{
  "type": "Domain",
  "indicator": "mhousecreative.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/mhousecreative.com",
    "alexa": "http://www.alexa.com/siteinfo/mhousecreative.com",
    "indicator": "mhousecreative.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4072965342,
      "indicator": "mhousecreative.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 20,
      "pulses": [
        {
          "id": "686ffe0f30bfbdfa037e4168",
          "name": "Fix the Click: Preventing the ClickFix Attack Vector",
          "description": "This article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetSupport RAT, Latrodectus, and Lumma Stealer. ClickFix lures often use clipboard hijacking and can bypass standard detection controls. The article provides case studies of recent campaigns, hunting tips for detecting ClickFix infections, and recommendations for proactive defense measures. It emphasizes the importance of user education and implementing robust security controls to mitigate this evolving threat.",
          "modified": "2025-08-09T17:01:56.158000",
          "created": "2025-07-10T17:53:19.658000",
          "tags": [
            "latrodectus",
            "typosquatting",
            "powershell",
            "clipboard hijacking",
            "autoit",
            "social engineering",
            "clickfix",
            "rat",
            "infostealer",
            "netsupport rat",
            "lumma stealer"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            },
            {
              "id": "Latrodectus",
              "display_name": "Latrodectus",
              "target": null
            },
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            }
          ],
          "industries": [
            "High technology",
            "Financial services",
            "Manufacturing",
            "Wholesale and retail",
            "Government",
            "Professional and legal services",
            "Energy",
            "Healthcare",
            "Telecommunications",
            "Automotive"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 70,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 12,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 21,
            "domain": 39,
            "hostname": 5
          },
          "indicator_count": 85,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386906,
          "modified_text": "296 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684209ff0c889eabbed70e8b",
          "name": "How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme",
          "description": "A malicious campaign exploits user trust through deceptive websites, including spoofed Gitcodes and fake Docusign verification pages. Victims are tricked into running malicious PowerShell scripts on their Windows machines, leading to the installation of NetSupport RAT. The multi-stage attack uses clipboard poisoning and fake CAPTCHAs to deliver the malware. The campaign involves multiple domains, uses ROT13 encoding, and creates persistent infections. Similar techniques were observed in other spoofed content, including Okta and popular media apps. The attack capitalizes on user familiarity with common online interactions, emphasizing the need for vigilance and skepticism in online activities.",
          "modified": "2025-07-05T21:03:20.611000",
          "created": "2025-06-05T21:19:59.635000",
          "tags": [
            "netsupport rat",
            "clipboard poisoning",
            "gitcodes",
            "social engineering"
          ],
          "references": [
            "https://dti.domaintools.com/how-threat-actors-exploit-human-trust",
            "https://github.com/DomainTools/SecuritySnacks/blob/main/2025/Prove-You-Are-Human.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 56,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 18,
            "domain": 49
          },
          "indicator_count": 73,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386906,
          "modified_text": "331 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e6340d653ae51a1075feb9",
          "name": "Castle Loader Malware",
          "description": "CastleLoader is a sophisticated malware loader that operates as a first-stage infection\nvector in a multi-tiered infrastructure. Developed by threat actor TAG-150, this malware\nhas demonstrated rapid evolution and technical sophistication since its emergence in early\n2025. CastleLoader uses Cloudflare-themed ClickFix phishing and fake GitHub\nrepositories as its primary distribution methods, with a remarkably high infection rate\nof 28.7%.",
          "modified": "2025-11-07T09:02:34.275000",
          "created": "2025-10-08T09:51:08.650000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "CastleLoader",
              "display_name": "CastleLoader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1548.002",
              "name": "Bypass User Account Control",
