{ "type": "Domain", "indicator": "scottvmorton.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/scottvmorton.com", "alexa": "http://www.alexa.com/siteinfo/scottvmorton.com", "indicator": "scottvmorton.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4190050816, "indicator": "scottvmorton.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "697c69b9af67a1f288275176", "name": "Meet IClickFix: a widespread framework using the ClickFix tactic", "description": "IClickFix is a malicious framework that compromises WordPress sites to distribute malware using the ClickFix social engineering tactic. Active since December 2024, it has infected over 3,800 WordPress sites globally. The framework injects malicious JavaScript into compromised sites, leading users through a fake CAPTCHA challenge that tricks them into executing malicious code. This ultimately installs NetSupport RAT, granting attackers full control of infected systems. The campaign has evolved over time, adding traffic distribution systems and refining its lures. While initially distributing Emmenhtal Loader and XFiles Stealer, it now primarily delivers NetSupport RAT. The widespread nature of the attacks suggests opportunistic exploitation rather than targeted campaigns.", "modified": "2026-03-01T08:03:12.270000", "created": "2026-01-30T08:20:09.209000", "tags": [ "emmenhtal loader", "netsupport rat", "watering hole", "xfiles stealer", "social engineering", "clickfix", "wordpress", "javascript", "captcha" ], "references": [ "https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ghana" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "Emmenhtal Loader", "display_name": "Emmenhtal Loader", "target": null }, { "id": "XFiles Stealer", "display_name": "XFiles Stealer", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1102.003", "name": "One-Way Communication", "display_name": "T1102.003 - One-Way Communication" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 74, "FileHash-MD5": 10, "FileHash-SHA1": 16, "FileHash-SHA256": 14, "URL": 13, "hostname": 4 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 387038, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69819eab7b692a1e4028d659", "name": "Meet IClickFix: a widespread framework using the ClickFix tactic", "description": "", "modified": "2026-03-01T08:03:12.270000", "created": "2026-02-03T07:07:23.413000", "tags": [ "emmenhtal loader", "netsupport rat", "watering hole", "xfiles stealer", "social engineering", "clickfix", "wordpress", "javascript", "captcha" ], "references": [ "https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ghana" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "Emmenhtal Loader", "display_name": "Emmenhtal Loader", "target": null }, { "id": "XFiles Stealer", "display_name": "XFiles Stealer", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1102.003", "name": "One-Way Communication", "display_name": "T1102.003 - One-Way Communication" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "697c69b9af67a1f288275176", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 74, "FileHash-MD5": 10, "FileHash-SHA1": 16, "FileHash-SHA256": 14, "URL": 13, "hostname": 4 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697c60b0bb54100596b6a5d7", "name": "Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic", "description": "In November 2025, threat analysts from Sekoia TDR discovered a malware distribution campaign targeting WordPress websites using a social engineering tactic known as ClickFix, facilitated through a Traffic Distribution System (TDS). This campaign primarily employed watering hole attacks, wherein legitimate websites are compromised to lure victims into executing malicious commands.\n\nSekoia TDR implemented an advanced detection capability to identify these watering hole attacks, utilizing generic YARA rules to scan for compromised web pages featuring the ClickFix tactic. These rules are based on specific keywords, resource patterns, and JavaScript functions associated with the tactic's implementation.", "modified": "2026-03-01T07:06:08.143000", "created": "2026-01-30T07:41:36.705000", "tags": [ "wordpress", "iclickfix", "clickfix", "javascript", "netsupport rat", "clickfix lure", "february", "december", "november", "clearfake", "loader", "code", "advent", "elementor", "xfiles", "netsupport" ], "references": [ "https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ghana", "United States of America" ], "malware_families": [ { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [ "Government", "Defense", "Energy", "Telecom" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 80, "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 15, "URL": 13, "YARA": 6, "hostname": 4 }, "indicator_count": 140, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "94 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Xfiles stealer", "Emmenhtal loader", "Netsupport rat" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Xfiles