PULSE NAME
User interaction with a ClickFix-style phishing site resulted in execution of an obfuscated PowerShell command
WHITE Tr1sa111 2026-04-30 Modified: 2026-05-29
12 IOCs
MEDIUM VOLUME
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
HijackLoader, Lumma Stealer - S1213, LummaStealer
Indicators of Compromise (12)