              "display_name": "T1548.002 - Bypass User Account Control"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            }
          ],
          "industries": [
            "Finance",
            "Energy",
            "Global"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "gembelll123",
            "id": "314072",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 14,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "domain": 17,
            "hostname": 3
          },
          "indicator_count": 42,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 21,
          "modified_text": "207 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68bff3e33540d09bd27e7c8c",
          "name": "EbeeSep2025 Pt2",
          "description": "",
          "modified": "2025-10-11T12:03:16.109000",
          "created": "2025-09-09T09:31:15.081000",
          "tags": [],
          "references": [
            "Sep week2.pdf"
          ],
          "public": 1,
          "adversary": "Multiple",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 175,
            "FileHash-SHA1": 165,
            "FileHash-SHA256": 382,
            "domain": 75,
            "hostname": 17,
            "FilePath": 4,
            "URL": 17
          },
          "indicator_count": 835,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "234 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68be44aa19b22417f7fa1f2e",
          "name": "IOC - From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure",
          "description": "Insikt Group has identified a new threat actor, TAG-150, active since at least March 2025, characterized by rapid development, technical sophistication, responsiveness to public reporting, and a large, evolving infrastructure. The infrastructure linked to TAG-150 includes both victim-facing Tier 1 components, such as IP addresses and domains used as command-and-control (C2) servers for multiple malware families, and higher-tier infrastructure composed of multiple layers. Since emerging in March 2025, TAG-150 has deployed multiple likely self-developed malware families, starting with CastleLoader and CastleBot, and most recently CastleRAT, a remote access trojan documented here for the first time. Additionally, Insikt Group has identified multiple services likely leveraged by TAG-150, including file-sharing platforms, anti-detection services, and others.",
          "modified": "2025-10-08T02:04:08.021000",
          "created": "2025-09-08T02:51:22.530000",
          "tags": [
            "sha256",
            "as62904",
            "corporation",
            "warmcookie c2",
            "ip address",
            "castleloader c2",
            "samples",
            "variant samples",
            "seen",
            "as214351",
            "future",
            "python"
          ],
          "references": [
            "https://www.theregister.com/2025/09/05/clickfix_castlerat_malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 32,
            "FileHash-SHA1": 32,
            "FileHash-SHA256": 50,
            "URL": 1,
            "domain": 16,
            "hostname": 2
          },
          "indicator_count": 133,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "237 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "689dbd6fc683062764f4f07c",
          "name": "EbeeAugust2025 Pt2",
          "description": "",
          "modified": "2025-10-02T13:04:51.166000",
          "created": "2025-08-14T10:41:51.150000",
          "tags": [],
          "references": [
            "Aug-Week2.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 476,
            "FileHash-SHA1": 551,
            "FileHash-SHA256": 521,
            "URL": 92,
            "domain": 216,
            "email": 2,
            "hostname": 68
          },
          "indicator_count": 1926,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "243 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68c428aa8f8368058224d48d",
          "name": "TAG-150\u2019s CastleRAT Emerges: Advanced Stealth and Persistence Tactics",
          "description": "",
          "modified": "2025-09-12T14:05:30.735000",
          "created": "2025-09-12T14:05:30.735000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Abinsiby12345",
            "id": "358730",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 48,
            "FileHash-SHA1": 48,
            "FileHash-SHA256": 48,
            "domain": 12,
            "hostname": 1
          },
          "indicator_count": 157,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 21,
          "modified_text": "263 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68c4289a71de45a237b2dd90",
          "name": "TAG-150\u2019s CastleRAT Emerges: Advanced Stealth and Persistence Tactics",
          "description": "",
          "modified": "2025-09-12T14:05:14.514000",
          "created": "2025-09-12T14:05:14.514000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Abinsiby12345",
