{ "type": "URL", "indicator": "https://authone-drive.online/client.bat\\'", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://authone-drive.online/client.bat\\'", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4348864671, "indicator": "https://authone-drive.online/client.bat\\'", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "69fdcc566b7e3b2391cfe7c5", "name": "ClickFix: YARA Rules Catch What AV Misses", "description": "The ClickFix cyber threat has emerged as a significant attack vector during 2024 and 2025, characterized by its exploitation of social engineering rather than software vulnerabilities. In this attack, victims are directed to fraudulent websites that pose as CAPTCHA or document verification pages. They are instructed to open the Run dialog in Windows and paste a command that the website has generated and copied to their clipboard. This command typically runs a malicious PowerShell script directly in memory, thus evading traditional security measures by operating without touching the disk in a detectable manner.", "modified": "2026-05-08T11:43:18.779000", "created": "2026-05-08T11:43:18.779000", "tags": [ "clickfix", "yara rule", "powershell", "html source", "captcha page", "run dialog", "yara", "urls", "march", "html", "bypass", "verify", "utf-16 base64" ], "references": [ "https://www.reversinglabs.com/blog/clickfix-yara-rule" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "YARA": 1, "domain": 2 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.reversinglabs.com/blog/clickfix-yara-rule" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Clickfix" ], "industries": [], "unique_indicators": 7 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/authone-drive.online", "whois": "http://whois.domaintools.com/authone-drive.online", "domain": "authone-drive.online", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "69fdcc566b7e3b2391cfe7c5", "name": "ClickFix: YARA Rules Catch What AV Misses", "description": "The ClickFix cyber threat has emerged as a significant attack vector during 2024 and 2025, characterized by its exploitation of social engineering rather than software vulnerabilities. In this attack, victims are directed to fraudulent websites that pose as CAPTCHA or document verification pages. They are instructed to open the Run dialog in Windows and paste a command that the website has generated and copied to their clipboard. This command typically runs a malicious PowerShell script directly in memory, thus evading traditional security measures by operating without touching the disk in a detectable manner.", "modified": "2026-05-08T11:43:18.779000", "created": "2026-05-08T11:43:18.779000", "tags": [ "clickfix", "yara rule", "powershell", "html source", "captcha page", "run dialog", "yara", "urls", "march", "html", "bypass", "verify", "utf-16 base64" ], "references": [ "https://www.reversinglabs.com/blog/clickfix-yara-rule" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "YARA": 1, "domain": 2 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://authone-drive.online/client.bat\\'", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://authone-drive.online/client.bat\\'", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780333117.992417 }