PULSE NAME
Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic
WHITE PetrP.73 2026-01-30 Modified: 2026-03-01
140 IOCs (HIGH VOLUME)
In November 2025, threat analysts from Sekoia TDR discovered a malware distribution campaign targeting WordPress websites using a social engineering tactic known as ClickFix, facilitated through a Traffic Distribution System (TDS). This campaign primarily employed watering hole attacks, wherein legitimate websites are compromised to lure victims into executing malicious commands. Sekoia TDR implemented an advanced detection capability to identify these watering hole attacks, utilizing generic YARA rules to scan for compromised web pages featuring the ClickFix tactic. These rules are based on specific keywords, resource patterns, and JavaScript functions associated with the tactic's implementation.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
ClickFix
Indicators of Compromise (13 / 140 total)