PULSE NAME
User interaction with a ClickFix-style phishing site resulted in execution of an obfuscated PowerShell command
WHITE Tr1sa111 2026-04-30 Modified: 2026-05-29
12 IOCs, MEDIUM VOLUME
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
HijackLoader, Lumma Stealer - S1213, LummaStealer
Indicators of Compromise (2 / 12 total)
TYPE INDICATOR DESCRIPTION CREATED
URL http://85.11.161.198:6600/qffww8ph/2DTYOKUEN.msi 2026-04-30
URL http://robinhuds.com:9658/ 2026-04-30