{ "type": "Domain", "indicator": "cookingrt.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cookingrt.com", "alexa": "http://www.alexa.com/siteinfo/cookingrt.com", "indicator": "cookingrt.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4371590136, "indicator": "cookingrt.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "6a0d971608b49dfc89267777", "name": "The Evolution of ClickFix: From Cleartext to Server Side Polymorphism", "description": "The ClickFix campaign has evolved from basic disk-based infections to sophisticated, obfuscated attacks using fake CAPTCHA pages that trick victims into executing malicious PowerShell commands. Initial variants used cleartext commands downloading batch scripts to deploy DeerStealer InfoStealer. The campaign advanced to fileless execution using XOR encryption or Base64 compression, operating entirely in memory. The most dangerous evolution involves server-side polymorphism, where attacker infrastructure dynamically generates unique obfuscated payloads for each victim, delivering Vidar InfoStealer. Active since March 2026 with surging activity through May, the campaign utilizes approximately 4,500 live domains. Both XOR and Base64 variants execute payloads in memory, download executables from attacker infrastructure, and delete traces to evade forensics.", "modified": "2026-05-21T16:10:15.685000", "created": "2026-05-20T11:12:22.964000", "tags": [ "ClickFix", "server-side polymorphism", "fake CAPTCHA", "PowerShell", "DeerStealer", "Vidar", "InfoStealer", "fileless execution", "XOR encryption", "Base64 obfuscation" ], "references": [ "https://www.menlosecurity.com/blog/the-evolution-of-clickfix-from-cleartext-to-server-side-polymorphism" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "DeerStealer", "display_name": "DeerStealer", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 3563, "IPv4": 3, "hostname": 936 }, "indicator_count": 4502, "is_author": false, "is_subscribing": null, "subscriber_count": 386460, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1af098a2420fb88e554e7c", "name": "Payload_Delivery | May 31, 2026", "description": "Payload_Delivery indicators. Date: May 31, 2026. Total: 1296 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-30T14:13:44.763000", "created": "2026-05-30T14:13:44.763000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 826, "domain": 201, "URL": 191, "FileHash-SHA256": 42, "FileHash-SHA1": 2 }, "indicator_count": 1262, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "9 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a199f107d72e6c240c88056", "name": "Payload_Delivery | May 30, 2026", "description": "Payload_Delivery indicators. Date: May 30, 2026. Total: 1238 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-29T14:13:36.695000", "created": "2026-05-29T14:13:36.695000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 760, "URL": 194, "FileHash-SHA256": 42, "domain": 206, "FileHash-SHA1": 2 }, "indicator_count": 1204, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a184e431e46597d0217d91c", "name": "Payload_Delivery | May 29, 2026", "description": "Payload_Delivery indicators. Date: May 29, 2026. Total: 1194 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-28T14:16:35.836000", "created": "2026-05-28T14:16:35.836000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 648, "domain": 243, "URL": 208, "FileHash-SHA256": 62, "FileHash-SHA1": 2 }, "indicator_count": 1163, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a16fc15cadf9309436a626a", "name": "Payload_Delivery | May 28, 2026", "description": "Payload_Delivery indicators. Date: May 28, 2026. Total: 1111 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-27T14:13:41.458000", "created": "2026-05-27T14:13:41.458000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 567, "domain": 275, "URL": 174, "FileHash-SHA256": 61, "FileHash-SHA1": 2 }, "indicator_count": 1079, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a15aa9102ebff362ef66326", "name": "Payload_Delivery | May 27, 2026", "description": "Payload_Delivery indicators. Date: May 27, 2026. Total: 1055 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-26T14:13:37.240000", "created": "2026-05-26T14:13:37.240000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 468, "URL": 181, "domain": 308, "FileHash-SHA256": 57, "FileHash-SHA1": 3 }, "indicator_count": 1017, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a145900f5080825046806c0", "name": "Payload_Delivery | May 26, 2026", "description": "Payload_Delivery indicators. Date: May 26, 2026. Total: 972 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-25T14:13:20.864000", "created": "2026-05-25T14:13:20.864000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 369, "domain": 352, "URL": 154, "FileHash-SHA1": 3, "FileHash-SHA256": 61 }, "indicator_count": 939, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1380b2ee83fa05ff58af68", "name": "tfhncf", "description": "", "modified": "2026-05-24T22:50:26.957000", "created": "2026-05-24T22:50:26.957000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 53, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 860, "IPv4": 4337, "domain": 286, "hostname": 128 }, "indicator_count": 5720, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1380b0d71dca32f9214caa", "name": "tfhncf", "description": "", "modified": "2026-05-24T22:50:24.500000", "created": "2026-05-24T22:50:24.500000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 53, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 860, "IPv4": 4337, "domain": 286, "hostname": 128 }, "indicator_count": 5720, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13806aa3ce0afa6ce805a3", "name": "SERHFGB", "description": "", "modified": "2026-05-24T22:49:14.004000", "created": "2026-05-24T22:49:14.004000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 54, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 865, "IPv4": 5793, "domain": 286, "hostname": 128 }, "indicator_count": 7182, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13806762755fa47d3276ee", "name": "SERHFGB", "description": "", "modified": "2026-05-24T22:49:11.586000", "created": "2026-05-24T22:49:11.586000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 54, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 865, "IPv4": 5793, "domain": 286, "hostname": 128 }, "indicator_count": 7182, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13800eba91800fe4e80284", "name": "cygujctgyj", "description": "Twenty-five years ago, the world was a small country, but it has now become a huge part of the global economy, and the UK has become the largest country in Europe to have its share of", "modified": "2026-05-24T22:47:42.665000", "created": "2026-05-24T22:47:42.665000", "tags": [ "sakura http", "clientsetup" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 53, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 859, "IPv4": 4190, "domain": 286, "hostname": 128 }, "indicator_count": 5572, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a130d64d6b88e2c6d025546", "name": "mohammedrizwandddddddd", "description": "", "modified": "2026-05-24T14:38:28.800000", "created": "2026-05-24T14:38:28.800000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 53, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 862, "IPv4": 4338, "domain": 286, "hostname": 129 }, "indicator_count": 5724, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a12a215bd176163aa2b5bcc", "name": "The Evolution of ClickFix: From Cleartext to Server Side Polymorphism", "description": "", "modified": "2026-05-24T07:00:37.704000", "created": "2026-05-24T07:00:37.704000", "tags": [ "ClickFix", "server-side polymorphism", "fake CAPTCHA", "PowerShell", "DeerStealer", "Vidar", "InfoStealer", "fileless execution", "XOR encryption", "Base64 obfuscation" ], "references": [ "https://www.menlosecurity.com/blog/the-evolution-of-clickfix-from-cleartext-to-server-side-polymorphism" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "DeerStealer", "display_name": "DeerStealer", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": "6a1283eeea5b0c771537ec61", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3563, "IPv4": 3, "hostname": 936 }, "indicator_count": 4502, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1283eeea5b0c771537ec61", "name": "The Evolution of ClickFix: From Cleartext to Server Side Polymorphism", "description": "", "modified": "2026-05-24T04:51:58.732000", "created": "2026-05-24T04:51:58.732000", "tags": [ "ClickFix", "server-side polymorphism", "fake CAPTCHA", "PowerShell", "DeerStealer", "Vidar", "InfoStealer", "fileless execution", "XOR encryption", "Base64 obfuscation" ], "references": [ "https://www.menlosecurity.com/blog/the-evolution-of-clickfix-from-cleartext-to-server-side-polymorphism" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "DeerStealer", "display_name": "DeerStealer", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": "6a0d971608b49dfc89267777", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3563, "IPv4": 3, "hostname": 936 }, "indicator_count": 4502, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.menlosecurity.com/blog/the-evolution-of-clickfix-from-cleartext-to-server-side-polymorphism", "https://ltna.com.au/cyber" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Vidar", "Deerstealer" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Vidar", "Deerstealer" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "6a0d971608b49dfc89267777", "name": "The Evolution of ClickFix: From Cleartext to Server Side Polymorphism", "description": "The ClickFix campaign has evolved from basic disk-based infections to sophisticated, obfuscated attacks using fake CAPTCHA pages that trick victims into executing malicious PowerShell commands. Initial variants used cleartext commands downloading batch scripts to deploy DeerStealer InfoStealer. The campaign advanced to fileless execution using XOR encryption or Base64 compression, operating entirely in memory. The most dangerous evolution involves server-side polymorphism, where attacker infrastructure dynamically generates unique obfuscated payloads for each victim, delivering Vidar InfoStealer. Active since March 