
| domain | losiposithankyou.com | — | 2026-01-30 | |
| domain | makimakiokina.com | — | 2026-01-30 | |
| domain | medi-care.gr | — | 2026-01-30 | |
| domain | mexicaletta.com.br | — | 2026-01-30 | |
| domain | newgenlosehops.com | — | 2026-01-30 | |
| domain | nightlomsknies.com | — | 2026-01-30 | |
| domain | notlimbobimboa.com | — | 2026-01-30 | |
| domain | notmauserfizko.com | — | 2026-01-30 | |
| domain | ototaikfffkf.com | — | 2026-01-30 | |
| domain | ototoqtklktzlk.com | — | 2026-01-30 | |
| domain | otpnemoyjfh.com | — | 2026-01-30 | |
| domain | overtimeforus.com | — | 2026-01-30 | |
| domain | pisikakimmmad.com | — | 2026-01-30 | |
| domain | pptpooalfkakktl.com | — | 2026-01-30 | |
| domain | pqoqllalll.com | — | 2026-01-30 | |
| domain | pusykakimao.com | — | 2026-01-30 | |
| domain | remarkableaskf.com | — | 2026-01-30 | |
| domain | scottvmorton.com | — | 2026-01-30 | |
| domain | sdfikguoriqoir.cloud | — | 2026-01-30 | |
| domain | serviceverifcaptcho.com | — | 2026-01-30 | |
| domain | sfc-oman.com | — | 2026-01-30 | |
| domain | skldfjgsldkmfgsdfg.com | — | 2026-01-30 | |
| domain | smallfootmyfor.com | — | 2026-01-30 | |
| domain | soinpharmaceuticals.com | — | 2026-01-30 | |
| domain | solpower.com.my | — | 2026-01-30 | |
| domain | stangherlini.com.br | — | 2026-01-30 | |
| domain | talentforth.org | — | 2026-01-30 | |
| domain | tripallmaljok.com | — | 2026-01-30 | |
| domain | undermymindops.com | — | 2026-01-30 | |
| domain | understandott.com | — | 2026-01-30 | |
| domain | universitynsd.com | — | 2026-01-30 | |
| domain | voluntarydasd.com | — | 2026-01-30 | |
| domain | wintars.com | — | 2026-01-30 | |
| domain | xxclglglglklgkxlc.com | — | 2026-01-30 | |
| domain | zmzkdodudhdbdu.com | — | 2026-01-30 | |
| hostname | www.alwanqa.com | — | 2026-01-30 | |
| hostname | www.mitaxi.net | — | 2026-01-30 | |
| hostname | www.raftingsella.com | — | 2026-01-30 | |
| hostname | www.webentangled.com | — | 2026-01-30 |