            "id": "358730",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 48,
            "FileHash-SHA1": 48,
            "FileHash-SHA256": 48,
            "domain": 12,
            "hostname": 1
          },
          "indicator_count": 157,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 21,
          "modified_text": "263 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "689a09a3da96cb0bfecff59c",
          "name": "New Malware Loader Delivers Multiple Payloads",
          "description": "",
          "modified": "2025-09-10T15:02:05.145000",
          "created": "2025-08-11T15:17:55.377000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ESFBSOCTCR",
            "id": "200541",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 18,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 18,
            "URL": 11,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 67,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 86,
          "modified_text": "265 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6898f8c352786654ddc4495d",
          "name": "Dissecting the CastleBot Malware-as-a-Service operation.",
          "description": "CastleBot is a Malware-as-a-Service operation that surfaced in early 2025 and has since expanded to deploy a range of payloads, from infostealers to backdoors such as NetSupport and WarmCookie. The operation is modular, with three components (stager, loader, and core) and appears to be under active development. Its infection surface is dominated by trojanized software delivered via fake websites with SEO poisoning, GitHub repositories impersonating legitimate software, and methods like the ClickFix technique.",
          "modified": "2025-09-09T19:06:32.747000",
          "created": "2025-08-10T19:53:39.994000",
          "tags": [
            "malware as a service",
            "ibm x-force premier threat intelligence",
            "cybersecurity",
            "ibm x-force threat intelligence",
            "cyberattacks",
            "castlebot",
            "c2 server",
            "shellexecutew",
            "url via",
            "url castlebot",
            "castlebot core",
            "false",
            "july",
            "ibm xforce",
            "netsupport",
            "warmcookie",
            "xforce",
            "june",
            "sectoprat",
            "hijackloader",
            "august",
            "config",
            "loader",
            "sandbox",
            "rhadamanthys",
            "remcos",
            "connector",
            "protect",
            "sha256 crypted",
            "url http",
            "indicator type",
            "context http",
            "loader download",
            "url netsupport",
            "zip payload"
          ],
          "references": [
            "https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 43,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 23,
            "URL": 17,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 54,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 543,
          "modified_text": "265 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68862a0bfcc09e2e43f551ee",
          "name": "CastleLoader Malware Uses Phishing and Fake CAPTCHA to Deliver Stealers and RATs",
          "description": "CastleLoader, a newly identified loader malware, has rapidly evolved into a\ndelivery platform for information stealers and RATs.",
          "modified": "2025-08-26T13:03:09.748000",
          "created": "2025-07-27T13:30:51.073000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 48,
            "domain": 13
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "280 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6870b3d3573b3824d7169a2c",
          "name": "TTP - Fix the Click Preventing the ClickFix Attack Vector",
          "description": "\u672c\u6587\u5206\u6790\u4e86\u4e00\u79cd\u540d\u4e3a\u201cClickFix\u201d\u7684\u65b0\u578b\u793e\u4ea4\u5de5\u7a0b\u653b\u51fb\u6280\u672f\u3002\u653b\u51fb\u8005\u901a\u8fc7\u8bf1\u5bfc\u7528\u6237\u5728\u201c\u8fd0\u884c\u201d\uff08Win+R\uff09\u6216\u201c\u7ec8\u7aef\u201d\uff08Win+X\uff09\u4e2d\u7c98\u8d34\u548c\u6267\u884c\u6076\u610f\u547d\u4ee4\uff0c\u5b9e\u73b0\u8fdc\u7a0b\u8bbf\u95ee\u6728\u9a6c\uff08\u5982NetSupport RAT\uff09\u3001\u4fe1\u606f\u7a83\u53d6\u5668\uff08\u5982Lumma Stealer\uff09\u6216\u52a0\u8f7d\u5668\uff08\u5982Latrodectus\uff09\u7684\u90e8\u7f72\u3002\u8fd9\u4e9b\u653b\u51fb\u88ab\u5e7f\u6cdb\u7528\u4e8e\u591a\u4e2a\u884c\u4e1a\uff0c\u5305\u62ec\u80fd\u6e90\u3001\u91d1\u878d\u3001\u5236\u9020\u3001\u96f6\u552e\u548c\u653f\u5e9c\u673a\u6784\u3002ClickFix\u653b\u51fb\u56e0\u7ed5\u8fc7\u5e38\u89c4\u5b89\u5168\u68c0\u6d4b\u624b\u6bb5\u800c\u66f4\u5177\u9690\u853d\u6027\uff0c\u5df2\u6210\u4e3a2025\u5e74\u4e0a\u534a\u5e74\u5e38\u89c1\u7684\u5165\u4fb5\u8def\u5f84\u4e4b\u4e00\u3002\u672c\u6587\u63d0\u4f9b\u4e86\u591a\u4e2a\u771f\u5b9e\u6848\u4f8b\u3001\u68c0\u6d4b\u5efa\u8bae\u53ca\u72e9\u730e\u7b56\u7565\uff0c\u4ee5\u5e2e\u52a9\u7ec4\u7ec7\u8bc6\u522b\u548c\u9632\u5fa1\u6b64\u7c7b\u653b\u51fb\u3002",
