ClickFix: YARA Rules Catch What AV Misses
WHITE PetrP.73 2026-05-08 Modified: 2026-05-08
ClickFix emerged as a significant attack vector during 2024 and 2025. It relies on social engineering rather than software vulnerabilities. Victims are directed to fraudulent websites that pose as CAPTCHA or document verification pages, where they are instructed to open the Windows Run dialog and paste a command that the website has generated and copied to their clipboard. The command typically runs a malicious PowerShell script directly in memory, which evades traditional security measures because nothing is written to disk in a detectable manner.
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
ClickFix
Indicators of Compromise (7)
TYPE INDICATOR DESCRIPTION CREATED
URL http://authone-drive.online/client.bat 2026-05-08
URL http://portal-idos.network/auth?xc=1150125 2026-05-08
URL https://authone-drive.online/client.bat\' 2026-05-08
URL https://portal-idos.network/auth?xc=1150125 2026-05-08
YARA daac1825d3fb6a20053da4b7b5f1fa38f1503835 Detects ClickFix HTML pages that trick users into copying and pasting malicious PowerShell via fake Captcha/Verification instructions. 2026-05-08
domain authone-drive.online 2026-05-08
domain portal-idos.network 2026-05-08