PULSE NAME
Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic
WHITE PetrP.73 2026-01-30 Modified: 2026-03-01
140 IOCs (HIGH VOLUME)
In November 2025, threat analysts from Sekoia TDR discovered a malware distribution campaign targeting WordPress websites using a social engineering tactic known as ClickFix, facilitated through a Traffic Distribution System (TDS). This campaign primarily employed watering hole attacks, wherein legitimate websites are compromised to lure victims into executing malicious commands. Sekoia TDR implemented an advanced detection capability to identify these watering hole attacks, utilizing generic YARA rules to scan for compromised web pages featuring the ClickFix tactic. These rules are based on specific keywords, resource patterns, and JavaScript functions associated with the tactic's implementation.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
ClickFix
Indicators of Compromise (11 / 140 total)