          "modified": "2025-08-09T17:01:56.158000",
          "created": "2025-07-11T06:48:51.994000",
          "tags": [
            "latrodectus",
            "typosquatting",
            "powershell",
            "clipboard hijacking",
            "autoit",
            "social engineering",
            "clickfix",
            "rat",
            "infostealer",
            "netsupport rat",
            "lumma stealer"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            },
            {
              "id": "Latrodectus",
              "display_name": "Latrodectus",
              "target": null
            },
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            }
          ],
          "industries": [
            "High technology",
            "Financial services",
            "Manufacturing",
            "Wholesale and retail",
            "Government",
            "Professional and legal services",
            "Energy",
            "Healthcare",
            "Telecommunications",
            "Automotive"
          ],
          "TLP": "white",
          "cloned_from": "686ffe0f30bfbdfa037e4168",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 13,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 22,
            "domain": 39,
            "hostname": 5
          },
          "indicator_count": 88,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "296 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "686fa34dcaa69e8d8d0cdc42",
          "name": "Fix the Click: Preventing the ClickFix Attack Vector",
          "description": "",
          "modified": "2025-08-09T11:01:24.832000",
          "created": "2025-07-10T11:26:05.466000",
          "tags": [
            "clickfix",
            "lumma stealer",
            "netsupport rat",
            "latrodectus",
            "unit",
            "zip archive",
            "slovenia",
            "palo alto",
            "clickfix lure",
            "run window",
            "clearfake",
            "powershell",
            "alliance",
            "example",
            "trojan",
            "malware",
            "rats",
            "installer",
            "april",
            "autoit",
            "stealer",
            "havoc",
            "loader",
            "lampion",
            "back",
            "shadow",
            "evolution"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 12,
            "URL": 1,
            "domain": 21,
            "hostname": 3
          },
          "indicator_count": 47,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "297 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6842a77c3ea4d693b401514a",
          "name": "How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme",
          "description": "This report details a malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines. Victims are lured into copying and pasting these scripts into their Windows Run prompt, which then download and execute multiple stages of additional scripts, ultimately leading to the installation of the NetSupport RAT (remote access trojan).",
          "modified": "2025-07-06T08:01:54.732000",
          "created": "2025-06-06T08:31:56.660000",
          "tags": [
            "ioc domain",
            "malware hash",
            "ioc ip",
            "malware",
            "ioc type"
          ],
          "references": [
            "https://dti.domaintools.com/how-threat-actors-exploit-human-trust/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 15,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 15,
            "domain": 50
          },
          "indicator_count": 95,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "331 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68424677819a88aa8f56d9f3",
          "name": "IOC - How Threat Actors Exploit Human Trust",
          "description": "",
          "modified": "2025-07-05T21:03:20.611000",
          "created": "2025-06-06T01:37:59.581000",
          "tags": [
            "netsupport rat",
            "clipboard poisoning",
            "gitcodes",
            "captcha",
            "social engineering",
            "CAPTCHA"
          ],
          "references": [
            "https://dti.domaintools.com/how-threat-actors-exploit-human-trust",
            "https://github.com/DomainTools/SecuritySnacks/blob/main/2025/Prove-You-Are-Human.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "684209ff0c889eabbed70e8b",
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 18,
            "domain": 49
          },
          "indicator_count": 73,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "331 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6841edc5bd14ff20dc36b897",
          "name": "Malicious Scripts Delivered via Fake Gitcode and Docusign Pages",
