{ "type": "Domain", "indicator": "ttxttx.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ttxttx.com", "alexa": "http://www.alexa.com/siteinfo/ttxttx.com", "indicator": "ttxttx.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4100923732, "indicator": "ttxttx.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "68e94967bcab143b278f0611", "name": "The ClickFix Factory: First Exposure of IUAM ClickFix Generator", "description": "Palo Alto Unit42 have uncovered a phishing kit named the IUAM ClickFix Generator that automates the creation of these attacks. The kit is designed to generate highly customizable phishing pages that lure victims by mimicking browser verification challenges often used to block automated traffic. It includes advanced features such as operating system detection and clipboard injection, enabling low-effort, cross-platform malware deployment.", "modified": "2025-11-09T17:03:04.892000", "created": "2025-10-10T17:59:02.682000", "tags": [ "ClickFix", "clipboard", "phishing", "deerstealer", "rat", "remote access", "captcha", "odyssey", "infostealer", "iuam", "clickfix generator", "macos" ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [ { "id": "Odyssey", "display_name": "Odyssey", "target": null }, { "id": "DeerStealer", "display_name": "DeerStealer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [ "Information Technology" ], "TLP": "white", "cloned_from": null, "export_count": 105, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 26, "domain": 19, "hostname": 4 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 387121, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a8aa737add292d5ee2097f", "name": "Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure", "description": "A sophisticated phishing campaign targeting macOS users employs a technique called Clickfix, which tricks victims into running terminal commands that execute malicious AppleScript. This script steals sensitive data including browser profiles, crypto wallets, and personal files. The attackers use fake security prompts and CAPTCHA pages on domains like cryptoinfo-news.com to appear legitimate. The stolen data is exfiltrated to command and control servers, some of which run on unusual ports. The campaign's infrastructure spans multiple regions, with several C2 servers hosted in Russia. The analysis uncovered over 50 related servers with similar configurations, suggesting a financially motivated and globally distributed operation.", "modified": "2025-09-21T17:06:17.019000", "created": "2025-08-22T17:35:47.118000", "tags": [ "cryptowallet", "macos", "phishing", "data theft", "applescript", "terminal commands", "c2 infrastructure", "clickfix" ], "references": [ "https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "Clickfix", "display_name": "Clickfix", "target": null } ], "attack_ids": [ { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1102.003", "name": "One-Way Communication", "display_name": "T1102.003 - One-Way Communication" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 16, "hostname": 1 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 387121, "modified_text": "254 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e9c1d0fd06a823988cd769", "name": "IOC - The ClickFix Factory: First Exposure of IUAM ClickFix Generator", "description": "Attackers are packaging a highly effective social engineering technique known as ClickFix into easy-to-use phishing kits, making it accessible to a wider range of threat actors. This technique tricks victims into bypassing security measures by manually executing malware, typically information stealers and remote access Trojans (RATs). The commoditization of this technique follows the trend of phishing-as-a-service, lowering the skill and effort required to conduct successful attacks.", "modified": "2025-11-10T02:04:42.912000", "created": "2025-10-11T02:32:48.918000", "tags": [ "odyssey", "deerstealer", "ipv4", "malware", "clickfix", "odyssey malware", "ip address", "first seen", "seen malware", "odyssey table" ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Odyssey", "display_name": "Odyssey", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 26, "domain": 18, "hostname": 3 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68edfc736f1c7651872f4359", "name": "The ClickFix Factory: First Exposure of IUAM ClickFix Generator", "description": "", "modified": "2025-11-09T17:03:04.892000", "created": "2025-10-14T07:32:03.410000", "tags": [ "ClickFix", "clipboard", "phishing", "deerstealer", "rat", "remote access", "captcha", "odyssey", "infostealer", "iuam", "clickfix generator", "macos" ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [ { "id": "Odyssey", "display_name": "Odyssey", "target": null }, { "id": "DeerStealer", "display_name": "DeerStealer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [ "Information Technology" ], "TLP": "white", "cloned_from": "68e94967bcab143b278f0611", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 26, "domain": 19, "hostname": 4 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e817f0dabc6208c9dd969b", "name": "ClickFix Attacks Were Automated By IUAM ClickFix