{ "type": "Domain", "indicator": "corezea.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/corezea.com", "alexa": "http://www.alexa.com/siteinfo/corezea.com", "indicator": "corezea.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4153679019, "indicator": "corezea.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "6924c9a94b1c7374cf444b82", "name": "ClickFix Gets Creative: Malware Buried in Images", "description": "A multi-stage malware execution chain originating from a ClickFix lure has been discovered, leading to the delivery of infostealing malware like LummaC2 and Rhadamanthys. The campaign utilizes steganography to hide malicious code within PNG images. Two distinct ClickFix lures were observed: a standard 'Human Verification' and a convincing fake Windows Update screen. The execution chain involves mshta.exe, PowerShell, and .NET assemblies, ultimately extracting and injecting shellcode into target processes. The steganographic technique encodes malicious data directly into image pixel data, using specific color channels for payload reconstruction and decryption in memory. This sophisticated approach helps evade signature-based detection and complicates analysis.", "modified": "2025-12-24T21:03:40.540000", "created": "2025-11-24T21:10:01.793000", "tags": [ "multi-stage", "social engineering", "steganography", "infostealer", "rhadamanthys", "lummac2", "clickfix", "windows update" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "LummaC2", "display_name": "LummaC2", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.002", "name": "Right-to-Left Override", "display_name": "T1036.002 - Right-to-Left Override" }, { "id": "T1218.005", "name": "Mshta", "display_name": "T1218.005 - Mshta" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 9, "domain": 20 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 386515, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692d7519544b62e86aa47157", "name": "EbeeNov2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-31T10:00:16.038000", "created": "2025-12-01T10:59:37.970000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "cve20243721 cve", "cve20131599 cve", "cve20143206 cve", "cve20179841 cve", "cve20199082 cve", "cve20208958 cve" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "CVE": 35, "FileHash-MD5": 221, "FileHash-SHA1": 188, "FileHash-SHA256": 232, "domain": 150, "email": 1, "hostname": 40 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69297c21a7a29bc6ac28041d", "name": "ClickFix Gets Creative: Malware Buried in Images | Huntress", "description": "Find out more about the Huntress products and services on the Microsoft Marketplace and on our site for free and unlimited access to all the latest technology and resources. and information on how to use them.", "modified": "2025-12-28T10:01:42.641000", "created": "2025-11-28T10:40:33.411000", "tags": [ "windows update", "clickfix lure", "huntress", "powershell", "windows run", "redacted", "blob url", "clickfix domain", "lummac2", "clickfix", "rhadamanthys", "find", "python", "shellcode", "cluster", "update lure", "qilin", "nexus threat" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Update Lure", "display_name": "Update Lure", "target": null }, { "id": "Windows Update", "display_name": "Windows Update", "target": null }, { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "Nexus Threat", "display_name": "Nexus Threat", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "Huntress", "display_name": "Huntress", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 17, "domain": 22, "hostname": 7 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "154 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6927299bb5c998cd84b796b1", "name": "ppppppppppp", "description": "The following is the full text of this article, which has been published by the University of Oxford, UK, as part of the 2016/17 academic year.. and the subject is subject to debate", "modified": "2025-12-26T16:02:47.985000", "created": "2025-11-26T16:23:55.743000", "tags": [ "url http", "hashsha256", "domain", "url hxxtp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vijay2752", "id": "368558", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 19, "FileHash-MD5": 49, "FileHash-SHA1": 49, "FileHash-SHA256": 49, "domain": 18 }, "indicator_count": 184, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "155 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69258ec9f2e8abc71efb55e6", "name": "Fake Windows Update Screens Used by ClickFix to Deliver Steganographic Malware", "description": "New wave of clickFix attacks is identified to abuse highly realistic fake Windows\n Update screens and PNG image steganography to secretly deploy info stealing\n malware.", "modified": "2025-12-25T11:00:36.098000", "created": "2025-11-25T11:11:05.181000", "tags": [], "references": [ "November 25th, 2025 - CryptoGen Cyber Threat Intelligence Advisory #8637 - Fake Windows Update Screens Used by ClickFix to Deliver Steganographic Malware.