          "description": "A new cyber campaign is using fake websites impersonating Gitcode and DocuSign to trick users into running malicious PowerShell scripts, ultimately infecting systems with NetSupport RAT malware. Researchers found that these deceptive sites prompt victims to copy and execute PowerShell commands, which then download additional scripts from external servers.",
          "modified": "2025-07-05T19:02:44.113000",
          "created": "2025-06-05T19:19:33.963000",
          "tags": [
            "ioc domain",
            "malware hash",
            "ioc ip",
            "malware",
            "ioc type"
          ],
          "references": [
            "https://dti.domaintools.com/how-threat-actors-exploit-human-trust/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 15,
            "domain": 50
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 214,
          "modified_text": "331 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6841dff7a8343f18920cb8f5",
          "name": "How Threat Actors Exploit Human Trust",
          "description": "A malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines\nhttps://dti.domaintools.com/how-threat-actors-exploit-human-trust/\nhttps://github.com/DomainTools/SecuritySnacks/blob/main/2025/Prove-You-Are-Human.csv",
          "modified": "2025-07-05T18:00:21.599000",
          "created": "2025-06-05T18:20:39.780000",
          "tags": [
            "ioc domain",
            "malware hash",
            "ioc ip",
            "malware",
            "NetSupportRAT",
            "Gitcodes",
            "Docusign",
            "Clipboard Poisoning"
          ],
          "references": [
            "Prove You Are Human.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "NetSupportManager RAT",
              "display_name": "NetSupportManager RAT",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Techronik",
            "id": "114546",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 15,
            "domain": 50
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 82,
          "modified_text": "331 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6841a64b9407cc16e72ebedb",
          "name": "Exploiting Human Trust: Tactics Used by Threat Actors.",
          "description": "A detailed analysis from DomainTools reveals how threat actors manipulate human trust to conduct phishing, social engineering, and credential theft campaigns. The report highlights common tactics, such as impersonation and domain spoofing, along with actionable IOCs and defensive strategies to mitigate these risks.",
          "modified": "2025-07-05T14:03:02.187000",
          "created": "2025-06-05T14:14:34.655000",
          "tags": [
            "ioc domain",
            "malware hash",
            "ioc ip",
            "malware",
            "ioc type"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056.003",
              "name": "Web Portal Capture",
              "display_name": "T1056.003 - Web Portal Capture"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 15,
            "domain": 50
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "332 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684059cb2e895a12159bf66e",
          "name": "How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme",
          "description": "This report details a malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines. Victims are lured into copying and pasting these scripts into their Windows Run prompt, which then download and execute multiple stages of additional scripts, ultimately leading to the installation of the NetSupport RAT (remote access trojan).",
          "modified": "2025-07-04T14:02:16.965000",
          "created": "2025-06-04T14:35:55.463000",
          "tags": [
            "ioc domain",
            "malware hash",
            "ioc ip",
            "malware",
            "ioc type"
          ],
          "references": [
            "Table 1 IOC,IOC Type 0xpaste[.]com,IOC Domain aitradingview[.]app,IOC Domain aitradingview[.]dev,IOC Domain batalia-dansului[.]xyz,IOC Domain battalia-dansului[.]com,IOC Domain betamodetradingview[.]dev,IOC Domain betatradingview[.]app,IOC Domain betatradingview[.]dev,IOC Domain charts-beta[.]dev,IOC Domain codepaste[.]io,IOC Domain dans-lupta[.]xyz,IOC Domain dev-beta[.]com,IOC Domain devbetabeta[.]dev,IOC Domain devchart[.]ai,IOC Domain developer-ai[.]dev,IOC Domain developerbeta[.]dev,IOC Domain develope"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 15,
            "domain": 50
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "333 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "683faa1dd35a0d3e4ad9d227",
          "name": "A New Campaign Distributing NetSupport RAT via Malicious PowerShell Scripts",
          "description": "Hashes ( SHA-256) - here is the full list of key information:-1.0xpaste, 1.4m-2.5m.1m, 2.3m",
          "modified": "2025-07-04T02:01:59.787000",
          "created": "2025-06-04T02:06:21.508000",
          "tags": [
            "hashes",
