[
  {
    "id": 4348864669,
    "indicator": "http://authone-drive.online/client.bat",
    "type": "URL",
    "created": "2026-05-08T11:43:19",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 4348864670,
    "indicator": "http://portal-idos.network/auth?xc=1150125",
    "type": "URL",
    "created": "2026-05-08T11:43:19",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 4348864671,
    "indicator": "https://authone-drive.online/client.bat\\'",
    "type": "URL",
    "created": "2026-05-08T11:43:19",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 4348864672,
    "indicator": "https://portal-idos.network/auth?xc=1150125",
    "type": "URL",
    "created": "2026-05-08T11:43:19",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 4348864673,
    "indicator": "daac1825d3fb6a20053da4b7b5f1fa38f1503835",
    "type": "YARA",
    "created": "2026-05-08T11:43:19",
    "content": "rule Detect_ClickFix_FakeCaptcha_PowerShell {   \n      \n       meta:   \n           description = \"Detects ClickFix HTML pages that trick users into copying and pasting malicious PowerShell via fake Captcha/Verification instructions.\"   \n           author = \"Toni_Dujmovic\"   \n           date = \"2026-03-18\"   \n      \n       strings:   \n           // 1. Social Engineering / Instruction Text   \n           $se_win_key = \"Windows Key\" ascii wide nocase   \n           $se_cmd = \"cmd\" ascii wide nocase fullword   \n           $se_paste = \"Ctrl + V\" ascii wide nocase   \n      \n           // 2. Fake Verification Context   \n           $ctx_robot = \"not a robot\" ascii wide nocase   \n           $ctx_verify = \"Verification Steps\" ascii wide nocase   \n           $ctx_recaptcha = \"reCAPTCHA\" ascii wide nocase   \n      \n           // 3. Malicious Payload Indicators (PowerShell)   \n           $ps_base = \"powershell\" ascii wide nocase   \n           $ps_bypass = \"Bypass\" ascii wide nocase   \n           $ps_nop = \"-NoP\" ascii wide nocase   \n           $ps_noni = \"-NonI\" ascii wide nocase   \n      \n           // 4. Clipboard Manipulation Logic   \n           $js_copy_1 = \"document.execCommand('copy')\" ascii wide nocase   \n           $js_copy_2 = \"navigator.clipboard.writeText\" ascii wide nocase   \n      \n       condition:   \n      \n           // Size limit: under 400KB   \n           filesize < 400KB and   \n           (2 of ($se_*)) and (2 of ($ctx_*)) and (2 of ($ps_*)) and (any of ($js_copy_*))   \n   }",
    "title": "",
    "description": "Detects ClickFix HTML pages that trick users into copying and pasting malicious PowerShell via fake Captcha/Verification instructions.",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 4143416510,
    "indicator": "authone-drive.online",
    "type": "domain",
    "created": "2026-05-08T11:43:19",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  },
  {
    "id": 4266980153,
    "indicator": "portal-idos.network",
    "type": "domain",
    "created": "2026-05-08T11:43:19",
    "content": "",
    "title": "",
    "description": "",
    "expiration": null,
    "is_active": 1
  }
]