Pulse name: ClickFix-as-a-Service platform with fake Cloudflare CAPTCHA using compromised WordPress sites using a DOM overlay
WHITE · dispensight · Created: 2026-05-20 · Modified: 2026-05-20
105 IOCs · High volume
TLP:GREEN | SL-ADV-2026-WP-001 UNIFIED | March 20 – May 19, 2026

ClickFix/TDS cluster active since March 2026. Compromised WordPress sites inject an obfuscated JS loader that fires a synchronous XHR to a TDS C2 (ntdnewtds.shop / dnsnewtds.shop / sdntds.shop), fetches a remote payload, and executes it inline. Victims see a fake Cloudflare CAPTCHA (Shadow DOM, localized into 50 languages) that silently writes a PowerShell command to the clipboard.

PowerShell chain: IRM stage 1 → IWR stage 2 → csc.exe compiles the Rozena DLL → svchost injection → DonutLoader C2 (158.94.208.104) → browser/Firefox/crypto-wallet credential theft → self-delete. A parallel Python chain (Protected.py) uses direct NT syscalls for EDR bypass.

Per-campaign C2 IPs, segmented DonutLoader payloads (my_ / student_) and a 6-domain TDS pool suggest a ClickFix-as-a-Service affiliate platform. 4 JS variants documented March–May 2026.

SecureLeaf · Dispensight Security Research · SL-ADV-2026-WP-001 rev. 3.0 · STIX 2.1 · 438 objects · 4 variants · 2 execution chains
Indicators of Compromise (12 / 105 total)