#NetSupport

2026-01-30

Meet IClickFix: a widespread framework using the ClickFix tactic

IClickFix is a malicious framework that compromises WordPress sites to distribute malware using the ClickFix social engineering tactic. Active since December 2024, it has infected over 3,800 WordPress sites globally. The framework injects malicious JavaScript into compromised sites, leading users through a fake CAPTCHA challenge that tricks them into executing malicious code. This ultimately installs NetSupport RAT, granting attackers full control of infected systems. The campaign has evolved over time, adding traffic distribution systems and refining its lures. While initially distributing Emmenhtal Loader and XFiles Stealer, it now primarily delivers NetSupport RAT. The widespread nature of the attacks suggests opportunistic exploitation rather than targeted campaigns.

Pulse ID: 697c69b9af67a1f288275176
Pulse Link: otx.alienvault.com/pulse/697c6
Pulse Author: AlienVault
Created: 2026-01-30 08:20:09

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CAPTCHA #CyberSecurity #InfoSec #Java #JavaScript #Malware #NetSupport #NetSupportRAT #OTX #OpenThreatExchange #RAT #RDP #SocialEngineering #Word #Wordpress #bot #AlienVault

2026-01-29

Our latest TDR report on the #IClickFix framework:

📊 3,800+ WordPress sites compromised worldwide
⚙️ Multi-stage JavaScript loader
🚦 Abusing YOURLS as TDS
🖱️ Fake Cloudflare CAPTCHA and #ClickFix lure
🦠 #NetSupport RAT payload

infosec.exchange/@sekoia_io/11

2026-01-29

#TDR analysts deep dived into a widespread malicious JavaScript framework injected into 3,800+ WordPress sites to distribute #NetSupport RAT via the #ClickFix social engineering tactic.

blog.sekoia.io/meet-iclickfix-

2025-12-29 (Monday): #ClickFix page leads to #NetSupportRAT infection.

Details at www.malware-traffic-analysis.net/2025/12/29/index.html

Of note, this is not from the usual ClickFix campaigns that I track. While #SmartApeSG has often pushed #NetSupport #RAT, this is a completely different vector for the initial URL.

The initial sites.google[.]com URLs for this campaign are sent via email. But I don't have an example for this particular infection chain.

Image: Example of initial URL from sites.google[.]com.
Image: Example of a fake CAPTCHA page with ClickFix-style instructions and the ClickFix script.
Image: Traffic from the infection filtered in Wireshark.
Image: NetSupport RAT persistent on an infected Windows host.

2025-11-21

"Medved" attacks: what we learned about a phishing campaign by a group targeting Russian organizations

In October 2025 we, the cyber intelligence team of the Threat Intelligence department, recorded ongoing phishing activity by a hacker group we named NetMedved. The reasoning behind this name is discussed in the final part of the article. The attacks are aimed at Russian organizations; the final payload is a malicious build of the legitimate remote administration tool NetSupport Manager (hereafter NetSupportRAT). In this article we describe the specifics of the campaign and its connection to our earlier findings.

habr.com/ru/companies/pt/artic

#киберразведка #расследование_инцидентов #кибератаки #хакерская_группировка #хакерские_инструменты #фишинговые_письма #вредоносное_программное_обеспечение #малварь #finger #netsupport

Offensive Sequence (@offseq@infosec.exchange)
2025-08-31

⚠️ CVE-2025-34164: HIGH-severity heap overflow in NetSupport Manager 14.x (<14.12.0000) lets remote attackers cause DoS or run code—no auth needed. Restrict access & prep to patch! radar.offseq.com/threat/cve-20 #OffSeq #NetSupport #Vulnerability #Cybersecurity

High threat: CVE-2025-34164: CWE-122 Heap-based Buffer Overflow in NetSupport Ltd. NetSupport Manager
Offensive Sequence (@offseq@infosec.exchange)
2025-08-31

⚠️ CVE-2025-34165: NetSupport Manager 14.x (pre-14.12.0000) HIGH severity stack-based buffer overflow allows remote, unauthenticated DoS or memory leak. Restrict access, monitor for attacks, prep for patching. radar.offseq.com/threat/cve-20 #OffSeq #NetSupport #Vuln #BlueTeam

High threat: CVE-2025-34165: CWE-121 Stack-based Buffer Overflow in NetSupport Ltd. NetSupport Manager

2025-08-22 (Friday): #SmartApeSG for #NetSupport #RAT (#NetSupportRAT)

Some sites have injected script that leads directly to the fake CAPTCHA page for #ClickFix instructions.

Other sites have injected script that redirects to the URL for the fake CAPTCHA page.

Direct example (compromised site --> script for CAPTCHA page):

- hxxps[:]//mexicobusiness[.]news/
- hxxps[:]//clouwave[.]net/ajax/pixi.min.js

Redirect example (compromised site --> Redirect URL --> script for CAPTCHA page):

- hxxps[:]//myvocabulary[.]com/
- hxxps[:]//myevmanual[.]com/d.js <-- 302 found for next URL
- hxxps[:]//clouwave[.]net/ajax/pixi.min.js

Either way, you get the same CAPTCHA page.

IOCs at github.com/malware-traffic/ind

cc: @monitorsg

Image: Fake CAPTCHA page from first example.
Image: Fake SmartApeSG injected script from first example.
Image: Fake CAPTCHA page from second example.
Image: Fake SmartApeSG injected script from second example.

2025-08-20 (Wednesday): #SmartApeSG for fake #CAPTCHA page with #ClickFix instructions that led to an MSI file for #NetSupport #RAT and the #NetSupportRAT infection led to #StealCv2.

Malware samples, a #pcap, and indicators at www.malware-traffic-analysis.net/2025/08/20/index.html

Image: Fake CAPTCHA page generated by SmartApeSG script injected into compromised website.
Image: ClickFix instructions from the fake CAPTCHA page.
Image: Traffic from the infection filtered in Wireshark.
Image: Script and traffic to download and run MSI file to install NetSupport RAT.

🚨 How #Rhadamanthys Stealer Slips Past Defenses using ClickFix
⚠️ Rhadamanthys is now delivered via ClickFix, combining technical methods and social engineering to bypass automated security solutions, making detection and response especially challenging.
👾 While earlier ClickFix campaigns mainly deployed #NetSupport RAT or #AsyncRAT, this C++ infostealer ranks in the upper tier for advanced evasion techniques and extensive data theft capabilities.

#ANYRUN Sandbox lets SOC teams observe and execute complex chains, revealing evasive behavior and providing intelligence that can be directly applied to detection rules, playbooks, and proactive hunting.

🔗 Execution Chain:
ClickFix ➡️ msiexec ➡️ exe-file ➡️ infected system file ➡️ PNG-stego payload

In a recent campaign, the phishing domain initiates a ClickFix flow (#MITRE T1566), prompting the user to execute a malicious MSI payload hosted on a remote server.

🥷 The installer is silently executed in memory (#MITRE T1218.007), deploying a stealer component into a disguised software directory under the user profile.

The dropped binary performs anti-VM checks (T1497.001) to avoid analysis.

In later stages, a compromised system file is used to initiate a TLS connection directly to an IP address, bypassing DNS monitoring.

📌 For encryption, attackers use self-signed TLS certificates with mismatched fields (e.g., Issuer or Subject), creating distinctive indicators for threat hunting and expanding an organization’s visibility into its threat landscape.

🖼️ The C2 delivers an obfuscated PNG containing additional payloads via steganography (T1027.003), extending dwell time and complicating detection.

🎯 See execution on a live system and download actionable report: app.any.run/tasks/a101654d-70f

🔍 Use these #ANYRUN TI Lookup search queries to track similar campaigns and enrich #IOCs with live attack data from threat investigations across 15K SOCs:
intelligence.any.run/analysis/
intelligence.any.run/analysis/
intelligence.any.run/analysis/
intelligence.any.run/analysis/

👾 IOCs:
Find more indicators in the comments 💬

Protect critical assets with faster, deeper visibility into complex threats using #ANYRUN 🚀

#cybersecurity #infosec

🚨 #NetSupport RAT is a legit remote access app turned cyber weapon. Its activity spiked in 2025 with data theft attacks targeting healthcare, government, and SMBs in NA and EU.

👨‍💻 Read report and see analysis of a fresh sample: any.run/malware-trends/netsupp

#cybersecurity #infosec

🚨 #NetSupport RAT is a legit remote access app turned cyber weapon.
Its activity spiked in 2025 with data theft attacks targeting healthcare, government, and SMBs in NA and EU.

👨‍💻 Read report and see analysis of a fresh sample: any.run/malware-trends/netsupp

#infosec #cybersecurity

2025-07-15 (Tuesday): Tracking #SmartApeSG

The SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing your way through this leads to a #NetSupportRAT infection.

Compromised site (same as yesterday):

- medthermography[.]com

URLs for ClickFix style fake verification page:

- warpdrive[.]top/jjj/include.js
- warpdrive[.]top/jjj/index.php?W11WzmLj
- warpdrive[.]top/jjj/buffer.js?409a8bdbd9

Running the script for NetSupport RAT:

- sos-atlanta[.]com/lal.ps1
- sos-atlanta[.]com/lotu.zip?l=4773

#NetSupport RAT server (same as yesterday):

- 185.163.45[.]87:443

Traffic from an infection filtered in Wireshark and HTTPS URLs shown in Fiddler.

2025-07-14 (Monday): #SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing your way through this leads to a #NetSupportRAT infection.

Compromised site:

- medthermography[.]com

URLs for ClickFix style fake verification page:

- lebensversicherungvergleich[.]top/jjj/include.js
- lebensversicherungvergleich[.]top/jjj/index.php?OtKXgPVX
- lebensversicherungvergleich[.]top/jjj/buffer.js?4261984971

Running the script for NetSupport RAT:

- affordableasphalt-paving[.]com/lal.ps1
- affordableasphalt-paving[.]com/lotu.zip?l=3526

#NetSupport RAT server:

- 185.163.45[.]87:443

Image: Screenshot of ClickFix-style fake verification page with text for the script injected into the viewer's hijacked clipboard.
Image: Traffic from an infection filtered in Wireshark.
Image: Traffic from an infection filtered in Wireshark.
Image: NetSupport RAT persistent on an infected Windows host through a Windows registry update.

🚨 #Obfuscated BAT file used to deliver NetSupport RAT

At the time of the analysis, the sample had not yet been submitted to #VirusTotal ⚠️

👨‍💻 See sandbox session: app.any.run/tasks/db6fcb53-6f1

🔗 Execution chain:
cmd.exe (BAT) ➡️ #PowerShell ➡️ PowerShell ➡️ #client32.exe (NetSupport client) ➡️ reg.exe

Key details:
🔹 Uses a 'client32' process to run #NetSupport #RAT and add it to autorun in registry via reg.exe
🔹 Creates an 'Options' folder in %APPDATA% if missing
🔹 NetSupport client downloads a task .zip file, extracts, and runs it from %APPDATA%\Application .zip
🔹 Deletes ZIP files after execution

❗️ BAT droppers remain a common choice in attacks as threat actors continue to find new methods to evade detection.

Use #ANYRUN’s Interactive Sandbox to quickly trace the full execution chain and uncover #malware behavior for fast and informed response.

#cybersecurity #infosec

2025-03-26 (Wednesday): #SmartApeSG traffic for a fake browser update page leads to a #NetSupport #RAT infection. A zip archive for #StealC sent over the #NetSupportRAT C2 traffic.

The #StealC infection uses DLL side-loading by a legitimate EXE to #sideload the malicious DLL.

A #pcap from an infection, the associated #malware samples, and #IOCs are available at malware-traffic-analysis.net/2

Image: Compromised website showing SmartApeSG page for fake browser update.
Image: Traffic from an infection filtered in Wireshark.
Image: NetSupport RAT persistent on an infected Windows host.
Image: Zip archive and extracted files for follow-up StealC malware.

It is hard to admit, but the level of technical specialists among providers is falling fast.

And I am not writing this about home-network ISPs. 😟

#ukraine #netsupport

2025-01-22

#webshell #opendir #netsupport #rat at:

https://appointedtimeagriculture\.com/wp-includes/blocks/post-content/

GatewayAddress=95.179.158.213:443
RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA

2024-12-24 (Tuesday)

#SmartApeSG infection chain starting with we-careu[.]xyz/work/original.js from compromised site.

Ends with #NetSupport #RAT using the same 194.180.191[.]64 C2 address we've seen since November.

2024-12-17 (Tuesday): #SmartApeSG injected script leads to fake browser update page, and that page leads to a #NetSupport #RAT infection.

Just like my last post here, there are 2 injected scripts in a page from the compromised site, one using depostsolo[.]biz and one using tactlat[.]xyz.

A #pcap of the infection traffic, associated malware samples and more information is available at malware-traffic-analysis.net/2

NetSupportRAT C2 for this campaign continues to be 194.180.191[.]64 since as early as 2024-11-22.

#FakeUpdates #NetSupportRAT

Image: Screenshot of the browser window for a fake update page after visiting a compromised website at banks-canada[.]com.
Image: Example of SmartApeSG injected script highlighted in orange in HTML code from a page from the compromised site. The URL from this injected script is hxxps[:]//depostsolo[.]biz/work/original.js
Image: Traffic from an infection filtered in Wireshark showing the NetSupport RAT post-infection traffic to 194.180.191[.]64 over TCP port 443. All of the SmartApeSG and fake browser update page traffic prior to the NetSupport RAT activity is over HTTPS.
Image: The NetSupport RAT installation persistent on an infected Windows host. Shows the Windows registry entry for persistence and the associated NetSupport RAT files. The files are located in a hidden directory at C:\ProgramData\cvkfkmt\ with the NetSupport RAT executable client32.exe using client32.ini for its configuration to use the malicious C2 server at 194.180.191[.]64.
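The 2025-01-22 open-directory post (GatewayAddress and RADIUSSecret keys from an exposed NetSupport configuration) and the 2024-12-17 post (client32.exe taking its C2 from client32.ini) both point at the same defender check: pull the gateway values out of a recovered client32.ini and triage them against sanctioned gateways and the C2 addresses quoted in these posts. The Python below is an added example, not code from any of the posters; the INI sample is constructed, the [HTTP] section name and the ALLOWED_GATEWAYS entry are assumptions, and the RADIUSSecret value is a placeholder.

```python
import re
from typing import List, Tuple

# Constructed sample, not a real capture: the GatewayAddress/RADIUSSecret keys mirror the
# open-directory post, the [HTTP] section name is an assumption, the secret is a placeholder,
# and the hosts are C2 addresses quoted on this page.
SAMPLE_CLIENT32_INI = """[HTTP]
GatewayAddress=194.180.191.64:443
SecondaryGateway=185.163.45.87:443
RADIUSSecret=PLACEHOLDER_NOT_A_REAL_SECRET
"""
ALLOWED_GATEWAYS = {"nsm-gateway.corp.example"}  # hypothetical sanctioned gateway
KNOWN_BAD_DEFANGED = {"194.180.191[.]64", "185.163.45[.]87", "95.179.158.213"}  # from the posts
GATEWAY_KEYS = {"gatewayaddress", "secondarygateway"}
_KV_LINE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")

def refang(indicator: str) -> str:
    """Reverse the hxxp / [.] / [:] defanging used in the posts so values compare."""
    return (indicator.replace("[.]", ".").replace("[:]", ":")
            .replace("hxxps", "https").replace("hxxp", "http"))

def extract_gateways(ini_text: str) -> List[Tuple[str, str]]:
    """(key, value) for every non-empty gateway key, whatever INI section it sits in."""
    found = []
    for line in ini_text.splitlines():
        m = _KV_LINE.match(line)
        if m and m.group(1).lower() in GATEWAY_KEYS and m.group(2):
            found.append((m.group(1), m.group(2)))
    return found

def split_host_port(value: str) -> Tuple[str, str]:
    """'host:port' -> (host, port); a bare host gets an empty port."""
    host, sep, port = value.rpartition(":")
    return (host, port) if sep else (value, "")

def triage(ini_text: str) -> List[dict]:
    """Label each configured gateway: known_c2, allowed, or unknown_review."""
    bad_hosts = {refang(x) for x in KNOWN_BAD_DEFANGED}
    results = []
    for key, value in extract_gateways(ini_text):
        host, port = split_host_port(value)
        if host in bad_hosts:
            verdict = "known_c2"
        elif host in ALLOWED_GATEWAYS:
            verdict = "allowed"
        else:
            verdict = "unknown_review"
        results.append({"key": key, "host": host, "port": port, "verdict": verdict})
    return results
```

Running triage() over a client32.ini pulled from a suspect host (for example from the hidden ProgramData directory the post describes) flags gateways matching the quoted C2 addresses and surfaces any unrecognised gateway for review.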
