Pulse name: IOC - Fake CAPTCHA Campaign: Inside a Multi-Stage Stealer Assault
TLP: WHITE | Author: celestre | Created: 2026-03-24 | Modified: 2026-04-23
55 IOCs (high volume)
This report expands LevelBlue’s ongoing investigation into a multi-stage fileless malware campaign in which a network of compromised legitimate websites redirects victims to fake CAPTCHA verification pages delivering credential-stealing payloads through a ClickFix social engineering mechanism.
Indicators of Compromise (55)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 581c6dd57a0af1cead86257f89d571bb MD5 of 807d050db2f7f0d1073096d47c6835ab6806744e64fa17cd7d80c138fa2c5783 2026-03-24
FileHash-MD5 727c9fcd1d8a4a6e42eee33a22564de1 MD5 of aa8eb05991e26c4aafc6a36e7fa8439b1594e0c8bf2ca63dbc961b6ffdcbc5ba 2026-03-24
FileHash-MD5 7cf1f49eb43e0e392f19cd1108b308dc MD5 of 510b45e5977b671a550e466dd2ffde4e5dbd51a13d4075a6720388833ee33d9f 2026-03-24
FileHash-MD5 853e83733d064e51ba5addf1471b6e02 MD5 of 324a4f52861de5693c3749706969dfa8f65236338a53cdd489437f8b3d167d63 2026-03-24
FileHash-MD5 c85fec39496b41e5f61aa724dfdc12d5 MD5 of 5b005fbeb63d8bc0fd3090898aafc87d33f4b4032f9a9379e2b519307616e8c5 2026-03-24
FileHash-MD5 ce223670524974b51445c29a61491712 MD5 of 701f5f9fe2a386456622ae19164990084df41e789c826e45fb56a2f5a4596036 2026-03-24
FileHash-MD5 f8a9cf442344f7a767584e7b57eca62c MD5 of cc8c18bcd2c83b46518840c6966dd0f14b0e46c6f49a04e47aa13bca70b2e733 2026-03-24
FileHash-SHA1 48d0da40f92438cc42d585e0a0615edb57e954e4 SHA1 of 324a4f52861de5693c3749706969dfa8f65236338a53cdd489437f8b3d167d63 2026-03-24
FileHash-SHA1 5782f88d312c7b51e50cce65a588a56cb791ac8a SHA1 of 807d050db2f7f0d1073096d47c6835ab6806744e64fa17cd7d80c138fa2c5783 2026-03-24
FileHash-SHA1 68e56e8bce49a2bf3dccd448d6fe1ae3712243b1 SHA1 of 510b45e5977b671a550e466dd2ffde4e5dbd51a13d4075a6720388833ee33d9f 2026-03-24
FileHash-SHA1 8ac09bc50dd2502a7e0cbba76c4a607cc925da2a SHA1 of 701f5f9fe2a386456622ae19164990084df41e789c826e45fb56a2f5a4596036 2026-03-24
FileHash-SHA1 b85a24f7298fd7d0df336f92d2404798b1c3c970 SHA1 of 5b005fbeb63d8bc0fd3090898aafc87d33f4b4032f9a9379e2b519307616e8c5 2026-03-24
FileHash-SHA1 c54581cdc7d29794f02f9b906772ca5bc0b30e7a SHA1 of aa8eb05991e26c4aafc6a36e7fa8439b1594e0c8bf2ca63dbc961b6ffdcbc5ba 2026-03-24
FileHash-SHA1 ede73d0ab98113cb2073cb00b58e46ae626a7d4a SHA1 of cc8c18bcd2c83b46518840c6966dd0f14b0e46c6f49a04e47aa13bca70b2e733 2026-03-24
FileHash-SHA256 255b35bc92923f1b1376484a659c76556200ea6988b6bb2cccb130b38e5d026b 2026-03-24
FileHash-SHA256 324a4f52861de5693c3749706969dfa8f65236338a53cdd489437f8b3d167d63 2026-03-24
FileHash-SHA256 510b45e5977b671a550e466dd2ffde4e5dbd51a13d4075a6720388833ee33d9f 2026-03-24
FileHash-SHA256 5b005fbeb63d8bc0fd3090898aafc87d33f4b4032f9a9379e2b519307616e8c5 2026-03-24
FileHash-SHA256 701f5f9fe2a386456622ae19164990084df41e789c826e45fb56a2f5a4596036 2026-03-24
FileHash-SHA256 807d050db2f7f0d1073096d47c6835ab6806744e64fa17cd7d80c138fa2c5783 2026-03-24
FileHash-SHA256 89400f1c95cdb0079c33587753cb65db51ecbed0310e4502d659203f43809593 2026-03-24
FileHash-SHA256 aa8eb05991e26c4aafc6a36e7fa8439b1594e0c8bf2ca63dbc961b6ffdcbc5ba 2026-03-24
FileHash-SHA256 b28e3e5f8395705cfcba779db53125f54a8802a822c2108440ac3c86c961bffe 2026-03-24
FileHash-SHA256 cc8c18bcd2c83b46518840c6966dd0f14b0e46c6f49a04e47aa13bca70b2e733 2026-03-24
domain captioto.com 2026-03-24
domain captoolsz.com 2026-03-24
domain cptoptious.com 2026-03-24
domain namzcp.org 2026-03-24
domain vision-clouds.org 2026-03-24
URL https://mushub.cfd 2026-03-24
URL https://searchservice.cfd 2026-03-24
domain mushub.cfd 2026-03-24
domain searchservice.cfd 2026-03-24
URL https://cki.yago.fun 2026-03-24
URL https://d2d.agfoodpos.com 2026-03-24
URL https://hrm.yago.fun 2026-03-24
URL https://jth.yago.fun 2026-03-24
URL https://cki.sodstreams.com 2026-03-24
URL https://ddy.yago.fun 2026-03-24
URL https://lat.sodstreams.com d465172175d35d493fb1633e237700022bd849fa123164790b168b8318acb090 2026-03-24
URL https://stm.agfoodpos.com 2026-03-24
URL https://stm.alipico.com 2026-03-24
URL https://zak.agfoodpos.com 2026-03-24
hostname cki.sodstreams.com 2026-03-24
hostname cki.yago.fun 2026-03-24
hostname d2d.agfoodpos.com 2026-03-24
hostname ddy.yago.fun 2026-03-24
hostname hrm.yago.fun 2026-03-24
hostname jth.yago.fun 2026-03-24
hostname lat.sodstreams.com 2026-03-24
hostname stm.agfoodpos.com 2026-03-24
hostname stm.alipico.com 2026-03-24
hostname zak.agfoodpos.com 2026-03-24
URL https://107.150.0.79/ 2026-03-24
URL https://91.92.241.235/ 2026-03-24