{
  "type": "Domain",
  "indicator": "adwwworks.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/adwwworks.com",
    "alexa": "http://www.alexa.com/siteinfo/adwwworks.com",
    "indicator": "adwwworks.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4072597960,
      "indicator": "adwwworks.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "68ac163718a6b7c8f0fb4478",
          "name": "FileFix The Evolved ClickFix.",
          "description": "In June 2025, the researcher known as MrD0x introduced a new variant of the ClickFix technique called FileFix, which enhances the initial access capabilities used by threat actors. Unlike traditional ClickFix attacks that utilize the Windows Run dialogue, FileFix capitalizes on the File Explorer address bar to execute commands, thereby circumventing detection methods that rely on Run dialogue interactions.\n\nClickFix originated in 2024 and has become a favoured method among various threat actors, including groups TA571 and TA569, as well as multiple initial access brokers. The technique relies heavily on social engineering, requiring users to manually execute malicious code following specific instructions provided on a web page. This direct user engagement is essential for the success of the attack, enabling perpetrators to gain access to targeted systems effectively.",
          "modified": "2025-09-24T07:05:04.439000",
          "created": "2025-08-25T07:52:23.112000",
          "tags": [
            "filefix",
            "clickfix",
            "mrd0x",
            "file explorer",
            "kongtuke",
            "html code",
            "run dialogue",
            "windows run",
            "windows command",
            "june",
            "fakeupdates",
            "powershell",
            "clearfake",
            "execution",
            "malware",
            "mintsloader",
            "stealc",
            "akira",
            "rhysida",
            "monitoring",
            "apply",
            "base64",
            "socghoulish",
            "url https",
            "domain",
            "url http",
            "file name",
            "name",
            "ip address",
            "sha256",
            "indicator type",
            "userprofile",
            "sha256 http"
          ],
          "references": [
            "https://www.bridewell.com/insights/blogs/detail/filefix-the-evolved-clickfix"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Base64",
              "display_name": "Base64",
              "target": null
            },
            {
              "id": "KongTuke",
              "display_name": "KongTuke",
              "target": null
            },
            {
              "id": "FileFix",
              "display_name": "FileFix",
              "target": null
            },
            {
              "id": "SocGhoulish",
              "display_name": "SocGhoulish",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 10,
            "URL": 66,
            "domain": 45,
            "hostname": 3
          },
          "indicator_count": 126,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "252 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6846ac4df84821ab290af471",
          "name": "DarkEngine: Unmasking the Sophisticated WordPress Phishing Campaign",
          "description": "CyberCX has discovered a sophisticated phishing campaign named DarkEngine, which targets users of WP Engine, a managed WordPress hosting platform, and has been active since at least June 2024. The campaign employs SEO poisoning to lure victims to phishing sites mimicking the WP Engine login interface, enabling attackers to steal credentials and gain unauthorized access to WP Engine accounts and their associated WordPress sites. Once compromised, the attackers inject backdoors via malicious plugins and execute harmful JavaScript, affecting over 2,353 unique sites primarily in Australia and New Zealand, while also utilizing techniques like ClickFix to manipulate visitors into executing harmful commands. The operation employs a headless browser automation tool for exploitation, maintaining persistence through various backdoors and SFTP accounts.",
          "modified": "2025-07-09T09:00:16.142000",
          "created": "2025-06-09T09:41:33.230000",
          "tags": [
            "injected link",
            "providers",
            "injected links",
            "solutions llp",
            "bl networks",
            "limited",
            "fornex hosting",
            "cgi global",
            "smartape ou",
            "proton66 ooo",
            "red bytes",
            "cloudflare",
            "llc bl",
            "networks",
            "prospero ooo",
            "cybercx",
            "public"
          ],
          "references": [
            "https://connect.cybercx.com.au/dark-engine"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 56,
            "domain": 55
          },
          "indicator_count": 111,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "329 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68445797edce3aedea6c7835",
          "name": "CyberCX & WP Engine Expose Active Exploits: Cloud, Ransomware, and Supply Chain Threats.",
          "description": "CyberCX and WP Engine\u2019s latest report reveals active cyber threats targeting cloud environments, ransomware operations, and software supply chains. Key findings include: \u2022 Exploited Cloud Vulnerabilities: Attackers abusing misconfigurations in AWS, Azure, and SaaS platforms for initial access. \u2022 Ransomware-as-a-Service (RaaS) Expansion: New affiliate tactics leading to faster encryption and double extortion. \u2022 Software Supply Chain Compromises: Malicious code injections in third-party vendor updates, enabling silent backdoors.",
          "modified": "2025-07-07T15:00:14.692000",
          "created": "2025-06-07T15:15:35.855000",
          "tags": [],
          "references": [
            "https://storage.pardot.com/1069042/1748905703CCn8f7sn/CyberCX___WP_Engine_Report.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 60,
            "domain": 56,
            "hostname": 1
          },
          "indicator_count": 117,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 546,
