{ "type": "Domain", "indicator": "asmicareer.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/asmicareer.com", "alexa": "http://www.alexa.com/siteinfo/asmicareer.com", "indicator": "asmicareer.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4138507151, "indicator": "asmicareer.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "68e94967bcab143b278f0611", "name": "The ClickFix Factory: First Exposure of IUAM ClickFix Generator", "description": "Palo Alto Unit42 have uncovered a phishing kit named the IUAM ClickFix Generator that automates the creation of these attacks. The kit is designed to generate highly customizable phishing pages that lure victims by mimicking browser verification challenges often used to block automated traffic. It includes advanced features such as operating system detection and clipboard injection, enabling low-effort, cross-platform malware deployment.", "modified": "2025-11-09T17:03:04.892000", "created": "2025-10-10T17:59:02.682000", "tags": [ "ClickFix", "clipboard", "phishing", "deerstealer", "rat", "remote access", "captcha", "odyssey", "infostealer", "iuam", "clickfix generator", "macos" ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [ { "id": "Odyssey", "display_name": "Odyssey", "target": null }, { "id": "DeerStealer", "display_name": "DeerStealer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [ "Information Technology" ], "TLP": "white", "cloned_from": null, "export_count": 105, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 26, "domain": 19, "hostname": 4 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 387040, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e9c1d0fd06a823988cd769", "name": "IOC - The ClickFix Factory: First Exposure of IUAM ClickFix Generator", "description": "Attackers are packaging a highly effective social engineering technique known as ClickFix into easy-to-use phishing kits, making it accessible to a wider range of threat actors. This technique tricks victims into bypassing security measures by manually executing malware, typically information stealers and remote access Trojans (RATs). The commoditization of this technique follows the trend of phishing-as-a-service, lowering the skill and effort required to conduct successful attacks.", "modified": "2025-11-10T02:04:42.912000", "created": "2025-10-11T02:32:48.918000", "tags": [ "odyssey", "deerstealer", "ipv4", "malware", "clickfix", "odyssey malware", "ip address", "first seen", "seen malware", "odyssey table" ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Odyssey", "display_name": "Odyssey", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 26, "domain": 18, "hostname": 3 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68edfc736f1c7651872f4359", "name": "The ClickFix Factory: First Exposure of IUAM ClickFix Generator", "description": "", "modified": "2025-11-09T17:03:04.892000", "created": "2025-10-14T07:32:03.410000", "tags": [ "ClickFix", "clipboard", "phishing", "deerstealer", "rat", "remote access", "captcha", "odyssey", "infostealer", "iuam", "clickfix generator", "macos" ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [ { "id": "Odyssey", "display_name": "Odyssey", "target": null }, { "id": "DeerStealer", "display_name": "DeerStealer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [ "Information Technology" ], "TLP": "white", "cloned_from": "68e94967bcab143b278f0611", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 26, "domain": 19, "hostname": 4 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e817f0dabc6208c9dd969b", "name": "ClickFix Attacks Were Automated By IUAM ClickFix Generator", "description": ".", "modified": "2025-11-08T20:06:04.056000", "created": "2025-10-09T20:15:44.672000", "tags": [ "odyssey", "deerstealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 26, "domain": 19, "hostname": 4 }, "indicator_count": 79, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "206 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e774395fed412caea716e4", "name": "The ClickFix Factory: First Exposure of IUAM ClickFix Generator.", "description": "The malicious technique known as ClickFix is being commoditized into easily accessible phishing kits, allowing a broader range of threat actors to utilize it effectively. This social engineering method manipulates users into bypassing security protocols by manually executing malware, which is typically designed for information theft and remote access control. The trend reflects the broader phenomenon of phishing-as-a-service, which reduces the technical expertise required for executing successful attacks. Recent investigations uncovered a phishing kit generator publicly accessible at IP address 38.242.212.5, first detected on July 18, 2025, and operating until early October. Attackers have leveraged this kit to create numerous phishing pages themed around ClickFix, which cleverly mimic browser verification challenges employed by CDN and web security platforms.", "modified": "2025-11-08T08:01:25.309000", "created": "2025-10-09T08:37:13.144000", "tags": [ "odyssey", "deerstealer", "ipv4", "malware", "clickfix", "odyssey malware", "ip address", "first seen", "seen malware", "odyssey table" ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Odyssey", "display_name": "Odyssey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 26, "domain": 18, "hostname": 3 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "207 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Odyssey", "Deerstealer" ], "industries": [ "Information technology" ] }, "other": { "adversary": [], "malware_families": [ "Odyssey", "Deerstealer" ], "industries": [ "Information technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "68e94967bcab143b278f0611", "name": "The ClickFix Factory: First Exposure of IUAM ClickFix Generator", "description": "Palo Alto Unit42 have uncovered a phishing kit named the IUAM ClickFix Generator that automates the creation of these attacks. The kit is designed to generate highly customizable phishing pages that lure victims by mimicking browser verification challenges often used to block automated traffic. It includes advanced features such as operating system detection and clipboard injection, enabling low-effort, cross-platform malware deployment.", "modified": "2025-11-09T17:03:04.892000", "created": "2025-10-10T17:59:02.682000", "tags": [ "ClickFix", "clipboard", "phishing", "deerstealer", "rat", "remote access", "captcha", "odyssey", "infostealer", "iuam", "clickfix generator", "macos" ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [ { "id": "Odyssey", "display_name": "Odyssey", "target": null }, { "id": "DeerStealer", "display_name": "DeerStealer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [ "Information Technology" ], "TLP": "white", "cloned_from": null, "export_count": 105, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 26, "domain": 19, "hostname": 4 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 387040, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e9c1d0fd06a823988cd769", "name": "IOC - The ClickFix Factory: First Exposure of IUAM ClickFix Generator", "description": "Attackers are packaging a highly effective social engineering technique known as ClickFix into easy-to-use phishing kits, making it accessible to a wider range of threat actors. This technique tricks victims into bypassing security measures by manually executing malware, typically information stealers and remote access Trojans (RATs). The commoditization of this technique follows the trend of phishing-as-a-service, lowering the skill and effort required to conduct successful attacks.", "modified": "2025-11-10T02:04:42.912000", "created": "2025-10-11T02:32:48.918000", "tags": [ "odyssey", "deerstealer", "ipv4", "malware", "clickfix", "odyssey malware", "ip address", "first seen", "seen malware", "odyssey table" ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Odyssey", "display_name": "Odyssey", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 26, "domain": 18, "hostname": 3 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68edfc736f1c7651872f4359", "name": "The ClickFix Factory: First Exposure of IUAM ClickFix Generator", "description": "", "modified": "2025-11-09T17:03:04.892000", "created": "2025-10-14T07:32:03.410000", "tags": [ "ClickFix", "clipboard", "phishing", "deerstealer", "rat", "remote access", "captcha", "odyssey", "infostealer", "iuam", "clickfix generator", "macos" ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [ { "id": "Odyssey", "display_name": "Odyssey", "target": null }, { "id": "DeerStealer", "display_name": "DeerStealer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [ "Information Technology" ], "TLP": "white", "cloned_from": "68e94967bcab143b278f0611", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 26, "domain": 19, "hostname": 4 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e817f0dabc6208c9dd969b", "name": "ClickFix Attacks Were Automated By IUAM ClickFix Generator", "description": ".", "modified": "2025-11-08T20:06:04.056000", "created": "2025-10-09T20:15:44.672000", "tags": [ "odyssey", "deerstealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 26, "domain": 19, "hostname": 4 }, "indicator_count": 79, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "206 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e774395fed412caea716e4", "name": "The ClickFix Factory: First Exposure of IUAM ClickFix Generator.", "description": "The malicious technique known as ClickFix is being commoditized into easily accessible phishing kits, allowing a broader range of threat actors to utilize it effectively. This social engineering method manipulates users into bypassing security protocols by manually executing malware, which is typically designed for information theft and remote access control. The trend reflects the broader phenomenon of phishing-as-a-service, which reduces the technical expertise required for executing successful attacks. Recent investigations uncovered a phishing kit generator publicly accessible at IP address 38.242.212.5, first detected on July 18, 2025, and operating until early October. Attackers have leveraged this kit to create numerous phishing pages themed around ClickFix, which cleverly mimic browser verification challenges employed by CDN and web security platforms.", "modified": "2025-11-08T08:01:25.309000", "created": "2025-10-09T08:37:13.144000", "tags": [ "odyssey", "deerstealer", "ipv4", "malware", "clickfix", "odyssey malware", "ip address", "first seen", "seen malware", "odyssey table" ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Odyssey", "display_name": "Odyssey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 26, "domain": 18, "hostname": 3 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "207 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "asmicareer.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "asmicareer.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780475287.7051883 }