stealer", "Clickfix", "Emmenhtal loader", "Netsupport rat" ], "industries": [ "Defense", "Government", "Energy", "Telecom" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "697c69b9af67a1f288275176", "name": "Meet IClickFix: a widespread framework using the ClickFix tactic", "description": "IClickFix is a malicious framework that compromises WordPress sites to distribute malware using the ClickFix social engineering tactic. Active since December 2024, it has infected over 3,800 WordPress sites globally. The framework injects malicious JavaScript into compromised sites, leading users through a fake CAPTCHA challenge that tricks them into executing malicious code. This ultimately installs NetSupport RAT, granting attackers full control of infected systems. The campaign has evolved over time, adding traffic distribution systems and refining its lures. While initially distributing Emmenhtal Loader and XFiles Stealer, it now primarily delivers NetSupport RAT. The widespread nature of the attacks suggests opportunistic exploitation rather than targeted campaigns.", "modified": "2026-03-01T08:03:12.270000", "created": "2026-01-30T08:20:09.209000", "tags": [ "emmenhtal loader", "netsupport rat", "watering hole", "xfiles stealer", "social engineering", "clickfix", "wordpress", "javascript", "captcha" ], "references": [ "https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ghana" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "Emmenhtal Loader", "display_name": "Emmenhtal Loader", "target": null }, { "id": "XFiles Stealer", "display_name": "XFiles Stealer", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1102.003", "name": "One-Way Communication", "display_name": "T1102.003 - One-Way Communication" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 74, "FileHash-MD5": 10, "FileHash-SHA1": 16, "FileHash-SHA256": 14, "URL": 13, "hostname": 4 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 387038, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69819eab7b692a1e4028d659", "name": "Meet IClickFix: a widespread framework using the ClickFix tactic", "description": "", "modified": "2026-03-01T08:03:12.270000", "created": "2026-02-03T07:07:23.413000", "tags": [ "emmenhtal loader", "netsupport rat", "watering hole", "xfiles stealer", "social engineering", "clickfix", "wordpress", "javascript", "captcha" ], "references": [ "https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ghana" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "Emmenhtal Loader", "display_name": "Emmenhtal Loader", "target": null }, { "id": "XFiles Stealer", "display_name": "XFiles Stealer", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1102.003", "name": "One-Way Communication", "display_name": "T1102.003 - One-Way Communication" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": "697c69b9af67a1f288275176", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 74, "FileHash-MD5": 10, "FileHash-SHA1": 16, "FileHash-SHA256": 14, "URL": 13, "hostname": 4 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697c60b0bb54100596b6a5d7", "name": "Meet IClickFix: a widespread WordPress-targeting framework using the ClickFix tactic", "description": "In November 2025, threat analysts from Sekoia TDR discovered a malware distribution campaign targeting WordPress websites using a social engineering tactic known as ClickFix, facilitated through a Traffic Distribution System (TDS). This campaign primarily employed watering hole attacks, wherein legitimate websites are compromised to lure victims into executing malicious commands.\n\nSekoia TDR implemented an advanced detection capability to identify these watering hole attacks, utilizing generic YARA rules to scan for compromised web pages featuring the ClickFix tactic. These rules are based on specific keywords, resource patterns, and JavaScript functions associated with the tactic's implementation.", "modified": "2026-03-01T07:06:08.143000", "created": "2026-01-30T07:41:36.705000", "tags": [ "wordpress", "iclickfix", "clickfix", "javascript", "netsupport rat", "clickfix lure", "february", "december", "november", "clearfake", "loader", "code", "advent", "elementor", "xfiles", "netsupport" ], "references": [ "https://blog.sekoia.io/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ghana", "United States of America" ], "malware_families": [ { "id": "ClickFix", "display_name": "ClickFix", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [ "Government", "Defense", "Energy", "Telecom" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 80, "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 15, "URL": 13, "YARA": 6, "hostname": 4 }, "indicator_count": 140, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "94 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "scottvmorton.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "scottvmorton.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780472095.1711438 }