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 19, "domain": 23 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6925468fbc639f2b2ae4afa9", "name": "IOC - ClickFix Gets Creative: Malware Buried in Images", "description": "This analysis details a multi-stage malware execution chain, originating from a ClickFix lure, that leads to the delivery of infostealing malware, including LummaC2 and Rhadamanthys. A notable discovery during analysis was the campaign's use of steganography to conceal the final malware stages within an image. Rather than simply appending malicious data to a file, the malicious code is encoded directly within the pixel data of PNG images, relying on specific colour channels to reconstruct and decrypt the payload in memory.", "modified": "2025-12-25T06:01:37.590000", "created": "2025-11-25T06:02:55.071000", "tags": [ "stage", "urls", "clickfix lure", "windows update", "lure indicators", "cluster", "clickfix robot", "lure", "lummac2" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "domain": 22 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692514d8b7be86bae7057673", "name": "ClickFix Malware Evolves With Steganographic Image-Based Delivery", "description": "Huntress is a managed security platform designed to protect organisations from cyber-attacks, writes Ben Folland and Anna Pham, who worked with the company's parent company, Microsoft, to develop its security solutions.", "modified": "2025-12-25T02:04:22.852000", "created": "2025-11-25T02:30:48.788000", "tags": [ "windows update", "clickfix lure", "huntress", "powershell", "windows run", "redacted", "blob url", "clickfix domain", "lummac2", "clickfix", "rhadamanthys", "find", "python", "shellcode", "cluster", "update lure", "qilin", "nexus threat" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Update Lure", "display_name": "Update Lure", "target": null }, { "id": "Windows Update", "display_name": "Windows Update", "target": null }, { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "Nexus Threat", "display_name": "Nexus Threat", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "Huntress", "display_name": "Huntress", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 16, "domain": 22 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6924cddd2c084e5cafc84277", "name": "ClickFix Gets Creative: Malware Buried in Images", "description": "The analysis highlights a sophisticated malware campaign utilizing ClickFix lures to execute multi-stage malware delivery, ultimately leading to the deployment of infostealing malware such as LummaC2 and Rhadamanthys. A prominent aspect of this campaign is the innovative use of steganography to hide malicious payloads within image files, specifically PNGs, where malicious code is embedded directly in the pixel data. This technique enhances concealment, as the payload is reconstructed and decrypted in memory using specific color channels.", "modified": "2025-12-24T21:03:40.540000", "created": "2025-11-24T21:27:57.190000", "tags": [ "clickfix lure", "huntress", "powershell", "redacted", "blob url", "clickfix domain", "lummac2", "clickfix", "rhadamanthys", "find", "python", "shellcode", "cluster", "update lure", "qilin", "nexus threat", "stage", "urls", "clickfix robot", "lure", "lure indicators" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 16, "domain": 22 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Book1.csv", "November 25th, 2025 - CryptoGen Cyber Threat Intelligence Advisory #8637 - Fake Windows Update Screens Used by ClickFix to Deliver Steganographic Malware.pdf", "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Lummac2", "Rhadamanthys" ], "industries": [] }, "other": { "adversary": [ "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face" ], "malware_families": [ "Rhadamanthys", "Nexus threat", "Qilin", "Update lure", "Huntress", "Windows update" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "6924c9a94b1c7374cf444b82", "name": "ClickFix Gets Creative: Malware Buried in Images", "description": "A multi-stage malware execution chain originating from a ClickFix lure has been discovered, leading to the delivery of infostealing malware like LummaC2 and Rhadamanthys. The campaign utilizes steganography to hide malicious code within PNG images. Two distinct ClickFix lures were observed: a standard 'Human Verification' and a convincing fake Windows Update screen. The execution chain involves mshta.exe, PowerShell, and .NET assemblies, ultimately extracting and injecting shellcode into target processes. The steganographic technique encodes malicious data directly into image pixel data, using specific color channels for payload reconstruction and decryption in memory. This sophisticated approach helps evade signature-based detection and complicates analysis.", "modified": "2025-12-24T21:03:40.540000", "created": "2025-11-24T21:10:01.793000", "tags": [ "multi-stage", "social engineering", "steganography", "infostealer", "rhadamanthys", "lummac2", "clickfix", "windows update" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "LummaC2", "display_name": "LummaC2", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.002", "name": "Right-to-Left Override", "display_name": "T1036.002 - Right-to-Left Override" }, { "id": "T1218.005", "name": "Mshta", "display_name": "T1218.005 - Mshta" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 9, "domain": 20 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 386515, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692d7519544b62e86aa47157", "name": "EbeeNov2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-31T10:00:16.038000", "created": "2025-12-01T10:59:37.970000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "cve20243721 cve", "cve20131599 cve", "cve20143206 cve", "cve20179841 cve", "cve20199082 cve", "cve20208958 cve" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "CVE": 35, "FileHash-MD5": 221, "FileHash-SHA1": 188, "FileHash-SHA256": 232, "domain": 150, "email": 1, "hostname": 40 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69297c21a7a29bc6ac28041d", "name": "ClickFix Gets Creative: Malware Buried in Images | Huntress", "description": "Find out more about the Huntress products and services on the Microsoft Marketplace and on our site for free and unlimited access to all the latest technology and resources. and information on how to use them.", "modified": "2025-12-28T10:01:42.641000", "created": "2025-11-28T10:40:33.411000", "tags": [ "windows update", "clickfix lure", "huntress", "powershell", "windows run", "redacted", "blob url", "clickfix domain", "lummac2", "clickfix", "rhadamanthys", "find", "python", "shellcode", "cluster", "update lure", "qilin", "nexus threat" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Update Lure", "display_name": "Update Lure", "target": null }, { "id": "Windows Update", "display_name": "Windows Update", "target": null }, { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "Nexus Threat", "display_name": "Nexus Threat", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "Huntress", "display_name": "Huntress", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 17, "domain": 22, "hostname": 7 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "154 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6927299bb5c998cd84b796b1", "name": "ppppppppppp", "description": "The following is the full text of this article, which has been published by the University of Oxford, UK, as part of the 2016/17 academic year.. and the subject is subject to debate", "modified": "2025-12-26T16:02:47.985000", "created": "2025-11-26T16:23:55.743000", "tags": [ "url http", "hashsha256", "domain", "url hxxtp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vijay2752", "id": "368558", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 19, "FileHash-MD5": 49, "FileHash-SHA1": 49, "FileHash-SHA256": 49, "domain": 18 }, "indicator_count": 184, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "155 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69258ec9f2e8abc71efb55e6", "name": "Fake Windows Update Screens Used by ClickFix to Deliver Steganographic Malware", "description": "New wave of clickFix attacks is identified to abuse highly realistic fake Windows\n Update screens and PNG image steganography to secretly deploy info stealing\n malware.", "modified": "2025-12-25T11:00:36.098000", "created": "2025-11-25T11:11:05.181000", "tags": [], "references": [ "November 25th, 2025 - CryptoGen Cyber Threat Intelligence Advisory #8637 - Fake Windows Update Screens Used by ClickFix to Deliver Steganographic Malware.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 19, "domain": 23 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6925468fbc639f2b2ae4afa9", "name": "IOC - ClickFix Gets Creative: Malware Buried in Images", "description": "This analysis details a multi-stage malware execution chain, originating from a ClickFix lure, that leads to the delivery of infostealing malware, including LummaC2 and Rhadamanthys. A notable discovery during analysis was the campaign's use of steganography to conceal the final malware stages within an image. Rather than simply appending malicious data to a file, the malicious code is encoded directly within the pixel data of PNG images, relying on specific colour channels to reconstruct and decrypt the payload in memory.", "modified": "2025-12-25T06:01:37.590000", "created": "2025-11-25T06:02:55.071000", "tags": [ "stage", "urls", "clickfix lure", "windows update", "lure indicators", "cluster", "clickfix robot", "lure", "lummac2" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "domain": 22 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692514d8b7be86bae7057673", "name": "ClickFix Malware Evolves With Steganographic Image-Based Delivery", "description": "Huntress is a managed security platform designed to protect organisations from cyber-attacks, writes Ben Folland and Anna Pham, who worked with the company's parent company, Microsoft, to develop its security solutions.", "modified": "2025-12-25T02:04:22.852000", "created": "2025-11-25T02:30:48.788000", "tags": [ "windows update", "clickfix lure", "huntress", "powershell", "windows run", "redacted", "blob url", "clickfix domain", "lummac2", "clickfix", "rhadamanthys", "find", "python", "shellcode", "cluster", "update lure", "qilin", "nexus threat" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Update Lure", "display_name": "Update Lure", "target": null }, { "id": "Windows Update", "display_name": "Windows Update", "target": null }, { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "Nexus Threat", "display_name": "Nexus Threat", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "Huntress", "display_name": "Huntress", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 16, "domain": 22 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6924cddd2c084e5cafc84277", "name": "ClickFix Gets Creative: Malware Buried in Images", "description": "The analysis highlights a sophisticated malware campaign utilizing ClickFix lures to execute multi-stage malware delivery, ultimately leading to the deployment of infostealing malware such as LummaC2 and Rhadamanthys. A prominent aspect of this campaign is the innovative use of steganography to hide malicious payloads within image files, specifically PNGs, where malicious code is embedded directly in the pixel data. This technique enhances concealment, as the payload is reconstructed and decrypted in memory using specific color channels.", "modified": "2025-12-24T21:03:40.540000", "created": "2025-11-24T21:27:57.190000", "tags": [ "clickfix lure", "huntress", "powershell", "redacted", "blob url", "clickfix domain", "lummac2", "clickfix", "rhadamanthys", "find", "python", "shellcode", "cluster", "update lure", "qilin", "nexus threat", "stage", "urls", "clickfix robot", "lure", "lure indicators" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 16, "domain": 22 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "corezea.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "corezea.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780226138.2314205 }