Generator", "description": ".", "modified": "2025-11-08T20:06:04.056000", "created": "2025-10-09T20:15:44.672000", "tags": [ "odyssey", "deerstealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 26, "domain": 19, "hostname": 4 }, "indicator_count": 79, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "206 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e774395fed412caea716e4", "name": "The ClickFix Factory: First Exposure of IUAM ClickFix Generator.", "description": "The malicious technique known as ClickFix is being commoditized into easily accessible phishing kits, allowing a broader range of threat actors to utilize it effectively. This social engineering method manipulates users into bypassing security protocols by manually executing malware, which is typically designed for information theft and remote access control. The trend reflects the broader phenomenon of phishing-as-a-service, which reduces the technical expertise required for executing successful attacks. Recent investigations uncovered a phishing kit generator publicly accessible at IP address 38.242.212.5, first detected on July 18, 2025, and operating until early October. Attackers have leveraged this kit to create numerous phishing pages themed around ClickFix, which cleverly mimic browser verification challenges employed by CDN and web security platforms.", "modified": "2025-11-08T08:01:25.309000", "created": "2025-10-09T08:37:13.144000", "tags": [ "odyssey", "deerstealer", "ipv4", "malware", "clickfix", "odyssey malware", "ip address", "first seen", "seen malware", "odyssey table" ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Odyssey", "display_name": "Odyssey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 26, "domain": 18, "hostname": 3 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 545, "modified_text": "207 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6880e92486e34c26bca7cd67", "name": "Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure", "description": "", "modified": "2025-08-22T13:03:04.127000", "created": "2025-07-23T13:52:36.705000", "tags": [ "clickfix", "app store", "strong", "like", "port", "delivery", "http", "campaign", "steal data", "iocs", "phishing", "desktop", "accept", "cookie", "terminal", "virustotal", "main", "patch" ], "references": [ "https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 16, "hostname": 1 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "285 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/", "https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Clickfix", "Odyssey", "Deerstealer" ], "industries": [ "Information technology", "Finance" ] }, "other": { "adversary": [], "malware_families": [ "Odyssey", "Deerstealer" ], "industries": [ "Information technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "68e94967bcab143b278f0611", "name": "The ClickFix Factory: First Exposure of IUAM ClickFix Generator", "description": "Palo Alto Unit42 have uncovered a phishing kit named the IUAM ClickFix Generator that automates the creation of these attacks. The kit is designed to generate highly customizable phishing pages that lure victims by mimicking browser verification challenges often used to block automated traffic. It includes advanced features such as operating system detection and clipboard injection, enabling low-effort, cross-platform malware deployment.", "modified": "2025-11-09T17:03:04.892000", "created": "2025-10-10T17:59:02.682000", "tags": [ "ClickFix", "clipboard", "phishing", "deerstealer", "rat", "remote access", "captcha", "odyssey", "infostealer", "iuam", "clickfix generator", "macos" ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [ { "id": "Odyssey", "display_name": "Odyssey", "target": null }, { "id": "DeerStealer", "display_name": "DeerStealer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [ "Information Technology" ], "TLP": "white", "cloned_from": null, "export_count": 105, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 26, "domain": 19, "hostname": 4 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 387121, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a8aa737add292d5ee2097f", "name": "Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure", "description": "A sophisticated phishing campaign targeting macOS users employs a technique called Clickfix, which tricks victims into running terminal commands that execute malicious AppleScript. This script steals sensitive data including browser profiles, crypto wallets, and personal files. The attackers use fake security prompts and CAPTCHA pages on domains like cryptoinfo-news.com to appear legitimate. The stolen data is exfiltrated to command and control servers, some of which run on unusual ports. The campaign's infrastructure spans multiple regions, with several C2 servers hosted in Russia. The analysis uncovered over 50 related servers with similar configurations, suggesting a financially motivated and globally distributed operation.", "modified": "2025-09-21T17:06:17.019000", "created": "2025-08-22T17:35:47.118000", "tags": [ "cryptowallet", "macos", "phishing", "data theft", "applescript", "terminal commands", "c2 