            "sha256"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 15,
            "domain": 54,
            "URL": 3,
            "hostname": 6
          },
          "indicator_count": 82,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 501,
          "modified_text": "333 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://dti.domaintools.com/how-threat-actors-exploit-human-trust",
        "https://github.com/DomainTools/SecuritySnacks/blob/main/2025/Prove-You-Are-Human.csv",
        "Sep week2.pdf",
        "https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/",
        "Aug-Week2.pdf",
        "https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation",
        "Prove You Are Human.csv",
        "Table 1 IOC,IOC Type 0xpaste[.]com,IOC Domain aitradingview[.]app,IOC Domain aitradingview[.]dev,IOC Domain batalia-dansului[.]xyz,IOC Domain battalia-dansului[.]com,IOC Domain betamodetradingview[.]dev,IOC Domain betatradingview[.]app,IOC Domain betatradingview[.]dev,IOC Domain charts-beta[.]dev,IOC Domain codepaste[.]io,IOC Domain dans-lupta[.]xyz,IOC Domain dev-beta[.]com,IOC Domain devbetabeta[.]dev,IOC Domain devchart[.]ai,IOC Domain developer-ai[.]dev,IOC Domain developerbeta[.]dev,IOC Domain develope",
        "https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector",
        "https://www.theregister.com/2025/09/05/clickfix_castlerat_malware/",
        "https://dti.domaintools.com/how-threat-actors-exploit-human-trust/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Latrodectus",
            "Netsupport rat",
            "Lumma stealer"
          ],
          "industries": [
            "Government",
            "Healthcare",
            "Telecommunications",
            "Automotive",
            "Wholesale and retail",
            "Energy",
            "Financial services",
            "High technology",
            "Manufacturing",
            "Professional and legal services"
          ]
        },
        "other": {
          "adversary": [
            "Multiple"
          ],
          "malware_families": [
            "Latrodectus",
            "Netsupport rat",
            "Castleloader",
            "Netsupportmanager rat",
            "Lumma stealer"
          ],
          "industries": [
            "Government",
            "Healthcare",
            "Finance",
            "Telecommunications",
            "Automotive",
            "Global",
            "Wholesale and retail",
            "Energy",
            "Financial services",
            "High technology",
            "Manufacturing",
            "Professional and legal services"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 20,
  "pulses": [
    {
      "id": "686ffe0f30bfbdfa037e4168",
      "name": "Fix the Click: Preventing the ClickFix Attack Vector",
      "description": "This article discusses the rising threat of ClickFix, a social engineering technique used by threat actors to trick victims into executing malicious commands under the guise of quick fixes for computer issues. The technique has been observed in campaigns distributing various malware, including NetSupport RAT, Latrodectus, and Lumma Stealer. ClickFix lures often use clipboard hijacking and can bypass standard detection controls. The article provides case studies of recent campaigns, hunting tips for detecting ClickFix infections, and recommendations for proactive defense measures. It emphasizes the importance of user education and implementing robust security controls to mitigate this evolving threat.",
      "modified": "2025-08-09T17:01:56.158000",
      "created": "2025-07-10T17:53:19.658000",
      "tags": [
        "latrodectus",
        "typosquatting",
        "powershell",
        "clipboard hijacking",
        "autoit",
        "social engineering",
        "clickfix",
        "rat",
        "infostealer",
        "netsupport rat",
        "lumma stealer"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        },
        {
          "id": "Latrodectus",
          "display_name": "Latrodectus",
          "target": null
        },
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        }
      ],
      "industries": [
        "High technology",
        "Financial services",
        "Manufacturing",
        "Wholesale and retail",
        "Government",
        "Professional and legal services",
        "Energy",
        "Healthcare",
        "Telecommunications",
        "Automotive"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 70,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 12,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 21,
        "domain": 39,
        "hostname": 5
      },
      "indicator_count": 85,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386906,
      "modified_text": "296 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "684209ff0c889eabbed70e8b",
      "name": "How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme",
