{ "type": "Domain", "indicator": "atri.live", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/atri.live", "alexa": "http://www.alexa.com/siteinfo/atri.live", "indicator": "atri.live", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4087680294, "indicator": "atri.live", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "686ffe0f30bfbdfa037e4168", "name": "Fix the Click: Preventing the ClickFix Attack Vector", "description": "This article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetSupport RAT, Latrodectus, and Lumma Stealer. ClickFix lures often use clipboard hijacking and can bypass standard detection controls. The article provides case studies of recent campaigns, hunting tips for detecting ClickFix infections, and recommendations for proactive defense measures. It emphasizes the importance of user education and implementing robust security controls to mitigate this evolving threat.", "modified": "2025-08-09T17:01:56.158000", "created": "2025-07-10T17:53:19.658000", "tags": [ "latrodectus", "typosquatting", "powershell", "clipboard hijacking", "autoit", "social engineering", "clickfix", "rat", "infostealer", "netsupport rat", "lumma stealer" ], "references": [ "https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" } ], "industries": [ "High technology", "Financial services", "Manufacturing", "Wholesale and retail", "Government", "Professional and legal services", "Energy", "Healthcare", "Telecommunications", "Automotive" ], "TLP": "white", "cloned_from": null, "export_count": 70, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "FileHash-SHA1": 8, "FileHash-SHA256": 21, "domain": 39, "hostname": 5 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 386998, "modified_text": "297 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6870b3d3573b3824d7169a2c", "name": "TTP - Fix the Click Preventing the ClickFix Attack Vector", "description": "\u672c\u6587\u5206\u6790\u4e86\u4e00\u79cd\u540d\u4e3a\u201cClickFix\u201d\u7684\u65b0\u578b\u793e\u4ea4\u5de5\u7a0b\u653b\u51fb\u6280\u672f\u3002\u653b\u51fb\u8005\u901a\u8fc7\u8bf1\u5bfc\u7528\u6237\u5728\u201c\u8fd0\u884c\u201d\uff08Win+R\uff09\u6216\u201c\u7ec8\u7aef\u201d\uff08Win+X\uff09\u4e2d\u7c98\u8d34\u548c\u6267\u884c\u6076\u610f\u547d\u4ee4\uff0c\u5b9e\u73b0\u8fdc\u7a0b\u8bbf\u95ee\u6728\u9a6c\uff08\u5982NetSupport RAT\uff09\u3001\u4fe1\u606f\u7a83\u53d6\u5668\uff08\u5982Lumma Stealer\uff09\u6216\u52a0\u8f7d\u5668\uff08\u5982Latrodectus\uff09\u7684\u90e8\u7f72\u3002\u8fd9\u4e9b\u653b\u51fb\u88ab\u5e7f\u6cdb\u7528\u4e8e\u591a\u4e2a\u884c\u4e1a\uff0c\u5305\u62ec\u80fd\u6e90\u3001\u91d1\u878d\u3001\u5236\u9020\u3001\u96f6\u552e\u548c\u653f\u5e9c\u673a\u6784\u3002ClickFix\u653b\u51fb\u56e0\u7ed5\u8fc7\u5e38\u89c4\u5b89\u5168\u68c0\u6d4b\u624b\u6bb5\u800c\u66f4\u5177\u9690\u853d\u6027\uff0c\u5df2\u6210\u4e3a2025\u5e74\u4e0a\u534a\u5e74\u5e38\u89c1\u7684\u5165\u4fb5\u8def\u5f84\u4e4b\u4e00\u3002\u672c\u6587\u63d0\u4f9b\u4e86\u591a\u4e2a\u771f\u5b9e\u6848\u4f8b\u3001\u68c0\u6d4b\u5efa\u8bae\u53ca\u72e9\u730e\u7b56\u7565\uff0c\u4ee5\u5e2e\u52a9\u7ec4\u7ec7\u8bc6\u522b\u548c\u9632\u5fa1\u6b64\u7c7b\u653b\u51fb\u3002", "modified": "2025-08-09T17:01:56.158000", "created": "2025-07-11T06:48:51.994000", "tags": [ "latrodectus", "typosquatting", "powershell", "clipboard hijacking", "autoit", "social engineering", "clickfix", "rat", "infostealer", "netsupport rat", "lumma stealer" ], "references": [ "https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" } ], "industries": [ "High technology", "Financial services", "Manufacturing", "Wholesale and retail", "Government", "Professional and legal services", "Energy", "Healthcare", "Telecommunications", "Automotive" ], "TLP": "white", "cloned_from": "686ffe0f30bfbdfa037e4168", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 9, "FileHash-SHA256": 22, "domain": 39, "hostname": 5 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "297 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Netsupport rat", "Lumma stealer", "Latrodectus" ], "industries": [ "Healthcare", "Energy", "High technology", "Manufacturing", "Automotive", "Professional and legal services", "Telecommunications", "Government", "Wholesale