infrastructure", "clickfix" ], "references": [ "https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "Clickfix", "display_name": "Clickfix", "target": null } ], "attack_ids": [ { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1102.003", "name": "One-Way Communication", "display_name": "T1102.003 - One-Way Communication" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 16, "hostname": 1 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 387121, "modified_text": "254 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e9c1d0fd06a823988cd769", "name": "IOC - The ClickFix Factory: First Exposure of IUAM ClickFix Generator", "description": "Attackers are packaging a highly effective social engineering technique known as ClickFix into easy-to-use phishing kits, making it accessible to a wider range of threat actors. This technique tricks victims into bypassing security measures by manually executing malware, typically information stealers and remote access Trojans (RATs). The commoditization of this technique follows the trend of phishing-as-a-service, lowering the skill and effort required to conduct successful attacks.", "modified": "2025-11-10T02:04:42.912000", "created": "2025-10-11T02:32:48.918000", "tags": [ "odyssey", "deerstealer", "ipv4", "malware", "clickfix", "odyssey malware", "ip address", "first seen", "seen malware", "odyssey table" ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Odyssey", "display_name": "Odyssey", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 26, "domain": 18, "hostname": 3 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68edfc736f1c7651872f4359", "name": "The ClickFix Factory: First Exposure of IUAM ClickFix Generator", "description": "", "modified": "2025-11-09T17:03:04.892000", "created": "2025-10-14T07:32:03.410000", "tags": [ "ClickFix", "clipboard", "phishing", "deerstealer", "rat", "remote access", "captcha", "odyssey", "infostealer", "iuam", "clickfix generator", "macos" ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [ { "id": "Odyssey", "display_name": "Odyssey", "target": null }, { "id": "DeerStealer", "display_name": "DeerStealer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [ "Information Technology" ], "TLP": "white", "cloned_from": "68e94967bcab143b278f0611", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 26, "domain": 19, "hostname": 4 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e817f0dabc6208c9dd969b", "name": "ClickFix Attacks Were Automated By IUAM ClickFix Generator", "description": ".", "modified": "2025-11-08T20:06:04.056000", "created": "2025-10-09T20:15:44.672000", "tags": [ "odyssey", "deerstealer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 26, "domain": 19, "hostname": 4 }, "indicator_count": 79, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "206 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e774395fed412caea716e4", "name": "The ClickFix Factory: First Exposure of IUAM ClickFix Generator.", "description": "The malicious technique known as ClickFix is being commoditized into easily accessible phishing kits, allowing a broader range of threat actors to utilize it effectively. This social engineering method manipulates users into bypassing security protocols by manually executing malware, which is typically designed for information theft and remote access control. The trend reflects the broader phenomenon of phishing-as-a-service, which reduces the technical expertise required for executing successful attacks. Recent investigations uncovered a phishing kit generator publicly accessible at IP address 38.242.212.5, first detected on July 18, 2025, and operating until early October. Attackers have leveraged this kit to create numerous phishing pages themed around ClickFix, which cleverly mimic browser verification challenges employed by CDN and web security platforms.", "modified": "2025-11-08T08:01:25.309000", "created": "2025-10-09T08:37:13.144000", "tags": [ "odyssey", "deerstealer", "ipv4", "malware", "clickfix", "odyssey malware", "ip address", "first seen", "seen malware", "odyssey table" ], "references": [ "https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Odyssey", "display_name": "Odyssey", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 15, "FileHash-SHA256": 26, "domain": 18, "hostname": 3 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 545, "modified_text": "207 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6880e92486e34c26bca7cd67", "name": "Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure", "description": "", "modified": "2025-08-22T13:03:04.127000", "created": "2025-07-23T13:52:36.705000", "tags": [ "clickfix", "app store", "strong", "like", "port", "delivery", "http", "campaign", "steal data", "iocs", "phishing", "desktop", "accept", "cookie", "terminal", "virustotal", "main", "patch" ], "references": [ "https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 16, "hostname": 1 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "285 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ttxttx.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ttxttx.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780499213.7939484 }