PULSE NAME
ClickFix-style commands disguised as tech tips across social media platforms and beyond
WHITE PetrP.73 2026-04-17 Modified: 2026-04-17
29 IOCs, MEDIUM VOLUME
ClickFix-style attacks have emerged as a significant cyber threat, exploiting social media and video content to deliver malware effectively. These attacks prompt unsuspecting victims to execute seemingly harmless commands on their machines, which initiates a chain of malicious activities resulting in the installation of malware, most notably the Vidar information stealer. In a case investigated by WithSecure's Managed Detection and Response team, this method was demonstrated when a corporate endpoint executed a ClickFix command disguised as a tech tip, compromising the system.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
ClickFix, Vidar
Indicators of Compromise (29)