← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
HellsUchecker: ClickFix to blockchain-backed backdoor
WHITE PetrP.73 2026-03-18 Modified: 2026-04-17
36
IOCs
MEDIUM VOLUME
HellsUchecker is a sophisticated native x64 backdoor, measuring 28 KB, known for its complex 10-stage attack chain that begins with a deceptive ClickFix lure, resembling a Cloudflare CAPTCHA, and culminates in a memory-resident payload that communicates with its command and control (C2) server over HTTPS. The initial stage directs victims to a phishing page, http://h01-captcha.sbs, which replicates a legitimate CAPTCHA interface. Upon interaction, it prompts users to execute a malicious command line, facilitated by a clipboard payload that runs the legitimate Windows utility "finger.exe" on port 79. This utility fetches malicious commands hidden in a crafted .plan file from a malicious server. The payload then employs a series of instructions to disable the desktop's explorer.exe, download a legitimate Python embed package disguised as a PDF, and execute a secondary payload via a base64-encoded script.
backdoorblockchainetherhidingmalwarereverseengineeringclickfixapismsbuilddomain grouppeb walkpythonwinhttppe loaderc2 serverhellsmart contractgateavalanchefebruaryaugustvirustotalsandboxukrainebelarusarmeniasyscallcleanupshellcodedateapachehostsglobal domainamosnistwebcacheodysseykasperskykeccak256ethereumhellsucheckereazfuscator
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
HellsUchecker
Indicators of Compromise (36)
All FileHash-MD5 FileHash-SHA256 URL domain email hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 3eaa961afb33be5dcf49f1a4623f432a 2026-03-18
FileHash-MD5 ebbb51646cbfaf537b54de3ef18dfee2 2026-03-18
FileHash-MD5 f4ff8583fca7caff05be694ac8cce8aa 2026-03-18
FileHash-MD5 ffb1f4cfd452abaa17b93422dcc26ebf 2026-03-18
FileHash-SHA256 2b6273d63ec822621bbefdf723ec8182494e648e2ae1215359c090b491667249 2026-03-18
FileHash-SHA256 6373eec0482f5b98f127967135937fca60e5a497befb51cb1267fa402063095d 2026-03-18
FileHash-SHA256 980a0ab9b888df0fedcf2c8cdd175e4b97488fddbcb6713234c09d2ec5f978c1 2026-03-18
FileHash-SHA256 b1f1ee50095631abce5121f234abc60a64e458fec395b61362f51ae7c437a2c2 2026-03-18
FileHash-SHA256 dcf5e6b4c75c50010d79ba3c451de49f433b7f7b7138013c60b1fa168441399c 2026-03-18
URL http://129.0.0.0 2026-03-18
URL http://finger.cldvrfd.click:79 2026-03-18
URL http://rec.allthe.site/chk 2026-03-18
URL http://vrf.cldvrfd.click/u323245/local3.txt' 2026-03-18
URL https://more-arpc.icu 2026-03-18
URL https://rec.allthe.site/chk 2026-03-18
URL https://rpcsecnoweb.pro 2026-03-18
domain acchimneyservices.cfd 2026-03-18
domain allthe.site 2026-03-18
domain cldvrfd.click 2026-03-18
domain dns-parking.com 2026-03-18
domain h01-captcha.sbs 2026-03-18
domain more-arpc.icu 2026-03-18
domain rpcsecnoweb.pro 2026-03-18
domain sobeautyrebel.cfd 2026-03-18
email xdsfeerdfbn@finger.cldvrfd.click 2026-03-18
hostname bat.agent.br 2026-03-18
hostname cl.allthe.site 2026-03-18
hostname cmd.allthe.site 2026-03-18
hostname finger.cldvrfd.click 2026-03-18
hostname nnp0.allthe.site 2026-03-18
hostname on.cldvrfd.click 2026-03-18
hostname panel.allthe.site 2026-03-18
hostname pnn.allthe.site 2026-03-18
hostname rec.allthe.site 2026-03-18
hostname v633689.hosted-by-vdsina.com 2026-03-18
hostname vrf.cldvrfd.click 2026-03-18
References (1)
↗ https://www.derp.ca/research/hellsuchecker-clickfix-etherhiding/