      "description": "A malicious campaign exploits user trust through deceptive websites, including spoofed Gitcodes and fake Docusign verification pages. Victims are tricked into running malicious PowerShell scripts on their Windows machines, leading to the installation of NetSupport RAT. The multi-stage attack uses clipboard poisoning and fake CAPTCHAs to deliver the malware. The campaign involves multiple domains, uses ROT13 encoding, and creates persistent infections. Similar techniques were observed in other spoofed content, including Okta and popular media apps. The attack capitalizes on user familiarity with common online interactions, emphasizing the need for vigilance and skepticism in online activities.",
      "modified": "2025-07-05T21:03:20.611000",
      "created": "2025-06-05T21:19:59.635000",
      "tags": [
        "netsupport rat",
        "clipboard poisoning",
        "gitcodes",
        "social engineering"
      ],
      "references": [
        "https://dti.domaintools.com/how-threat-actors-exploit-human-trust",
        "https://github.com/DomainTools/SecuritySnacks/blob/main/2025/Prove-You-Are-Human.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 56,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 18,
        "domain": 49
      },
      "indicator_count": 73,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386906,
      "modified_text": "331 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e6340d653ae51a1075feb9",
      "name": "Castle Loader Malware",
      "description": "CastleLoader is a sophisticated malware loader that operates as a first-stage infection\nvector in a multi-tiered infrastructure. Developed by threat actor TAG-150, this malware\nhas demonstrated rapid evolution and technical sophistication since its emergence in early\n2025. CastleLoader uses Cloudflare-themed ClickFix phishing and fake GitHub\nrepositories as its primary distribution methods, with a remarkably high infection rate\nof 28.7%.",
      "modified": "2025-11-07T09:02:34.275000",
      "created": "2025-10-08T09:51:08.650000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "CastleLoader",
          "display_name": "CastleLoader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1548.002",
          "name": "Bypass User Account Control",
          "display_name": "T1548.002 - Bypass User Account Control"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        }
      ],
      "industries": [
        "Finance",
        "Energy",
        "Global"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "gembelll123",
        "id": "314072",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 14,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "domain": 17,
        "hostname": 3
      },
      "indicator_count": 42,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 21,
      "modified_text": "207 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68bff3e33540d09bd27e7c8c",
      "name": "EbeeSep2025 Pt2",
      "description": "",
      "modified": "2025-10-11T12:03:16.109000",
      "created": "2025-09-09T09:31:15.081000",
      "tags": [],
      "references": [
        "Sep week2.pdf"
      ],
      "public": 1,
      "adversary": "Multiple",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 175,
        "FileHash-SHA1": 165,
        "FileHash-SHA256": 382,
        "domain": 75,
        "hostname": 17,
        "FilePath": 4,
        "URL": 17
      },
      "indicator_count": 835,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "234 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68be44aa19b22417f7fa1f2e",
      "name": "IOC - From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure",
      "description": "Insikt Group has identified a new threat actor, TAG-150, active since at least March 2025, characterized by rapid development, technical sophistication, responsiveness to public reporting, and a large, evolving infrastructure. The infrastructure linked to TAG-150 includes both victim-facing Tier 1 components, such as IP addresses and domains used as command-and-control (C2) servers for multiple malware families, and higher-tier infrastructure composed of multiple layers. Since emerging in March 2025, TAG-150 has deployed multiple likely self-developed malware families, starting with CastleLoader and CastleBot, and most recently CastleRAT, a remote access trojan documented here for the first time. Additionally, Insikt Group has identified multiple services likely leveraged by TAG-150, including file-sharing platforms, anti-detection services, and others.",
      "modified": "2025-10-08T02:04:08.021000",
      "created": "2025-09-08T02:51:22.530000",
      "tags": [
        "sha256",
        "as62904",
        "corporation",
        "warmcookie c2",
        "ip address",
        "castleloader c2",
        "samples",
        "variant samples",
        "seen",
        "as214351",
        "future",
        "python"
      ],
      "references": [
