{
  "Event": {
    "analysis": "1",
    "date": "2026-04-23",
    "extends_uuid": "",
    "info": "[Threat Intel] Analyzing a Full ClickFix Attack Chain - Part 1",
    "protected": false,
    "publish_timestamp": "1779545421",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779545421",
    "uuid": "a8854b24-212d-4872-bb4f-8154535c7c42",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#36a9d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Copy and Paste - T1204.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1a8d0c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776999609",
        "to_ids": false,
        "type": "link",
        "uuid": "d6539afe-50c9-4e40-baba-96597c7b6654",
        "value": "https://www.stormshield.com/news/analyzing-full-clickfix-attack-chain-part1/",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776999609",
        "to_ids": false,
        "type": "text",
        "uuid": "0a2ea3d7-e287-447a-946a-62437a74e5d2",
        "value": "A sophisticated ClickFix campaign was detected in mid-March 2026, beginning with a malicious webpage impersonating Booking.com's visual identity with a fake CAPTCHA. The attack leverages social engineering to trick victims into executing a PowerShell command that downloads and runs a script directly in memory. The JavaScript code automatically copies malicious commands to the clipboard and intercepts copy events. Once executed, the PowerShell dropper performs system fingerprinting, downloads a ZIP payload from a remote server, deploys it to user directories, establishes persistence through registry keys and scheduled tasks, and executes the final payload. The campaign demonstrates well-structured code with fallback mechanisms and real-time telemetry via Telegram, suggesting the use of a ready-to-use attack kit."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776999609",
        "to_ids": false,
        "type": "text",
        "uuid": "c98f60d2-1585-4ed7-bd5e-eefcb3d4cc72",
        "value": "Name: Analyzing a Full ClickFix Attack Chain - Part 1\nAuthor: AlienVault\nAdversary: \nTags: [\"powershell\", \"fileless execution\", \"dropper\", \"persistence mechanism\", \"phishing\", \"social engineering\", \"clickfix\", \"fake captcha\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: []\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610546",
        "to_ids": true,
        "type": "domain",
        "uuid": "94240ad1-c83c-4fdc-b67e-8c6321d3f686",
        "value": "hailmeinc.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610568",
        "to_ids": true,
        "type": "url",
        "uuid": "05ebb918-0676-4a6d-8b20-fc70f00c88bd",
        "value": "https://hailmeinc.com/bkmsiqop.zip",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610589",
        "to_ids": true,
        "type": "domain",
        "uuid": "27b26e25-92f9-4a99-bf69-25820edb60db",
        "value": "accountpulsecentre.help",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610610",
        "to_ids": true,
        "type": "url",
        "uuid": "51142edf-b985-4d24-b1aa-663aed1d153d",
        "value": "https://hailmeinc.com/bkmsiqop.zip'",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610631",
        "to_ids": true,
        "type": "url",
        "uuid": "be4d069f-0998-4478-84bf-cf9fb5a9c8e0",
        "value": "https://wiosyrondaty.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610652",
        "to_ids": true,
        "type": "domain",
        "uuid": "9559faf3-8dd6-4495-acbe-c0707dca1666",
        "value": "textarea.select",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610673",
        "to_ids": true,
        "type": "domain",
        "uuid": "fd12c96d-e2b6-4343-bba1-9a5fcb0d877a",
        "value": "wiosyrondaty.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610694",
        "to_ids": true,
        "type": "url",
        "uuid": "d8cb8844-435f-4880-9555-b51f75773cd0",
        "value": "https://accountpulsecentre.help/ern-ZIoCCeHgBJpt2g33q1ZHZmrC2jCoRE1hGJ5O38s?get_command=1",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610715",
        "to_ids": true,
        "type": "url",
        "uuid": "25a19f5b-94c0-4538-a31f-533910bc9c8c",
        "value": "https://wiosyrondaty.com/0I7IRN3o4o8GefoYto39mLjnEmdxcEEK73hReyAT6-A",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545420",
        "to_ids": true,
        "type": "sha256",
        "uuid": "b2ab1019-eb09-442d-8954-c82bfcafb5ef",
        "value": "d67c7cddbe74beb6b7ca9dac2d4795a2bba539cc49497161149e61f07ddc753e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545419",
        "uuid": "633de249-5081-4d9e-9a92-44cdde7d76da",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545418",
            "to_ids": true,
            "type": "md5",
            "uuid": "c349b676-20c8-4fad-a70f-1689b81fe820",
            "value": "56ac741cf003c2973d0279e0cc9e96b1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545418",
            "to_ids": true,
            "type": "sha1",
            "uuid": "55934bf0-5877-4831-ab00-5375e7ff64ac",
            "value": "5c156be40c97133464e03ddb644a897ea3d87fb5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545419",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2ba5a6ca-402c-4836-bfad-c666295459bc",
            "value": "84dffd306e8bbdf1c1eaf39526dba36c8c442c673348c63445e848aec737e0ba",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777607957",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "32af4adc-97b3-4538-a9ed-6453fccada3a",
            "value": "196608:+ZftcqQuVgiVT2VrOSOR8A0uU+HB/OGUElH6XU8YYlbHXUX:+B+qntTAZOR8ArU+h/PUEl0U8YYlbEX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777607957",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e982d857-c9ec-4800-837e-5514ea1848e3",
            "value": "7758047"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777607957",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c3b843eb-e359-4245-a37d-96e4f0eb8069",
            "value": "1d3bdf5d2a1e9ec62668de44a2c93ecd"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777607957",
            "to_ids": true,
            "type": "filename",
            "uuid": "aa8955e4-5789-4484-88b2-72a242eb0d28",
            "value": "84dffd306e8bbdf1c1eaf39526dba36c8c442c673348c63445e848aec737e0ba.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast scan: 29/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777607957",
            "to_ids": false,
            "type": "text",
            "uuid": "78153d59-d143-49fa-b7a2-d6c9a9b02cbc",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection: 42/68\nFirst Submission: 2026-03-06T06:13:37.000000+00:00\nLast Submission: 2026-03-06T14:22:48.000000+00:00"
          }
        ]
      }
    ]
  }
}