2026 with surging activity through May, the campaign utilizes approximately 4,500 live domains. Both XOR and Base64 variants execute payloads in memory, download executables from attacker infrastructure, and delete traces to evade forensics.", "modified": "2026-05-21T16:10:15.685000", "created": "2026-05-20T11:12:22.964000", "tags": [ "ClickFix", "server-side polymorphism", "fake CAPTCHA", "PowerShell", "DeerStealer", "Vidar", "InfoStealer", "fileless execution", "XOR encryption", "Base64 obfuscation" ], "references": [ "https://www.menlosecurity.com/blog/the-evolution-of-clickfix-from-cleartext-to-server-side-polymorphism" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "DeerStealer", "display_name": "DeerStealer", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 3563, "IPv4": 3, "hostname": 936 }, "indicator_count": 4502, "is_author": false, "is_subscribing": null, "subscriber_count": 386460, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1af098a2420fb88e554e7c", "name": "Payload_Delivery | May 31, 2026", "description": "Payload_Delivery indicators. Date: May 31, 2026. Total: 1296 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-30T14:13:44.763000", "created": "2026-05-30T14:13:44.763000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 826, "domain": 201, "URL": 191, "FileHash-SHA256": 42, "FileHash-SHA1": 2 }, "indicator_count": 1262, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "9 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a199f107d72e6c240c88056", "name": "Payload_Delivery | May 30, 2026", "description": "Payload_Delivery indicators. Date: May 30, 2026. Total: 1238 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-29T14:13:36.695000", "created": "2026-05-29T14:13:36.695000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 760, "URL": 194, "FileHash-SHA256": 42, "domain": 206, "FileHash-SHA1": 2 }, "indicator_count": 1204, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a184e431e46597d0217d91c", "name": "Payload_Delivery | May 29, 2026", "description": "Payload_Delivery indicators. Date: May 29, 2026. Total: 1194 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-28T14:16:35.836000", "created": "2026-05-28T14:16:35.836000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 648, "domain": 243, "URL": 208, "FileHash-SHA256": 62, "FileHash-SHA1": 2 }, "indicator_count": 1163, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a16fc15cadf9309436a626a", "name": "Payload_Delivery | May 28, 2026", "description": "Payload_Delivery indicators. Date: May 28, 2026. Total: 1111 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-27T14:13:41.458000", "created": "2026-05-27T14:13:41.458000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 567, "domain": 275, "URL": 174, "FileHash-SHA256": 61, "FileHash-SHA1": 2 }, "indicator_count": 1079, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a15aa9102ebff362ef66326", "name": "Payload_Delivery | May 27, 2026", "description": "Payload_Delivery indicators. Date: May 27, 2026. Total: 1055 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-26T14:13:37.240000", "created": "2026-05-26T14:13:37.240000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 468, "URL": 181, "domain": 308, "FileHash-SHA256": 57, "FileHash-SHA1": 3 }, "indicator_count": 1017, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a145900f5080825046806c0", "name": "Payload_Delivery | May 26, 2026", "description": "Payload_Delivery indicators. Date: May 26, 2026. Total: 972 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-25T14:13:20.864000", "created": "2026-05-25T14:13:20.864000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 369, "domain": 352, "URL": 154, "FileHash-SHA1": 3, "FileHash-SHA256": 61 }, "indicator_count": 939, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1380b2ee83fa05ff58af68", "name": "tfhncf", "description": "", "modified": "2026-05-24T22:50:26.957000", "created": "2026-05-24T22:50:26.957000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 53, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 860, "IPv4": 4337, "domain": 286, "hostname": 128 }, "indicator_count": 5720, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1380b0d71dca32f9214caa", "name": "tfhncf", "description": "", "modified": "2026-05-24T22:50:24.500000", "created": "2026-05-24T22:50:24.500000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 53, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 860, "IPv4": 4337, "domain": 286, "hostname": 128 }, "indicator_count": 5720, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13806aa3ce0afa6ce805a3", "name": "SERHFGB", "description": "", "modified": "2026-05-24T22:49:14.004000", "created": "2026-05-24T22:49:14.004000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 54, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 865, "IPv4": 5793, "domain": 286, "hostname": 128 }, "indicator_count": 7182, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cookingrt.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cookingrt.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780185149.3474803 }