        "https://www.theregister.com/2025/09/05/clickfix_castlerat_malware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 32,
        "FileHash-SHA1": 32,
        "FileHash-SHA256": 50,
        "URL": 1,
        "domain": 16,
        "hostname": 2
      },
      "indicator_count": 133,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "237 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "689dbd6fc683062764f4f07c",
      "name": "EbeeAugust2025 Pt2",
      "description": "",
      "modified": "2025-10-02T13:04:51.166000",
      "created": "2025-08-14T10:41:51.150000",
      "tags": [],
      "references": [
        "Aug-Week2.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 476,
        "FileHash-SHA1": 551,
        "FileHash-SHA256": 521,
        "URL": 92,
        "domain": 216,
        "email": 2,
        "hostname": 68
      },
      "indicator_count": 1926,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "243 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68c428aa8f8368058224d48d",
      "name": "TAG-150\u2019s CastleRAT Emerges: Advanced Stealth and Persistence Tactics",
      "description": "",
      "modified": "2025-09-12T14:05:30.735000",
      "created": "2025-09-12T14:05:30.735000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Abinsiby12345",
        "id": "358730",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 48,
        "FileHash-SHA1": 48,
        "FileHash-SHA256": 48,
        "domain": 12,
        "hostname": 1
      },
      "indicator_count": 157,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 21,
      "modified_text": "263 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68c4289a71de45a237b2dd90",
      "name": "TAG-150\u2019s CastleRAT Emerges: Advanced Stealth and Persistence Tactics",
      "description": "",
      "modified": "2025-09-12T14:05:14.514000",
      "created": "2025-09-12T14:05:14.514000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Abinsiby12345",
        "id": "358730",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 48,
        "FileHash-SHA1": 48,
        "FileHash-SHA256": 48,
        "domain": 12,
        "hostname": 1
      },
      "indicator_count": 157,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 21,
      "modified_text": "263 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "689a09a3da96cb0bfecff59c",
      "name": "New Malware Loader Delivers Multiple Payloads",
      "description": "",
      "modified": "2025-09-10T15:02:05.145000",
      "created": "2025-08-11T15:17:55.377000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ESFBSOCTCR",
        "id": "200541",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 18,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 18,
        "URL": 11,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 67,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 86,
      "modified_text": "265 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6898f8c352786654ddc4495d",
      "name": "Dissecting the CastleBot Malware-as-a-Service operation.",
      "description": "CastleBot is a Malware-as-a-Service operation that surfaced in early 2025 and has since expanded to deploy a range of payloads, from infostealers to backdoors such as NetSupport and WarmCookie. The operation is modular, with three components (stager, loader, and core) and appears to be under active development. Its infection surface is dominated by trojanized software delivered via fake websites with SEO poisoning, GitHub repositories impersonating legitimate software, and methods like the ClickFix technique.",
      "modified": "2025-09-09T19:06:32.747000",
      "created": "2025-08-10T19:53:39.994000",
      "tags": [
        "malware as a service",
        "ibm x-force premier threat intelligence",
        "cybersecurity",
        "ibm x-force threat intelligence",
        "cyberattacks",
        "castlebot",
        "c2 server",
        "shellexecutew",
        "url via",
        "url castlebot",
        "castlebot core",
        "false",
        "july",
        "ibm xforce",
        "netsupport",
        "warmcookie",
        "xforce",
        "june",
        "sectoprat",
        "hijackloader",
        "august",
        "config",
        "loader",
        "sandbox",
        "rhadamanthys",
        "remcos",
        "connector",
        "protect",
        "sha256 crypted",
        "url http",
        "indicator type",
        "context http",
        "loader download",
        "url netsupport",
        "zip payload"
      ],
      "references": [
        "https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 43,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 23,
        "URL": 17,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 54,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 543,
      "modified_text": "265 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "mhousecreative.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "mhousecreative.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780412534.2176
}