          "modified_text": "331 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://connect.cybercx.com.au/dark-engine",
        "https://www.bridewell.com/insights/blogs/detail/filefix-the-evolved-clickfix",
        "https://storage.pardot.com/1069042/1748905703CCn8f7sn/CyberCX___WP_Engine_Report.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Filefix",
            "Kongtuke",
            "Socghoulish",
            "Base64"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "68ac163718a6b7c8f0fb4478",
      "name": "FileFix The Evolved ClickFix.",
      "description": "In June 2025, the researcher known as MrD0x introduced a new variant of the ClickFix technique called FileFix, which enhances the initial access capabilities used by threat actors. Unlike traditional ClickFix attacks that utilize the Windows Run dialogue, FileFix capitalizes on the File Explorer address bar to execute commands, thereby circumventing detection methods that rely on Run dialogue interactions.\n\nClickFix originated in 2024 and has become a favoured method among various threat actors, including groups TA571 and TA569, as well as multiple initial access brokers. The technique relies heavily on social engineering, requiring users to manually execute malicious code following specific instructions provided on a web page. This direct user engagement is essential for the success of the attack, enabling perpetrators to gain access to targeted systems effectively.",
      "modified": "2025-09-24T07:05:04.439000",
      "created": "2025-08-25T07:52:23.112000",
      "tags": [
        "filefix",
        "clickfix",
        "mrd0x",
        "file explorer",
        "kongtuke",
        "html code",
        "run dialogue",
        "windows run",
        "windows command",
        "june",
        "fakeupdates",
        "powershell",
        "clearfake",
        "execution",
        "malware",
        "mintsloader",
        "stealc",
        "akira",
        "rhysida",
        "monitoring",
        "apply",
        "base64",
        "socghoulish",
        "url https",
        "domain",
        "url http",
        "file name",
        "name",
        "ip address",
        "sha256",
        "indicator type",
        "userprofile",
        "sha256 http"
      ],
      "references": [
        "https://www.bridewell.com/insights/blogs/detail/filefix-the-evolved-clickfix"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Base64",
          "display_name": "Base64",
          "target": null
        },
        {
          "id": "KongTuke",
          "display_name": "KongTuke",
          "target": null
        },
        {
          "id": "FileFix",
          "display_name": "FileFix",
          "target": null
        },
        {
          "id": "SocGhoulish",
          "display_name": "SocGhoulish",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 10,
        "URL": 66,
        "domain": 45,
        "hostname": 3
      },
      "indicator_count": 126,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 544,
      "modified_text": "252 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6846ac4df84821ab290af471",
      "name": "DarkEngine: Unmasking the Sophisticated WordPress Phishing Campaign",
      "description": "CyberCX has discovered a sophisticated phishing campaign named DarkEngine, which targets users of WP Engine, a managed WordPress hosting platform, and has been active since at least June 2024. The campaign employs SEO poisoning to lure victims to phishing sites mimicking the WP Engine login interface, enabling attackers to steal credentials and gain unauthorized access to WP Engine accounts and their associated WordPress sites. Once compromised, the attackers inject backdoors via malicious plugins and execute harmful JavaScript, affecting over 2,353 unique sites primarily in Australia and New Zealand, while also utilizing techniques like ClickFix to manipulate visitors into executing harmful commands. The operation employs a headless browser automation tool for exploitation, maintaining persistence through various backdoors and SFTP accounts.",
      "modified": "2025-07-09T09:00:16.142000",
      "created": "2025-06-09T09:41:33.230000",
      "tags": [
        "injected link",
        "providers",
        "injected links",
        "solutions llp",
        "bl networks",
        "limited",
        "fornex hosting",
        "cgi global",
        "smartape ou",
        "proton66 ooo",
        "red bytes",
        "cloudflare",
        "llc bl",
        "networks",
        "prospero ooo",
        "cybercx",
        "public"
      ],
      "references": [
        "https://connect.cybercx.com.au/dark-engine"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 56,
        "domain": 55
      },
      "indicator_count": 111,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 544,
      "modified_text": "329 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68445797edce3aedea6c7835",
      "name": "CyberCX & WP Engine Expose Active Exploits: Cloud, Ransomware, and Supply Chain Threats.",
      "description": "CyberCX and WP Engine\u2019s latest report reveals active cyber threats targeting cloud environments, ransomware operations, and software supply chains. Key findings include: \u2022 Exploited Cloud Vulnerabilities: Attackers abusing misconfigurations in AWS, Azure, and SaaS platforms for initial access. \u2022 Ransomware-as-a-Service (RaaS) Expansion: New affiliate tactics leading to faster encryption and double extortion. \u2022 Software Supply Chain Compromises: Malicious code injections in third-party vendor updates, enabling silent backdoors.",
      "modified": "2025-07-07T15:00:14.692000",
      "created": "2025-06-07T15:15:35.855000",
      "tags": [],
      "references": [
        "https://storage.pardot.com/1069042/1748905703CCn8f7sn/CyberCX___WP_Engine_Report.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 60,
        "domain": 56,
        "hostname": 1
      },
      "indicator_count": 117,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 546,
      "modified_text": "331 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "adwwworks.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "adwwworks.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780506192.8257916
}