and retail", "Financial services" ] }, "other": { "adversary": [], "malware_families": [ "Netsupport rat", "Lumma stealer", "Latrodectus" ], "industries": [ "Healthcare", "Energy", "High technology", "Manufacturing", "Automotive", "Professional and legal services", "Telecommunications", "Government", "Wholesale and retail", "Financial services" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "686ffe0f30bfbdfa037e4168", "name": "Fix the Click: Preventing the ClickFix Attack Vector", "description": "This article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetSupport RAT, Latrodectus, and Lumma Stealer. ClickFix lures often use clipboard hijacking and can bypass standard detection controls. The article provides case studies of recent campaigns, hunting tips for detecting ClickFix infections, and recommendations for proactive defense measures. It emphasizes the importance of user education and implementing robust security controls to mitigate this evolving threat.", "modified": "2025-08-09T17:01:56.158000", "created": "2025-07-10T17:53:19.658000", "tags": [ "latrodectus", "typosquatting", "powershell", "clipboard hijacking", "autoit", "social engineering", "clickfix", "rat", "infostealer", "netsupport rat", "lumma stealer" ], "references": [ "https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" } ], "industries": [ "High technology", "Financial services", "Manufacturing", "Wholesale and retail", "Government", "Professional and legal services", "Energy", "Healthcare", "Telecommunications", "Automotive" ], "TLP": "white", "cloned_from": null, "export_count": 70, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "FileHash-SHA1": 8, "FileHash-SHA256": 21, "domain": 39, "hostname": 5 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 386998, "modified_text": "297 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6870b3d3573b3824d7169a2c", "name": "TTP - Fix the Click Preventing the ClickFix Attack Vector", "description": "\u672c\u6587\u5206\u6790\u4e86\u4e00\u79cd\u540d\u4e3a\u201cClickFix\u201d\u7684\u65b0\u578b\u793e\u4ea4\u5de5\u7a0b\u653b\u51fb\u6280\u672f\u3002\u653b\u51fb\u8005\u901a\u8fc7\u8bf1\u5bfc\u7528\u6237\u5728\u201c\u8fd0\u884c\u201d\uff08Win+R\uff09\u6216\u201c\u7ec8\u7aef\u201d\uff08Win+X\uff09\u4e2d\u7c98\u8d34\u548c\u6267\u884c\u6076\u610f\u547d\u4ee4\uff0c\u5b9e\u73b0\u8fdc\u7a0b\u8bbf\u95ee\u6728\u9a6c\uff08\u5982NetSupport RAT\uff09\u3001\u4fe1\u606f\u7a83\u53d6\u5668\uff08\u5982Lumma Stealer\uff09\u6216\u52a0\u8f7d\u5668\uff08\u5982Latrodectus\uff09\u7684\u90e8\u7f72\u3002\u8fd9\u4e9b\u653b\u51fb\u88ab\u5e7f\u6cdb\u7528\u4e8e\u591a\u4e2a\u884c\u4e1a\uff0c\u5305\u62ec\u80fd\u6e90\u3001\u91d1\u878d\u3001\u5236\u9020\u3001\u96f6\u552e\u548c\u653f\u5e9c\u673a\u6784\u3002ClickFix\u653b\u51fb\u56e0\u7ed5\u8fc7\u5e38\u89c4\u5b89\u5168\u68c0\u6d4b\u624b\u6bb5\u800c\u66f4\u5177\u9690\u853d\u6027\uff0c\u5df2\u6210\u4e3a2025\u5e74\u4e0a\u534a\u5e74\u5e38\u89c1\u7684\u5165\u4fb5\u8def\u5f84\u4e4b\u4e00\u3002\u672c\u6587\u63d0\u4f9b\u4e86\u591a\u4e2a\u771f\u5b9e\u6848\u4f8b\u3001\u68c0\u6d4b\u5efa\u8bae\u53ca\u72e9\u730e\u7b56\u7565\uff0c\u4ee5\u5e2e\u52a9\u7ec4\u7ec7\u8bc6\u522b\u548c\u9632\u5fa1\u6b64\u7c7b\u653b\u51fb\u3002", "modified": "2025-08-09T17:01:56.158000", "created": "2025-07-11T06:48:51.994000", "tags": [ "latrodectus", "typosquatting", "powershell", "clipboard hijacking", "autoit", "social engineering", "clickfix", "rat", "infostealer", "netsupport rat", "lumma stealer" ], "references": [ "https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" } ], "industries": [ "High technology", "Financial services", "Manufacturing", "Wholesale and retail", "Government", "Professional and legal services", "Energy", "Healthcare", "Telecommunications", "Automotive" ], "TLP": "white", "cloned_from": "686ffe0f30bfbdfa037e4168", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 9, "FileHash-SHA256": 22, "domain": 39, "hostname": 5 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "297 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "atri.live", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "atri.live", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780458096.73516 }